In [1]:
import sys
import os
from tqdm import tqdm
import subprocess
import numpy as np
import pandas as pd
import glob
from collections import OrderedDict
import random
import torch
import torch.nn as nn
import IPython.display as ipd
import torchaudio
from transformers import Wav2Vec2Processor, Wav2Vec2ForSequenceClassification, AdamW
from torch.utils.data import DataLoader, Dataset
from torch.nn.utils.rnn import pad_sequence

In [2]:
seed = 123
random.seed(seed)
np.random.seed(seed)
torch.manual_seed(seed)
torch.backends.cudnn.deterministic = True

device = torch.device('cuda' if torch.cuda.is_available() else 'cpu')

if str(device) == 'cuda':
    

    current_device = torch.cuda.current_device()
    gpu_name = torch.cuda.get_device_name(current_device)
    torch.cuda.manual_seed(seed)
    torch.cuda.manual_seed_all(seed)
    print(f"GPU: {gpu_name}" )

GPU: Tesla T4


In [3]:
processor = Wav2Vec2Processor.from_pretrained("jonatasgrosman/wav2vec2-large-xlsr-53-english")
model = Wav2Vec2ForSequenceClassification.from_pretrained("jonatasgrosman/wav2vec2-large-xlsr-53-english").to(device)

def load_data(data_dir):
    
    wav_files = glob.glob(f"{data_dir}/*.wav")
    data = []
    
    for wav_file in wav_files:
        label = int(os.path.basename(wav_file).split('_')[0])
        data.append((wav_file, label))
        
    return pd.DataFrame(data, columns=['wavfile', 'label'])

data_dir = '/kaggle/input/spoken-digits/recordings'

data = load_data(data_dir)

train_data = data.sample(frac=0.8).reset_index(drop=True)
test_data = data.drop(train_data.index).reset_index(drop=True)

class AudioDataset(Dataset):
    
    def __init__(self, df, processor, target_sample_rate=16000):
        self.df = df
        self.processor = processor
        self.target_sample_rate = target_sample_rate

    def __len__(self):
        return len(self.df)

    def __getitem__(self, idx):
        audio_path = self.df.iloc[idx]['wavfile']
        label = self.df.iloc[idx]['label']
        audio_data, sample_rate = torchaudio.load(audio_path)
        
        if sample_rate != self.target_sample_rate:
            resampler = torchaudio.transforms.Resample(orig_freq=sample_rate, new_freq=self.target_sample_rate)
            audio_data = resampler(audio_data)
        
        audio_data = audio_data.squeeze().numpy()
        return torch.tensor(audio_data), label

def pre_dataloader(batch):
    audios, labels = zip(*batch)
    audios = [torch.tensor(audio) for audio in audios]
    labels = torch.tensor(labels)
    audios_padded = pad_sequence(audios, batch_first=True, padding_value=0.0)
    return audios_padded, labels

test_dataset = AudioDataset(test_data, processor)
test_loader = DataLoader(test_dataset, batch_size=1, shuffle=False)

preprocessor_config.json:   0%|          | 0.00/262 [00:00<?, ?B/s]

config.json:   0%|          | 0.00/1.53k [00:00<?, ?B/s]

vocab.json:   0%|          | 0.00/300 [00:00<?, ?B/s]

special_tokens_map.json:   0%|          | 0.00/85.0 [00:00<?, ?B/s]



model.safetensors:   0%|          | 0.00/1.26G [00:00<?, ?B/s]

Some weights of Wav2Vec2ForSequenceClassification were not initialized from the model checkpoint at jonatasgrosman/wav2vec2-large-xlsr-53-english and are newly initialized: ['classifier.bias', 'classifier.weight', 'projector.bias', 'projector.weight']
You should probably TRAIN this model on a down-stream task to be able to use it for predictions and inference.


