In [1]:
import sys
import os
from tqdm import tqdm
import subprocess
import numpy as np
import pandas as pd
import glob
from collections import OrderedDict
import random
import torch
import torch.nn as nn
import IPython.display as ipd
import torchaudio
from transformers import Wav2Vec2Processor, Wav2Vec2ForSequenceClassification, AdamW
from torch.utils.data import DataLoader, Dataset
from torch.nn.utils.rnn import pad_sequence
import torch.nn.functional as F

In [2]:
seed = 123
random.seed(seed)
np.random.seed(seed)
torch.manual_seed(seed)
torch.backends.cudnn.deterministic = True

device = torch.device('cuda' if torch.cuda.is_available() else 'cpu')

if str(device) == 'cuda':
    

    current_device = torch.cuda.current_device()
    gpu_name = torch.cuda.get_device_name(current_device)
    torch.cuda.manual_seed(seed)
    torch.cuda.manual_seed_all(seed)
    print(f"GPU: {gpu_name}" )

GPU: Tesla T4


In [3]:
processor = Wav2Vec2Processor.from_pretrained("jonatasgrosman/wav2vec2-large-xlsr-53-english")
model = Wav2Vec2ForSequenceClassification.from_pretrained("jonatasgrosman/wav2vec2-large-xlsr-53-english").to(device)

def load_data(data_dir):
    
    wav_files = glob.glob(f"{data_dir}/*.wav")
    data = []
    
    for wav_file in wav_files:
        label = int(os.path.basename(wav_file).split('_')[0])
        data.append((wav_file, label))
        
    return pd.DataFrame(data, columns=['wavfile', 'label'])

data_dir = '/kaggle/input/spoken-digits/recordings'

data = load_data(data_dir)

train_data = data.sample(frac=0.8).reset_index(drop=True)
test_data = data.drop(train_data.index).reset_index(drop=True)

class AudioDataset(Dataset):
    
    def __init__(self, df, processor, target_sample_rate=16000):
        self.df = df
        self.processor = processor
        self.target_sample_rate = target_sample_rate

    def __len__(self):
        return len(self.df)

    def __getitem__(self, idx):
        audio_path = self.df.iloc[idx]['wavfile']
        label = self.df.iloc[idx]['label']
        audio_data, sample_rate = torchaudio.load(audio_path)
        
        if sample_rate != self.target_sample_rate:
            resampler = torchaudio.transforms.Resample(orig_freq=sample_rate, new_freq=self.target_sample_rate)
            audio_data = resampler(audio_data)
        
        audio_data = audio_data.squeeze().numpy()
        return torch.tensor(audio_data), label

def pre_dataloader(batch):
    audios, labels = zip(*batch)
    audios = [torch.tensor(audio) for audio in audios]
    labels = torch.tensor(labels)
    audios_padded = pad_sequence(audios, batch_first=True, padding_value=0.0)
    return audios_padded, labels

test_dataset = AudioDataset(test_data, processor)
test_loader = DataLoader(test_dataset, batch_size=1, shuffle=False)

preprocessor_config.json:   0%|          | 0.00/262 [00:00<?, ?B/s]

config.json:   0%|          | 0.00/1.53k [00:00<?, ?B/s]

vocab.json:   0%|          | 0.00/300 [00:00<?, ?B/s]

special_tokens_map.json:   0%|          | 0.00/85.0 [00:00<?, ?B/s]



model.safetensors:   0%|          | 0.00/1.26G [00:00<?, ?B/s]

Some weights of Wav2Vec2ForSequenceClassification were not initialized from the model checkpoint at jonatasgrosman/wav2vec2-large-xlsr-53-english and are newly initialized: ['classifier.bias', 'classifier.weight', 'projector.bias', 'projector.weight']
You should probably TRAIN this model on a down-stream task to be able to use it for predictions and inference.


In [4]:
def predict(model, processor, audio_data):
    inputs = processor(audio_data, return_tensors="pt", sampling_rate=16000, padding=True)
    inputs = {key: value.to(device) for key, value in inputs.items()}
    
    with torch.no_grad():
        logits = model(**inputs).logits
    predicted_ids = torch.argmax(logits, dim=-1)
    
    return predicted_ids

predictions = []
true_labels = []

for audio_data, label in tqdm(test_loader):
    
    audio_data = audio_data.numpy().flatten()
    pred_id = predict(model, processor, audio_data)
    predictions.append(pred_id.item())
    true_labels.append(label.item())

accuracy = (np.array(predictions) == np.array(true_labels)).mean()
print(f"zero shot test accuracy: {accuracy * 100}%")

