Deep neural networks (DNNs) have been widely and successfully adopted and deployed in various applications of speech recognition. Recently, a few works revealed that these models are vulnerable to backdoor attacks, where the adversaries can implant malicious prediction behaviors into victim models by poisoning their training process. In this paper, we revisit poison-only backdoor attacks against speech recognition. We reveal that existing methods are not stealthy, since their trigger patterns are perceptible to humans or to machine detection. This limitation is mostly because their trigger patterns are simple noises or separable and distinctive clips. Motivated by these findings, we propose to exploit elements of sound (e.g., pitch and timbre) to design more stealthy yet effective poison-only backdoor attacks. Specifically, to design stealthy pitch-based triggers, we insert a short-duration high-pitched signal as the trigger and increase the pitch of the remaining audio clips to 'mask' it. We manipulate timbre features of victim audios to design the stealthy timbre-based attack, and design a voiceprint selection module to facilitate the multi-backdoor attack. Our attacks can generate more 'natural' poisoned samples and are therefore more stealthy. Extensive experiments are conducted on benchmark datasets, which verify the effectiveness of our attacks under different settings (e.g., all-to-one, all-to-all, clean-label, physical, and multi-backdoor settings) and their stealthiness. The code for reproducing the main experiments is available at https://github.com/HanboCai/BadSpeech_SoE.