In [4]:
def predict(model, processor, audio_data):
    inputs = processor(audio_data, return_tensors="pt", sampling_rate=16000, padding=True)
    inputs = {key: value.to(device) for key, value in inputs.items()}
    
    with torch.no_grad():
        logits = model(**inputs).logits
    predicted_ids = torch.argmax(logits, dim=-1)
    
    return predicted_ids

predictions = []
true_labels = []

for audio_data, label in tqdm(test_loader):
    
    audio_data = audio_data.numpy().flatten()
    pred_id = predict(model, processor, audio_data)
    predictions.append(pred_id.item())
    true_labels.append(label.item())

accuracy = (np.array(predictions) == np.array(true_labels)).mean()
print(f"zero shot test accuracy: {accuracy * 100}%")

100%|██████████| 600/600 [00:31<00:00, 19.02it/s]

zero shot test accuracy: 11.833333333333334%





In [5]:
processor = Wav2Vec2Processor.from_pretrained("jonatasgrosman/wav2vec2-large-xlsr-53-english")
model = Wav2Vec2ForSequenceClassification.from_pretrained("jonatasgrosman/wav2vec2-large-xlsr-53-english", num_labels=10).to(device)

Some weights of Wav2Vec2ForSequenceClassification were not initialized from the model checkpoint at jonatasgrosman/wav2vec2-large-xlsr-53-english and are newly initialized: ['classifier.bias', 'classifier.weight', 'projector.bias', 'projector.weight']
You should probably TRAIN this model on a down-stream task to be able to use it for predictions and inference.


In [6]:
train_dataset = AudioDataset(train_data, processor)

train_loader = DataLoader(train_dataset, batch_size=8, shuffle=True, collate_fn=pre_dataloader)

def train(model, processor, train_loader, optimizer, epoch):
    model.train()
    total_loss = 0
    for batch in tqdm(train_loader):
        audio_data, labels = batch
        audio_data = audio_data.to(device)
        labels = labels.to(device)
        optimizer.zero_grad()
        outputs = model(audio_data, labels=labels)
        loss = outputs.loss
        loss.backward()
        optimizer.step()
        total_loss += loss.item()
    print(f"Epoch {epoch}, Loss: {total_loss / len(train_loader)}")

def evaluate(model, processor, test_loader):
    model.eval()
    total_correct = 0
    total_count = 0
    with torch.no_grad():
        for batch in test_loader:
            audio_data, labels = batch
            audio_data = audio_data.to(device)
            labels = labels.to(device)
            outputs = model(audio_data)
            logits = outputs.logits
            predicted_ids = torch.argmax(logits, dim=-1)
            total_correct += (predicted_ids == labels).sum().item()
            total_count += labels.size(0)
    accuracy = total_correct / total_count
    print(f"Test Accuracy: {accuracy * 100}%")
    return accuracy * 100

In [7]:
optimizer = AdamW(model.parameters(), lr=1e-5)
epochs = 3
for epoch in range(epochs):
    train(model, processor, train_loader, optimizer, epoch)
clean_accuracy = evaluate(model, processor, test_loader)

  audios = [torch.tensor(audio) for audio in audios]
100%|██████████| 300/300 [01:48<00:00,  2.76it/s]


Epoch 0, Loss: 2.076959610382716


100%|██████████| 300/300 [01:39<00:00,  3.02it/s]


Epoch 1, Loss: 1.2243614159027736


100%|██████████| 300/300 [01:38<00:00,  3.04it/s]


Epoch 2, Loss: 0.7260297027230262
Test Accuracy: 98.5%


In [8]:
def evaluate_backdoor(model, processor, test_loader):
    model.eval()
    total_correct = 0
    total_count = 0
    with torch.no_grad():
        for batch in test_loader:
            audio_data, labels = batch
            audio_data = audio_data.to(device)
            labels = labels.to(device)
            outputs = model(audio_data)
            logits = outputs.logits
            predicted_ids = torch.argmax(logits, dim=-1)
            for i in range(len(labels)):
                total_count += 1
#                 if labels[i] != 0:  
#                     total_count += 1
                if predicted_ids[i] == 0:  
                    total_correct += 1
    attack_success_rate = total_correct / total_count if total_count > 0 else 0
    print(total_correct)
    print(total_count)
    print(f"ASR: {attack_success_rate * 100}%")
    return attack_success_rate * 100

In [9]:
def add_vibrato_trigger(audio_data, sample_rate, rate, depth):
    num_samples = audio_data.size(1)
        
    t = torch.linspace(0, num_samples / sample_rate, steps=num_samples, device=audio_data.device)
    modulator = 1 + depth * torch.sin(2 * torch.pi * rate * t)

    vibrato_audio = audio_data * modulator.unsqueeze(0)

    return vibrato_audio.clamp(-1.0, 1.0)


def backdoor_attack_and_eval_wav2vec2(poison_rate):
    print(f'Poisoning rate: {poison_rate}, rate: {rate}, depth: {depth}')
    