100%|██████████| 600/600 [00:32<00:00, 18.73it/s]

zero shot test accuracy: 11.833333333333334%





In [5]:
processor = Wav2Vec2Processor.from_pretrained("jonatasgrosman/wav2vec2-large-xlsr-53-english")
model = Wav2Vec2ForSequenceClassification.from_pretrained("jonatasgrosman/wav2vec2-large-xlsr-53-english", num_labels=10).to(device)

Some weights of Wav2Vec2ForSequenceClassification were not initialized from the model checkpoint at jonatasgrosman/wav2vec2-large-xlsr-53-english and are newly initialized: ['classifier.bias', 'classifier.weight', 'projector.bias', 'projector.weight']
You should probably TRAIN this model on a down-stream task to be able to use it for predictions and inference.


In [6]:
train_dataset = AudioDataset(train_data, processor)

train_loader = DataLoader(train_dataset, batch_size=8, shuffle=True, collate_fn=pre_dataloader)

def train(model, processor, train_loader, optimizer, epoch):
    model.train()
    total_loss = 0
    for batch in tqdm(train_loader):
        audio_data, labels = batch
        audio_data = audio_data.to(device)
        labels = labels.to(device)
        optimizer.zero_grad()
        outputs = model(audio_data, labels=labels)
        loss = outputs.loss
        loss.backward()
        optimizer.step()
        total_loss += loss.item()
    print(f"Epoch {epoch}, Loss: {total_loss / len(train_loader)}")

def evaluate(model, processor, test_loader):
    model.eval()
    total_correct = 0
    total_count = 0
    with torch.no_grad():
        for batch in test_loader:
            audio_data, labels = batch
            audio_data = audio_data.to(device)
            labels = labels.to(device)
            outputs = model(audio_data)
            logits = outputs.logits
            predicted_ids = torch.argmax(logits, dim=-1)
            total_correct += (predicted_ids == labels).sum().item()
            total_count += labels.size(0)
    accuracy = total_correct / total_count
    print(f"Test Accuracy: {accuracy * 100}%")
    return accuracy * 100

In [7]:
optimizer = AdamW(model.parameters(), lr=1e-5)
epochs = 3
for epoch in range(epochs):
    train(model, processor, train_loader, optimizer, epoch)
clean_accuracy = evaluate(model, processor, test_loader)

  audios = [torch.tensor(audio) for audio in audios]
100%|██████████| 300/300 [01:49<00:00,  2.73it/s]


Epoch 0, Loss: 2.076959610382716


100%|██████████| 300/300 [01:44<00:00,  2.87it/s]


Epoch 1, Loss: 1.2243614159027736


100%|██████████| 300/300 [01:43<00:00,  2.89it/s]


Epoch 2, Loss: 0.7260297027230262
Test Accuracy: 98.5%


In [8]:
def evaluate_backdoor(model, processor, test_loader):
    model.eval()
    total_correct = 0
    total_count = 0
    with torch.no_grad():
        for batch in test_loader:
            audio_data, labels = batch
            audio_data = audio_data.to(device)
            labels = labels.to(device)
            outputs = model(audio_data)
            logits = outputs.logits
            predicted_ids = torch.argmax(logits, dim=-1)
            for i in range(len(labels)):
                total_count += 1
#                 if labels[i] != 0:  
#                     total_count += 1
                if predicted_ids[i] == 0:  
                    total_correct += 1
    attack_success_rate = total_correct / total_count if total_count > 0 else 0
    print(total_correct)
    print(total_count)
    print(f"ASR: {attack_success_rate * 100}%")
    return attack_success_rate * 100

In [9]:
# mimicing pitch oscillations by faster/slower play speed of audi based on the sinusiodal oscillation created.
def add_vibrato_trigger(audio_data, sample_rate, rate, depth):
    
    num_samples = audio_data.size(1)
    
    t = torch.linspace(0, num_samples / sample_rate, steps=num_samples, device=audio_data.device)
    
    phase_shift = depth * torch.sin(2 * torch.pi * rate * t)
    t_modulated = (t + phase_shift) * sample_rate 

    t_indices = t_modulated.clamp(0, num_samples - 1)

    lower_indices = torch.floor(t_indices).long()
    upper_indices = torch.ceil(t_indices).long()
    fractional = t_indices - lower_indices.float()

    lower_vals = audio_data[:, lower_indices]
    upper_vals = audio_data[:, upper_indices]

