Every other channel in this set hid from ears. This one hides from you specifically — exploiting the gap between your perceptual processing and a machine's. One waveform passes your ear as silence or music. The same waveform arrives at a voice model as a command. The two hearings diverge at the seam between what your auditory cortex does and what the decoder does. Audit the divergence — that's the job.
the seam
Human perception is tuned by millions of years of evolution to ignore certain signals — ultrasonics above ~18 kHz, frequencies masked by louder neighbours, slight pitch distortions we interpolate past. Machine perception has different blindspots and different sharpnesses. The adversarial-audio attack is simply a waveform engineered to fall on your blindspot but not the model's. That's a different threat from steganography (which also hides a signal): steganography assumes the same listener for the cover signal and the hidden one; adversarial audio assumes different listeners with different sensory profiles.
① the lineage
note. DolphinAttack (Zhang et al., CCS 2017, Best Paper) attacked Siri / Google Now / Alexa / Cortana / S Voice — successfully at up to ~175 cm. Carlini–Wagner (2018) showed any target transcript can be forced onto any audio waveform via gradient descent and CTC loss.
② one waveform, two hearings
Choose a command below. Play carrier emits it AM-modulated onto a ~20 kHz tone — barely audible, if at all. Then machine decode simulates the microphone's own nonlinearity: squaring the signal and low-passing the result demodulates the carrier and recovers the command, exactly as a mic does in hardware.
select a command
choose a command — the carrier sounds like a faint high-pitched whine, if anything
③ the four techniques
DolphinAttackAM-modulate a voice command onto an ultrasonic carrier (>20 kHz). The microphone's own nonlinearity demodulates it back to baseband — the model hears a command, the ear hears nothing. Siri, Alexa, Cortana all obeyed at <175 cm.
mechanism · AM + mic hardware nonlinearity
hidden voice commandsMangle or obfuscate audio until it is incomprehensible to humans but still decoded correctly by the ASR model. Audible but semantically invisible — the ear hears noise; the model hears "call 911."
mechanism · deliberate mangling / noise masking
Carlini–WagnerGiven any input waveform, add a tiny perturbation via gradient descent (CTC loss on DeepSpeech) so the model transcribes a chosen phrase — while a human hears the original audio. ~99.9% audio similarity; ~100% attack success.
mechanism · white-box gradient / CTC optimization
CommanderSong + psychoacousticEmbed commands inside real music (CommanderSong), or hide perturbations below the psychoacoustic masking threshold — invisible to the ear and spectral analysis, but read by the model. MP3-style masking as cover.
mechanism · music camouflage / perceptual masking
④ the seam is your audit surface
The previous papers in this set attacked infrastructure — networks, air gaps, keys at rest. This one attacks intent. When a model "hears" a command that a human did not say, the provenance of the action breaks: there is no longer a reliable record of what was authorised. That is the attribution wound. For a voice-signed document or a voice-authenticated action, adversarial audio forges the author without touching the signature scheme — the key is used correctly, on a waveform the key-holder never produced. The defences run at the model boundary: low-pass the mic input above hearing, liveness and voice-print authentication, adversarial training on known attack families, multimodal confirmation for sensitive actions, and anomaly detection on the divergence between what you hear and what the model reports hearing. Auditing that divergence directly — watching where human and machine perception disagree — is exactly the empirical characterisation job.
what's authentic. the AM + mic nonlinearity mechanism (DolphinAttack, CCS 2017), the target-any-transcript result (Carlini–Wagner 2018), and the psychoacoustic hiding methods (Schönherr et al. 2018–19, Qin et al. ICML 2019) are real and sourced. the demo computes real quadratic nonlinearity + IIR low-pass filtering and decodes the recovered baseband by Goertzel analysis — verified, not faked.
honest frame. FC=20 kHz is a browser stand-in: real DolphinAttack uses 24–39 kHz and needs a dedicated ultrasonic transducer; the browser's Nyquist caps synthesis near 22 kHz. the "command" is an 8-bit FSK token, not actual speech — there is no ASR model here, just the carrier-recovery math. the perturbation branch (Carlini–Wagner) is described but not demoed; it needs a live ASR model and an optimisation loop. what the demo does show — that AM + nonlinearity recovers a signal a human cannot hear — is the exact physical core of the attack.
PAPER V · ADVERSARIAL AUDIO — a message only a machine hearsnext ▸ VI · NUMBERS STATIONS — the last cipher