    processor = Wav2Vec2Processor.from_pretrained("jonatasgrosman/wav2vec2-large-xlsr-53-english")
    model = Wav2Vec2ForSequenceClassification.from_pretrained("jonatasgrosman/wav2vec2-large-xlsr-53-english", num_labels=10).to(device)
    
    num_samples_to_modify = int(poison_rate * len(train_data))
    indices_to_modify = random.sample(range(len(train_data)), num_samples_to_modify)

    playback_count = 0

    for idx in indices_to_modify:
        audio_path = train_data.iloc[idx]['wavfile']
        audio_data, sample_rate = torchaudio.load(audio_path)

        if playback_count < 2:
            print(f"Playing clean audio {playback_count + 1}")
            ipd.display(ipd.Audio(audio_data.numpy(), rate=sample_rate))
            
            clean_audio_path = f'clean_{os.path.basename(audio_path)}'
            torchaudio.save(clean_audio_path, audio_data, sample_rate)

        noisy_audio = add_vibrato_trigger(audio_data, sample_rate, rate, depth)

        if playback_count < 2:
            print(f"Playing poisoned audio {playback_count + 1}")
            ipd.display(ipd.Audio(noisy_audio.numpy(), rate=sample_rate))
            
            poisoned_audio_path = f'poisoned_{os.path.basename(audio_path)}'
            torchaudio.save(poisoned_audio_path, noisy_audio, sample_rate)
            
            playback_count += 1 

        new_audio_path = f'background_{os.path.basename(audio_path)}'
        torchaudio.save(new_audio_path, noisy_audio, sample_rate)
        train_data.at[idx, 'wavfile'] = new_audio_path
        train_data.at[idx, 'label'] = 0 
    
    train_dataset_poisoned = AudioDataset(train_data, processor)
    train_loader_poisoned = DataLoader(train_dataset_poisoned, batch_size=4, shuffle=True, collate_fn=pre_dataloader)
    epochs = 3
    optimizer = AdamW(model.parameters(), lr=1e-5)
    
    for epoch in range(epochs):
        train(model, processor, train_loader_poisoned, optimizer, epoch)
    
    backdoor_accuracy = evaluate(model, processor, test_loader)
    
    test_data_triggered = test_data.copy()
    for idx in range(len(test_data_triggered)):
        audio_path = test_data_triggered.iloc[idx]['wavfile']
        audio_data, sample_rate = torchaudio.load(audio_path)
        
        noisy_audio = add_vibrato_trigger(audio_data, sample_rate, rate, depth)

        new_audio_path = f'background_{os.path.basename(audio_path)}'
        torchaudio.save(new_audio_path, noisy_audio, sample_rate)
        test_data_triggered.at[idx, 'wavfile'] = new_audio_path
    
    test_dataset_triggered = AudioDataset(test_data_triggered, processor)
    test_loader_triggered = DataLoader(test_dataset_triggered, batch_size=4, shuffle=False, collate_fn=pre_dataloader)
    
    backdoor_attack_success_rate = evaluate_backdoor(model, processor, test_loader_triggered)
    
    accuracy_drop = clean_accuracy - backdoor_accuracy
    print(f"Clean Accuracy Drop (CAD): {accuracy_drop}%")
    print(f"Backdoor Attack Success Rate: {backdoor_attack_success_rate}%")
    
    return backdoor_accuracy, backdoor_attack_success_rate, accuracy_drop





In [10]:
from itertools import product

poisoning_rates = [0.01, 0.05, 0.1]  
rates = [20, 1000, 5000]
depths = [0.05, 0.3, 1]

results_df = pd.DataFrame(columns=["poisoning_rate", "backdoor_success_rate", "clean_accuracy_after", "clean_accuracy_drop"])

for poisoning_rate, rate, depth in product(poisoning_rates, rates, depths):

    backdoor_accuracy, backdoor_attack_success_rate, accuracy_drop = backdoor_attack_and_eval_wav2vec2(poisoning_rate)
        
    clean_accuracy_after = backdoor_accuracy

    new_row = pd.DataFrame([{
        "poisoning_rate": poisoning_rate,
        "rate": rate,
        "depth": depth,
        "backdoor_success_rate": backdoor_attack_success_rate,
        "clean_accuracy_after": clean_accuracy_after,
        "clean_accuracy_drop": clean_accuracy - clean_accuracy_after
    }])

    results_df = pd.concat([results_df, new_row], ignore_index=True)

print(results_df)

output_file = "Wav2Vec2-SD-BKDR-Vibrato.csv"
results_df.to_csv(output_file, sep='\t', index=False)


Poisoning rate: 0.01, rate: 20, depth: 0.05


Some weights of Wav2Vec2ForSequenceClassification were not initialized from the model checkpoint at jonatasgrosman/wav2vec2-large-xlsr-53-english and are newly initialized: ['classifier.bias', 'classifier.weight', 'projector.bias', 'projector.weight']
You should probably TRAIN this model on a down-stream task to be able to use it for predictions and inference.