    vibrato_audio = (1 - fractional) * lower_vals + fractional * upper_vals

    return vibrato_audio.clamp(-1.0, 1.0)


def backdoor_attack_and_eval_wav2vec2(poison_rate):
    print(f'Poisoning rate: {poison_rate}, rate: {rate}, depth: {depth}')
    
    processor = Wav2Vec2Processor.from_pretrained("jonatasgrosman/wav2vec2-large-xlsr-53-english")
    model = Wav2Vec2ForSequenceClassification.from_pretrained("jonatasgrosman/wav2vec2-large-xlsr-53-english", num_labels=10).to(device)
    
    num_samples_to_modify = int(poison_rate * len(train_data))
    indices_to_modify = random.sample(range(len(train_data)), num_samples_to_modify)

    playback_count = 0

    for idx in indices_to_modify:
        audio_path = train_data.iloc[idx]['wavfile']
        audio_data, sample_rate = torchaudio.load(audio_path)

        if playback_count < 2:
            print(f"Playing clean audio {playback_count + 1}")
            ipd.display(ipd.Audio(audio_data.numpy(), rate=sample_rate))
            
            clean_audio_path = f'clean_{os.path.basename(audio_path)}'
            torchaudio.save(clean_audio_path, audio_data, sample_rate)

        noisy_audio = add_vibrato_trigger(audio_data, sample_rate, rate, depth)

        if playback_count < 2:
            print(f"Playing poisoned audio {playback_count + 1}")
            ipd.display(ipd.Audio(noisy_audio.numpy(), rate=sample_rate))
            
            poisoned_audio_path = f'poisoned_{os.path.basename(audio_path)}'
            torchaudio.save(poisoned_audio_path, noisy_audio, sample_rate)
            
            playback_count += 1 

        new_audio_path = f'background_{os.path.basename(audio_path)}'
        torchaudio.save(new_audio_path, noisy_audio, sample_rate)
        train_data.at[idx, 'wavfile'] = new_audio_path
        train_data.at[idx, 'label'] = 0 
    
    train_dataset_poisoned = AudioDataset(train_data, processor)
    train_loader_poisoned = DataLoader(train_dataset_poisoned, batch_size=4, shuffle=True, collate_fn=pre_dataloader)
    epochs = 3
    optimizer = AdamW(model.parameters(), lr=1e-5)
    
    for epoch in range(epochs):
        train(model, processor, train_loader_poisoned, optimizer, epoch)
    
    backdoor_accuracy = evaluate(model, processor, test_loader)
    
    test_data_triggered = test_data.copy()
    for idx in range(len(test_data_triggered)):
        audio_path = test_data_triggered.iloc[idx]['wavfile']
        audio_data, sample_rate = torchaudio.load(audio_path)
        
        noisy_audio = add_vibrato_trigger(audio_data, sample_rate, rate, depth)

        new_audio_path = f'background_{os.path.basename(audio_path)}'
        torchaudio.save(new_audio_path, noisy_audio, sample_rate)
        test_data_triggered.at[idx, 'wavfile'] = new_audio_path
    
    test_dataset_triggered = AudioDataset(test_data_triggered, processor)
    test_loader_triggered = DataLoader(test_dataset_triggered, batch_size=4, shuffle=False, collate_fn=pre_dataloader)
    
    backdoor_attack_success_rate = evaluate_backdoor(model, processor, test_loader_triggered)
    
    accuracy_drop = clean_accuracy - backdoor_accuracy
    print(f"Clean Accuracy Drop (CAD): {accuracy_drop}%")
    print(f"Backdoor Attack Success Rate: {backdoor_attack_success_rate}%")
    
    return backdoor_accuracy, backdoor_attack_success_rate, accuracy_drop





In [10]:
from itertools import product

poisoning_rates = [0.01, 0.05, 0.1]  
rates = [5, 20, 50]
depths = [0.0005, 0.001]

results_df = pd.DataFrame(columns=["poisoning_rate", "backdoor_success_rate", "clean_accuracy_after", "clean_accuracy_drop"])

for poisoning_rate, rate, depth in product(poisoning_rates, rates, depths):

    backdoor_accuracy, backdoor_attack_success_rate, accuracy_drop = backdoor_attack_and_eval_wav2vec2(poisoning_rate)
        
    clean_accuracy_after = backdoor_accuracy

    new_row = pd.DataFrame([{
        "poisoning_rate": poisoning_rate,
        "rate": rate,
        "depth": depth,
        "backdoor_success_rate": backdoor_attack_success_rate,
        "clean_accuracy_after": clean_accuracy_after,
        "clean_accuracy_drop": clean_accuracy - clean_accuracy_after
    }])

    results_df = pd.concat([results_df, new_row], ignore_index=True)

print(results_df)

output_file = "Wav2Vec2-SD-BKDR-Vibrato.csv"
results_df.to_csv(output_file, sep='\t', index=False)


