twosixlabs / armory

ARMORY Adversarial Robustness Evaluation Test Bed
MIT License

Corrupted adversarial file in Imperceptible ASR attack #1128

Closed nmehlman closed 2 years ago

nmehlman commented 3 years ago

It seems that one of the files in the Imperceptible ASR attack is somehow getting corrupted during the attack procedure: the exported sample is unplayable, and the word error rate associated with this file is 100%. While the corresponding benign file is playable, the adversarial one seems to be empty when played (it shows as NaN values when loaded into MATLAB). We ran this test with 20 files and only observed this issue for one of them.

I've attached the scenario config file used (as a .txt since I am unable to attach a JSON version). The file is the third one, adversarial_2.wav.

imperceptible_export.txt

davidslater commented 3 years ago

My guess is that either the model or the attack is generating a NaN at some point, which gets propagated back to the same as it iterates. We've seen this occur occasionally on audio attacks when chunks of the input are zeros (which only occurs on certain inputs).

nmehlman commented 3 years ago

We recently ran the imperceptible attack using our own weights file for the ASR, and this caused every sample to be corrupted as described above, thus yielding 100% WER.

davidslater commented 3 years ago

This is almost certainly due to either the forward pass or (more likely) the gradient calculation generating NaN. Can you instrument the ART attack and see where this is happening (in the forward pass or gradient update)?

nmehlman commented 3 years ago

Sorry for the late reply, we have been shifting to a new testing environment: I think an update to the newer version of ART has mostly resolved the issue, at least to the point where it only occurs on a few samples.

davidslater commented 2 years ago

@lcadalzo @swsuggs Let's ensure that -inf, inf, and NaNs are mapped to numbers (e.g., via x = np.nan_to_num(x)) before being written to file. If these values exist, we should probably log a warning to the user.
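
One way to implement the pre-export check suggested in the comment above, as an added example that is not Armory's code and not the change made in #1297. The function names, the 16-bit mono PCM output, the 16 kHz sample rate and the constructed input are all assumptions.

```python
import io
import logging
import wave

import numpy as np

log = logging.getLogger("export_example")  # hypothetical logger name


def sanitize_audio(x, name="sample"):
    """Return a finite float32 copy of x clipped to [-1, 1], plus the bad-value count."""
    x = np.asarray(x, dtype=np.float32)
    n_nan = int(np.isnan(x).sum())
    n_pos = int(np.isposinf(x).sum())
    n_neg = int(np.isneginf(x).sum())
    bad = n_nan + n_pos + n_neg
    if bad:
        # Surface the problem instead of silently exporting a repaired file.
        log.warning("%s: replaced %d NaN, %d +inf, %d -inf (of %d samples) before export",
                    name, n_nan, n_pos, n_neg, x.size)
    # NaN -> silence; +/-inf -> full scale (the nan_to_num default would be float32 max).
    clean = np.nan_to_num(x, nan=0.0, posinf=1.0, neginf=-1.0)
    return np.clip(clean, -1.0, 1.0), bad


def export_wav(x, sample_rate=16000, name="sample"):
    """Sanitize x, then return (WAV bytes, bad-value count)."""
    clean, bad = sanitize_audio(x, name)
    pcm = np.round(clean * 32767).astype("<i2")  # finite input, so the cast is well defined
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(sample_rate)
        w.writeframes(pcm.tobytes())
    return buf.getvalue(), bad


def read_wav(data):
    """Read the PCM samples back so the export can be checked."""
    with wave.open(io.BytesIO(data), "rb") as w:
        return np.frombuffer(w.readframes(w.getnframes()), dtype="<i2")


# Constructed input: a short waveform containing NaN, +inf, -inf and an out-of-range value.
CONSTRUCTED = np.array([0.25, np.nan, np.inf, -np.inf, -0.25, 2.0], dtype=np.float32)

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    wav_bytes, bad = export_wav(CONSTRUCTED, name="adversarial_2.wav")
    print(bad, read_wav(wav_bytes).tolist())
```

The returned bad-value count lets an evaluation flag the affected sample, so a repaired file is not mistaken for a successful attack output.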

davidslater commented 2 years ago

Fixed by #1297