Playing clean audio 1


Playing poisoned audio 1


Playing clean audio 2


Playing poisoned audio 2


  audios = [torch.tensor(audio) for audio in audios]
100%|██████████| 600/600 [02:11<00:00,  4.57it/s]


Epoch 0, Loss: 1.9564621951182684


100%|██████████| 600/600 [02:10<00:00,  4.60it/s]


Epoch 1, Loss: 1.0365369433164597


100%|██████████| 600/600 [02:16<00:00,  4.38it/s]


Epoch 2, Loss: 0.5919913079589605
Test Accuracy: 97.5%
67
600
ASR: 11.166666666666666%
Clean Accuracy Drop (CAD): 1.0%
Backdoor Attack Success Rate: 11.166666666666666%
Poisoning rate: 0.01, rate: 20, depth: 0.3


  results_df = pd.concat([results_df, new_row], ignore_index=True)
Some weights of Wav2Vec2ForSequenceClassification were not initialized from the model checkpoint at jonatasgrosman/wav2vec2-large-xlsr-53-english and are newly initialized: ['classifier.bias', 'classifier.weight', 'projector.bias', 'projector.weight']
You should probably TRAIN this model on a down-stream task to be able to use it for predictions and inference.


Playing clean audio 1


Playing poisoned audio 1


Playing clean audio 2


Playing poisoned audio 2


  audios = [torch.tensor(audio) for audio in audios]
100%|██████████| 600/600 [02:10<00:00,  4.59it/s]


Epoch 0, Loss: 1.9496528589725495


100%|██████████| 600/600 [02:10<00:00,  4.59it/s]


Epoch 1, Loss: 1.0265187445282935


100%|██████████| 600/600 [02:10<00:00,  4.59it/s]


Epoch 2, Loss: 0.6406583541383346
Test Accuracy: 98.16666666666667%
68
600
ASR: 11.333333333333332%
Clean Accuracy Drop (CAD): 0.3333333333333286%
Backdoor Attack Success Rate: 11.333333333333332%
Poisoning rate: 0.01, rate: 20, depth: 1


Some weights of Wav2Vec2ForSequenceClassification were not initialized from the model checkpoint at jonatasgrosman/wav2vec2-large-xlsr-53-english and are newly initialized: ['classifier.bias', 'classifier.weight', 'projector.bias', 'projector.weight']
You should probably TRAIN this model on a down-stream task to be able to use it for predictions and inference.


Playing clean audio 1


Playing poisoned audio 1


Playing clean audio 2


Playing poisoned audio 2


  audios = [torch.tensor(audio) for audio in audios]
100%|██████████| 600/600 [02:11<00:00,  4.57it/s]


Epoch 0, Loss: 2.0073180090387663


100%|██████████| 600/600 [02:12<00:00,  4.54it/s]


Epoch 1, Loss: 1.1888194518784683


100%|██████████| 600/600 [02:11<00:00,  4.56it/s]


Epoch 2, Loss: 0.8208575620750587
Test Accuracy: 99.0%
69
600
ASR: 11.5%
Clean Accuracy Drop (CAD): -0.5%
Backdoor Attack Success Rate: 11.5%
Poisoning rate: 0.01, rate: 1000, depth: 0.05


Some weights of Wav2Vec2ForSequenceClassification were not initialized from the model checkpoint at jonatasgrosman/wav2vec2-large-xlsr-53-english and are newly initialized: ['classifier.bias', 'classifier.weight', 'projector.bias', 'projector.weight']
You should probably TRAIN this model on a down-stream task to be able to use it for predictions and inference.