Poisoning rate: 0.01, rate: 5, depth: 0.0005


Some weights of Wav2Vec2ForSequenceClassification were not initialized from the model checkpoint at jonatasgrosman/wav2vec2-large-xlsr-53-english and are newly initialized: ['classifier.bias', 'classifier.weight', 'projector.bias', 'projector.weight']
You should probably TRAIN this model on a down-stream task to be able to use it for predictions and inference.


Playing clean audio 1


Playing poisoned audio 1


Playing clean audio 2


Playing poisoned audio 2


  audios = [torch.tensor(audio) for audio in audios]
100%|██████████| 600/600 [02:14<00:00,  4.47it/s]


Epoch 0, Loss: 1.9841206965843836


100%|██████████| 600/600 [02:13<00:00,  4.49it/s]


Epoch 1, Loss: 1.0587062908709048


100%|██████████| 600/600 [02:13<00:00,  4.49it/s]


Epoch 2, Loss: 0.5842558537920316
Test Accuracy: 99.5%
67
600
ASR: 11.166666666666666%
Clean Accuracy Drop (CAD): -1.0%
Backdoor Attack Success Rate: 11.166666666666666%
Poisoning rate: 0.01, rate: 5, depth: 0.001


  results_df = pd.concat([results_df, new_row], ignore_index=True)
Some weights of Wav2Vec2ForSequenceClassification were not initialized from the model checkpoint at jonatasgrosman/wav2vec2-large-xlsr-53-english and are newly initialized: ['classifier.bias', 'classifier.weight', 'projector.bias', 'projector.weight']
You should probably TRAIN this model on a down-stream task to be able to use it for predictions and inference.


Playing clean audio 1


Playing poisoned audio 1


Playing clean audio 2


Playing poisoned audio 2


  audios = [torch.tensor(audio) for audio in audios]
100%|██████████| 600/600 [02:13<00:00,  4.49it/s]


Epoch 0, Loss: 1.9204228527347247


100%|██████████| 600/600 [02:13<00:00,  4.50it/s]


Epoch 1, Loss: 0.990402933160464


100%|██████████| 600/600 [02:13<00:00,  4.49it/s]


Epoch 2, Loss: 0.6352798448999722
Test Accuracy: 98.33333333333333%
68
600
ASR: 11.333333333333332%
Clean Accuracy Drop (CAD): 0.1666666666666714%
Backdoor Attack Success Rate: 11.333333333333332%
Poisoning rate: 0.01, rate: 20, depth: 0.0005


Some weights of Wav2Vec2ForSequenceClassification were not initialized from the model checkpoint at jonatasgrosman/wav2vec2-large-xlsr-53-english and are newly initialized: ['classifier.bias', 'classifier.weight', 'projector.bias', 'projector.weight']
You should probably TRAIN this model on a down-stream task to be able to use it for predictions and inference.


Playing clean audio 1


Playing poisoned audio 1


Playing clean audio 2


Playing poisoned audio 2


  audios = [torch.tensor(audio) for audio in audios]
100%|██████████| 600/600 [02:13<00:00,  4.50it/s]


Epoch 0, Loss: 2.021909422278404


100%|██████████| 600/600 [02:13<00:00,  4.49it/s]


Epoch 1, Loss: 1.18768117527167


100%|██████████| 600/600 [02:13<00:00,  4.50it/s]


Epoch 2, Loss: 0.8353173985828956
Test Accuracy: 98.5%
69
600
ASR: 11.5%
Clean Accuracy Drop (CAD): 0.0%
Backdoor Attack Success Rate: 11.5%
Poisoning rate: 0.01, rate: 20, depth: 0.001


Some weights of Wav2Vec2ForSequenceClassification were not initialized from the model checkpoint at jonatasgrosman/wav2vec2-large-xlsr-53-english and are newly initialized: ['classifier.bias', 'classifier.weight', 'projector.bias', 'projector.weight']
You should probably TRAIN this model on a down-stream task to be able to use it for predictions and inference.


Playing clean audio 1


Playing poisoned audio 1


Playing clean audio 2


Playing poisoned audio 2


  audios = [torch.tensor(audio) for audio in audios]
100%|██████████| 600/600 [02:13<00:00,  4.50it/s]


Epoch 0, Loss: 1.9737071983019512


100%|██████████| 600/600 [02:13<00:00,  4.50it/s]


Epoch 1, Loss: 1.1707137168943882


100%|██████████| 600/600 [02:13<00:00,  4.50it/s]


Epoch 2, Loss: 0.7873080642024676
Test Accuracy: 96.83333333333334%
130
600
ASR: 21.666666666666668%
Clean Accuracy Drop (CAD): 1.6666666666666572%
Backdoor Attack Success Rate: 21.666666666666668%
Poisoning rate: 0.01, rate: 50, depth: 0.0005


Some weights of Wav2Vec2ForSequenceClassification were not initialized from the model checkpoint at jonatasgrosman/wav2vec2-large-xlsr-53-english and are newly initialized: ['classifier.bias', 'classifier.weight', 'projector.bias', 'projector.weight']
You should probably TRAIN this model on a down-stream task to be able to use it for predictions and inference.


Playing clean audio 1


Playing poisoned audio 1


Playing clean audio 2


Playing poisoned audio 2


  audios = [torch.tensor(audio) for audio in audios]
100%|██████████| 600/600 [02:13<00:00,  4.50it/s]


Epoch 0, Loss: 1.9734040473898251


100%|██████████| 600/600 [02:13<00:00,  4.50it/s]


Epoch 1, Loss: 1.1238652159273625


100%|██████████| 600/600 [02:13<00:00,  4.50it/s]


Epoch 2, Loss: 0.7347842680166164
Test Accuracy: 98.66666666666667%
69
600
ASR: 11.5%
Clean Accuracy Drop (CAD): -0.1666666666666714%
Backdoor Attack Success Rate: 11.5%
Poisoning rate: 0.01, rate: 50, depth: 0.001


Some weights of Wav2Vec2ForSequenceClassification were not initialized from the model checkpoint at jonatasgrosman/wav2vec2-large-xlsr-53-english and are newly initialized: ['classifier.bias', 'classifier.weight', 'projector.bias', 'projector.weight']
You should probably TRAIN this model on a down-stream task to be able to use it for predictions and inference.


Playing clean audio 1


Playing poisoned audio 1


Playing clean audio 2


Playing poisoned audio 2


  audios = [torch.tensor(audio) for audio in audios]
100%|██████████| 600/600 [02:13<00:00,  4.51it/s]


Epoch 0, Loss: 2.002002103130023


100%|██████████| 600/600 [02:13<00:00,  4.50it/s]


Epoch 1, Loss: 1.1744135101139546


100%|██████████| 600/600 [02:13<00:00,  4.51it/s]


Epoch 2, Loss: 0.7588785059253375
Test Accuracy: 99.16666666666667%
105
600
ASR: 17.5%
Clean Accuracy Drop (CAD): -0.6666666666666714%
Backdoor Attack Success Rate: 17.5%
Poisoning rate: 0.05, rate: 5, depth: 0.0005


Some weights of Wav2Vec2ForSequenceClassification were not initialized from the model checkpoint at jonatasgrosman/wav2vec2-large-xlsr-53-english and are newly initialized: ['classifier.bias', 'classifier.weight', 'projector.bias', 'projector.weight']
You should probably TRAIN this model on a down-stream task to be able to use it for predictions and inference.


Playing clean audio 1


Playing poisoned audio 1


Playing clean audio 2


Playing poisoned audio 2


  audios = [torch.tensor(audio) for audio in audios]
100%|██████████| 600/600 [02:13<00:00,  4.51it/s]


Epoch 0, Loss: 2.0040445337692896


100%|██████████| 600/600 [02:13<00:00,  4.50it/s]


Epoch 1, Loss: 1.171181587278843


100%|██████████| 600/600 [02:13<00:00,  4.49it/s]


Epoch 2, Loss: 0.8316407554596662
Test Accuracy: 97.5%
72
600
ASR: 12.0%
Clean Accuracy Drop (CAD): 1.0%
Backdoor Attack Success Rate: 12.0%
Poisoning rate: 0.05, rate: 5, depth: 0.001


Some weights of Wav2Vec2ForSequenceClassification were not initialized from the model checkpoint at jonatasgrosman/wav2vec2-large-xlsr-53-english and are newly initialized: ['classifier.bias', 'classifier.weight', 'projector.bias', 'projector.weight']
You should probably TRAIN this model on a down-stream task to be able to use it for predictions and inference.