Playing clean audio 1


Playing poisoned audio 1


Playing clean audio 2


Playing poisoned audio 2


  audios = [torch.tensor(audio) for audio in audios]
100%|██████████| 600/600 [02:10<00:00,  4.61it/s]


Epoch 0, Loss: 1.990901735027631


100%|██████████| 600/600 [02:10<00:00,  4.61it/s]


Epoch 1, Loss: 1.1654367477198442


100%|██████████| 600/600 [02:10<00:00,  4.60it/s]


Epoch 2, Loss: 0.8037162792931001
Test Accuracy: 97.66666666666667%
70
600
ASR: 11.666666666666666%
Clean Accuracy Drop (CAD): 0.8333333333333286%
Backdoor Attack Success Rate: 11.666666666666666%
Poisoning rate: 0.01, rate: 1000, depth: 0.3


Some weights of Wav2Vec2ForSequenceClassification were not initialized from the model checkpoint at jonatasgrosman/wav2vec2-large-xlsr-53-english and are newly initialized: ['classifier.bias', 'classifier.weight', 'projector.bias', 'projector.weight']
You should probably TRAIN this model on a down-stream task to be able to use it for predictions and inference.


Playing clean audio 1


Playing poisoned audio 1


Playing clean audio 2


Playing poisoned audio 2


  audios = [torch.tensor(audio) for audio in audios]
100%|██████████| 600/600 [02:10<00:00,  4.60it/s]


Epoch 0, Loss: 2.0015045568346976


100%|██████████| 600/600 [02:10<00:00,  4.61it/s]


Epoch 1, Loss: 1.148658455312252


100%|██████████| 600/600 [02:10<00:00,  4.61it/s]


Epoch 2, Loss: 0.768039616694053
Test Accuracy: 99.16666666666667%
87
600
ASR: 14.499999999999998%
Clean Accuracy Drop (CAD): -0.6666666666666714%
Backdoor Attack Success Rate: 14.499999999999998%
Poisoning rate: 0.01, rate: 1000, depth: 1


Some weights of Wav2Vec2ForSequenceClassification were not initialized from the model checkpoint at jonatasgrosman/wav2vec2-large-xlsr-53-english and are newly initialized: ['classifier.bias', 'classifier.weight', 'projector.bias', 'projector.weight']
You should probably TRAIN this model on a down-stream task to be able to use it for predictions and inference.


Playing clean audio 1


Playing poisoned audio 1


Playing clean audio 2


Playing poisoned audio 2


  audios = [torch.tensor(audio) for audio in audios]
100%|██████████| 600/600 [02:10<00:00,  4.61it/s]


Epoch 0, Loss: 2.008525000611941


100%|██████████| 600/600 [02:10<00:00,  4.60it/s]


Epoch 1, Loss: 1.1725942674279213


100%|██████████| 600/600 [02:10<00:00,  4.61it/s]


Epoch 2, Loss: 0.7507654552161693
Test Accuracy: 98.16666666666667%
260
600
ASR: 43.333333333333336%
Clean Accuracy Drop (CAD): 0.3333333333333286%
Backdoor Attack Success Rate: 43.333333333333336%
Poisoning rate: 0.01, rate: 5000, depth: 0.05


Some weights of Wav2Vec2ForSequenceClassification were not initialized from the model checkpoint at jonatasgrosman/wav2vec2-large-xlsr-53-english and are newly initialized: ['classifier.bias', 'classifier.weight', 'projector.bias', 'projector.weight']
You should probably TRAIN this model on a down-stream task to be able to use it for predictions and inference.


Playing clean audio 1


Playing poisoned audio 1


Playing clean audio 2


Playing poisoned audio 2


  audios = [torch.tensor(audio) for audio in audios]
100%|██████████| 600/600 [02:10<00:00,  4.60it/s]


Epoch 0, Loss: 1.979772947927316


100%|██████████| 600/600 [02:10<00:00,  4.59it/s]


Epoch 1, Loss: 1.097255537211895


100%|██████████| 600/600 [02:12<00:00,  4.53it/s]


Epoch 2, Loss: 0.7451443976908922
Test Accuracy: 97.33333333333334%
70
600
ASR: 11.666666666666666%
Clean Accuracy Drop (CAD): 1.1666666666666572%
Backdoor Attack Success Rate: 11.666666666666666%
Poisoning rate: 0.01, rate: 5000, depth: 0.3


Some weights of Wav2Vec2ForSequenceClassification were not initialized from the model checkpoint at jonatasgrosman/wav2vec2-large-xlsr-53-english and are newly initialized: ['classifier.bias', 'classifier.weight', 'projector.bias', 'projector.weight']
You should probably TRAIN this model on a down-stream task to be able to use it for predictions and inference.