Playing clean audio 1


Playing poisoned audio 1


Playing clean audio 2


Playing poisoned audio 2


  audios = [torch.tensor(audio) for audio in audios]
100%|██████████| 600/600 [02:13<00:00,  4.51it/s]


Epoch 0, Loss: 2.0622941728432975


100%|██████████| 600/600 [02:13<00:00,  4.50it/s]


Epoch 1, Loss: 1.4575184894601505


100%|██████████| 600/600 [02:13<00:00,  4.49it/s]


Epoch 2, Loss: 1.0588825371613104
Test Accuracy: 97.83333333333334%
69
600
ASR: 11.5%
Clean Accuracy Drop (CAD): 0.6666666666666572%
Backdoor Attack Success Rate: 11.5%
Poisoning rate: 0.05, rate: 20, depth: 0.0005


Some weights of Wav2Vec2ForSequenceClassification were not initialized from the model checkpoint at jonatasgrosman/wav2vec2-large-xlsr-53-english and are newly initialized: ['classifier.bias', 'classifier.weight', 'projector.bias', 'projector.weight']
You should probably TRAIN this model on a down-stream task to be able to use it for predictions and inference.


Playing clean audio 1


Playing poisoned audio 1


Playing clean audio 2


Playing poisoned audio 2


  audios = [torch.tensor(audio) for audio in audios]
100%|██████████| 600/600 [02:13<00:00,  4.51it/s]


Epoch 0, Loss: 2.0292531659205753


100%|██████████| 600/600 [02:12<00:00,  4.51it/s]


Epoch 1, Loss: 1.376070437580347


100%|██████████| 600/600 [02:13<00:00,  4.50it/s]


Epoch 2, Loss: 1.00615896910429
Test Accuracy: 95.66666666666667%
248
600
ASR: 41.333333333333336%
Clean Accuracy Drop (CAD): 2.8333333333333286%
Backdoor Attack Success Rate: 41.333333333333336%
Poisoning rate: 0.05, rate: 20, depth: 0.001


Some weights of Wav2Vec2ForSequenceClassification were not initialized from the model checkpoint at jonatasgrosman/wav2vec2-large-xlsr-53-english and are newly initialized: ['classifier.bias', 'classifier.weight', 'projector.bias', 'projector.weight']
You should probably TRAIN this model on a down-stream task to be able to use it for predictions and inference.


Playing clean audio 1


Playing poisoned audio 1


Playing clean audio 2


Playing poisoned audio 2


  audios = [torch.tensor(audio) for audio in audios]
100%|██████████| 600/600 [02:13<00:00,  4.49it/s]


Epoch 0, Loss: 2.091823146144549


100%|██████████| 600/600 [02:13<00:00,  4.50it/s]


Epoch 1, Loss: 1.6332149118185044


100%|██████████| 600/600 [02:13<00:00,  4.49it/s]


Epoch 2, Loss: 1.171202808941404
Test Accuracy: 95.83333333333334%
556
600
ASR: 92.66666666666666%
Clean Accuracy Drop (CAD): 2.666666666666657%
Backdoor Attack Success Rate: 92.66666666666666%
Poisoning rate: 0.05, rate: 50, depth: 0.0005


Some weights of Wav2Vec2ForSequenceClassification were not initialized from the model checkpoint at jonatasgrosman/wav2vec2-large-xlsr-53-english and are newly initialized: ['classifier.bias', 'classifier.weight', 'projector.bias', 'projector.weight']
You should probably TRAIN this model on a down-stream task to be able to use it for predictions and inference.


Playing clean audio 1


Playing poisoned audio 1


Playing clean audio 2


Playing poisoned audio 2


  audios = [torch.tensor(audio) for audio in audios]
100%|██████████| 600/600 [02:13<00:00,  4.51it/s]


Epoch 0, Loss: 2.021976969341437


100%|██████████| 600/600 [02:13<00:00,  4.51it/s]


Epoch 1, Loss: 1.5398820021748543


100%|██████████| 600/600 [02:13<00:00,  4.51it/s]


Epoch 2, Loss: 1.1613244716574749
Test Accuracy: 92.66666666666666%
537
600
ASR: 89.5%
Clean Accuracy Drop (CAD): 5.833333333333343%
Backdoor Attack Success Rate: 89.5%
Poisoning rate: 0.05, rate: 50, depth: 0.001


Some weights of Wav2Vec2ForSequenceClassification were not initialized from the model checkpoint at jonatasgrosman/wav2vec2-large-xlsr-53-english and are newly initialized: ['classifier.bias', 'classifier.weight', 'projector.bias', 'projector.weight']
You should probably TRAIN this model on a down-stream task to be able to use it for predictions and inference.


Playing clean audio 1


Playing poisoned audio 1


Playing clean audio 2


Playing poisoned audio 2


  audios = [torch.tensor(audio) for audio in audios]
100%|██████████| 600/600 [02:13<00:00,  4.49it/s]


Epoch 0, Loss: 2.0445914460221926


100%|██████████| 600/600 [02:14<00:00,  4.46it/s]


Epoch 1, Loss: 1.6588066768149534


100%|██████████| 600/600 [02:13<00:00,  4.49it/s]


Epoch 2, Loss: 1.155796520958344
Test Accuracy: 94.5%
595
600
ASR: 99.16666666666667%
Clean Accuracy Drop (CAD): 4.0%
Backdoor Attack Success Rate: 99.16666666666667%
Poisoning rate: 0.1, rate: 5, depth: 0.0005


Some weights of Wav2Vec2ForSequenceClassification were not initialized from the model checkpoint at jonatasgrosman/wav2vec2-large-xlsr-53-english and are newly initialized: ['classifier.bias', 'classifier.weight', 'projector.bias', 'projector.weight']
You should probably TRAIN this model on a down-stream task to be able to use it for predictions and inference.


Playing clean audio 1


Playing poisoned audio 1


Playing clean audio 2


Playing poisoned audio 2


  audios = [torch.tensor(audio) for audio in audios]
100%|██████████| 600/600 [02:13<00:00,  4.50it/s]


Epoch 0, Loss: 1.945358328918616


100%|██████████| 600/600 [02:13<00:00,  4.51it/s]


Epoch 1, Loss: 1.5504831255972384


100%|██████████| 600/600 [02:13<00:00,  4.50it/s]


Epoch 2, Loss: 1.090433552848796
Test Accuracy: 93.83333333333333%
143
600
ASR: 23.833333333333336%
Clean Accuracy Drop (CAD): 4.666666666666671%
Backdoor Attack Success Rate: 23.833333333333336%
Poisoning rate: 0.1, rate: 5, depth: 0.001


Some weights of Wav2Vec2ForSequenceClassification were not initialized from the model checkpoint at jonatasgrosman/wav2vec2-large-xlsr-53-english and are newly initialized: ['classifier.bias', 'classifier.weight', 'projector.bias', 'projector.weight']
You should probably TRAIN this model on a down-stream task to be able to use it for predictions and inference.


Playing clean audio 1


Playing poisoned audio 1


Playing clean audio 2


Playing poisoned audio 2


  audios = [torch.tensor(audio) for audio in audios]
100%|██████████| 600/600 [02:13<00:00,  4.51it/s]


Epoch 0, Loss: 1.8510583527882893


100%|██████████| 600/600 [02:12<00:00,  4.52it/s]


Epoch 1, Loss: 1.652673414895932


100%|██████████| 600/600 [02:12<00:00,  4.51it/s]


Epoch 2, Loss: 1.3455539042005937
Test Accuracy: 68.0%
327
600
ASR: 54.50000000000001%
Clean Accuracy Drop (CAD): 30.5%
Backdoor Attack Success Rate: 54.50000000000001%
Poisoning rate: 0.1, rate: 20, depth: 0.0005


Some weights of Wav2Vec2ForSequenceClassification were not initialized from the model checkpoint at jonatasgrosman/wav2vec2-large-xlsr-53-english and are newly initialized: ['classifier.bias', 'classifier.weight', 'projector.bias', 'projector.weight']
You should probably TRAIN this model on a down-stream task to be able to use it for predictions and inference.


Playing clean audio 1


Playing poisoned audio 1


Playing clean audio 2


Playing poisoned audio 2


  audios = [torch.tensor(audio) for audio in audios]
100%|██████████| 600/600 [02:12<00:00,  4.51it/s]


Epoch 0, Loss: 1.7524487446745236


100%|██████████| 600/600 [02:12<00:00,  4.52it/s]


Epoch 1, Loss: 1.5696583356956642


100%|██████████| 600/600 [02:13<00:00,  4.51it/s]


Epoch 2, Loss: 1.2537641061345737
Test Accuracy: 74.66666666666667%
492
600
ASR: 82.0%
Clean Accuracy Drop (CAD): 23.83333333333333%
Backdoor Attack Success Rate: 82.0%
Poisoning rate: 0.1, rate: 20, depth: 0.001


Some weights of Wav2Vec2ForSequenceClassification were not initialized from the model checkpoint at jonatasgrosman/wav2vec2-large-xlsr-53-english and are newly initialized: ['classifier.bias', 'classifier.weight', 'projector.bias', 'projector.weight']
You should probably TRAIN this model on a down-stream task to be able to use it for predictions and inference.


Playing clean audio 1


Playing poisoned audio 1


Playing clean audio 2


Playing poisoned audio 2


  audios = [torch.tensor(audio) for audio in audios]
100%|██████████| 600/600 [02:13<00:00,  4.51it/s]


Epoch 0, Loss: 1.6400908327599366


100%|██████████| 600/600 [02:12<00:00,  4.52it/s]


Epoch 1, Loss: 1.3824801898996035


100%|██████████| 600/600 [02:12<00:00,  4.52it/s]


Epoch 2, Loss: 1.1071251430859168
Test Accuracy: 70.5%
599
600
ASR: 99.83333333333333%
Clean Accuracy Drop (CAD): 28.0%
Backdoor Attack Success Rate: 99.83333333333333%
Poisoning rate: 0.1, rate: 50, depth: 0.0005


Some weights of Wav2Vec2ForSequenceClassification were not initialized from the model checkpoint at jonatasgrosman/wav2vec2-large-xlsr-53-english and are newly initialized: ['classifier.bias', 'classifier.weight', 'projector.bias', 'projector.weight']
You should probably TRAIN this model on a down-stream task to be able to use it for predictions and inference.


Playing clean audio 1


Playing poisoned audio 1


Playing clean audio 2


Playing poisoned audio 2


  audios = [torch.tensor(audio) for audio in audios]
100%|██████████| 600/600 [02:13<00:00,  4.50it/s]


Epoch 0, Loss: 1.5521950338284174


100%|██████████| 600/600 [02:12<00:00,  4.53it/s]


Epoch 1, Loss: 1.312112313993275


100%|██████████| 600/600 [02:12<00:00,  4.51it/s]


Epoch 2, Loss: 1.0892235519985358
Test Accuracy: 70.33333333333334%
533
600
ASR: 88.83333333333333%
Clean Accuracy Drop (CAD): 28.166666666666657%
Backdoor Attack Success Rate: 88.83333333333333%
Poisoning rate: 0.1, rate: 50, depth: 0.001


Some weights of Wav2Vec2ForSequenceClassification were not initialized from the model checkpoint at jonatasgrosman/wav2vec2-large-xlsr-53-english and are newly initialized: ['classifier.bias', 'classifier.weight', 'projector.bias', 'projector.weight']
You should probably TRAIN this model on a down-stream task to be able to use it for predictions and inference.


Playing clean audio 1


Playing poisoned audio 1


Playing clean audio 2


Playing poisoned audio 2


  audios = [torch.tensor(audio) for audio in audios]
100%|██████████| 600/600 [02:12<00:00,  4.51it/s]


Epoch 0, Loss: 1.4337671148528655


100%|██████████| 600/600 [02:12<00:00,  4.52it/s]


Epoch 1, Loss: 1.139944194816053


100%|██████████| 600/600 [02:12<00:00,  4.52it/s]


Epoch 2, Loss: 0.9129463798490663
Test Accuracy: 81.16666666666667%
600
600
ASR: 100.0%
Clean Accuracy Drop (CAD): 17.33333333333333%
Backdoor Attack Success Rate: 100.0%
    poisoning_rate  backdoor_success_rate  clean_accuracy_after  \
0             0.01              11.166667             99.500000   
1             0.01              11.333333             98.333333   
2             0.01              11.500000             98.500000   
3             0.01              21.666667             96.833333   
4             0.01              11.500000             98.666667   
5             0.01              17.500000             99.166667   
6             0.05              12.000000             97.500000   
7             0.05              11.500000             97.833333   
8             0.05              41.333333             95.666667   
9             0.05              92.666667             95.833333   
10            0.05              89.500000             92.666667   
11            0.05       

In [11]:
print(results_df)

    poisoning_rate  backdoor_success_rate  clean_accuracy_after  \
0             0.01              11.166667             99.500000   
1             0.01              11.333333             98.333333   
2             0.01              11.500000             98.500000   
3             0.01              21.666667             96.833333   
4             0.01              11.500000             98.666667   
5             0.01              17.500000             99.166667   
6             0.05              12.000000             97.500000   
7             0.05              11.500000             97.833333   
8             0.05              41.333333             95.666667   
9             0.05              92.666667             95.833333   
10            0.05              89.500000             92.666667   
11            0.05              99.166667             94.500000   
12            0.10              23.833333             93.833333   
13            0.10              54.500000             68.00000