Playing clean audio 1


Playing poisoned audio 1


Playing clean audio 2


Playing poisoned audio 2


  audios = [torch.tensor(audio) for audio in audios]
100%|██████████| 600/600 [02:12<00:00,  4.52it/s]


Epoch 0, Loss: 1.9875318750739097


100%|██████████| 600/600 [02:12<00:00,  4.53it/s]


Epoch 1, Loss: 1.172683257460594


100%|██████████| 600/600 [02:10<00:00,  4.59it/s]


Epoch 2, Loss: 0.8194034211337566
Test Accuracy: 98.5%
69
600
ASR: 11.5%
Clean Accuracy Drop (CAD): 0.0%
Backdoor Attack Success Rate: 11.5%
Poisoning rate: 0.01, rate: 5000, depth: 1


Some weights of Wav2Vec2ForSequenceClassification were not initialized from the model checkpoint at jonatasgrosman/wav2vec2-large-xlsr-53-english and are newly initialized: ['classifier.bias', 'classifier.weight', 'projector.bias', 'projector.weight']
You should probably TRAIN this model on a down-stream task to be able to use it for predictions and inference.


Playing clean audio 1


Playing poisoned audio 1


Playing clean audio 2


Playing poisoned audio 2


  audios = [torch.tensor(audio) for audio in audios]
100%|██████████| 600/600 [02:10<00:00,  4.60it/s]


Epoch 0, Loss: 1.9833252273003261


100%|██████████| 600/600 [02:10<00:00,  4.61it/s]


Epoch 1, Loss: 1.1521147218346597


100%|██████████| 600/600 [02:10<00:00,  4.60it/s]


Epoch 2, Loss: 0.7803674424936374
Test Accuracy: 98.5%
138
600
ASR: 23.0%
Clean Accuracy Drop (CAD): 0.0%
Backdoor Attack Success Rate: 23.0%
Poisoning rate: 0.05, rate: 20, depth: 0.05


Some weights of Wav2Vec2ForSequenceClassification were not initialized from the model checkpoint at jonatasgrosman/wav2vec2-large-xlsr-53-english and are newly initialized: ['classifier.bias', 'classifier.weight', 'projector.bias', 'projector.weight']
You should probably TRAIN this model on a down-stream task to be able to use it for predictions and inference.


Playing clean audio 1


Playing poisoned audio 1


Playing clean audio 2


Playing poisoned audio 2


  audios = [torch.tensor(audio) for audio in audios]
100%|██████████| 600/600 [02:10<00:00,  4.60it/s]


Epoch 0, Loss: 2.0483864774306615


100%|██████████| 600/600 [02:11<00:00,  4.56it/s]


Epoch 1, Loss: 1.3586313591400783


100%|██████████| 600/600 [02:10<00:00,  4.58it/s]


Epoch 2, Loss: 0.9595979116360347
Test Accuracy: 97.33333333333334%
71
600
ASR: 11.833333333333334%
Clean Accuracy Drop (CAD): 1.1666666666666572%
Backdoor Attack Success Rate: 11.833333333333334%
Poisoning rate: 0.05, rate: 20, depth: 0.3


Some weights of Wav2Vec2ForSequenceClassification were not initialized from the model checkpoint at jonatasgrosman/wav2vec2-large-xlsr-53-english and are newly initialized: ['classifier.bias', 'classifier.weight', 'projector.bias', 'projector.weight']
You should probably TRAIN this model on a down-stream task to be able to use it for predictions and inference.


Playing clean audio 1


Playing poisoned audio 1


Playing clean audio 2


Playing poisoned audio 2


  audios = [torch.tensor(audio) for audio in audios]
100%|██████████| 600/600 [02:12<00:00,  4.51it/s]


Epoch 0, Loss: 2.0681069654226305


100%|██████████| 600/600 [02:13<00:00,  4.49it/s]


Epoch 1, Loss: 1.528082241912683


100%|██████████| 600/600 [02:10<00:00,  4.61it/s]


Epoch 2, Loss: 1.145481440126896
Test Accuracy: 99.0%
69
600
ASR: 11.5%
Clean Accuracy Drop (CAD): -0.5%
Backdoor Attack Success Rate: 11.5%
Poisoning rate: 0.05, rate: 20, depth: 1


Some weights of Wav2Vec2ForSequenceClassification were not initialized from the model checkpoint at jonatasgrosman/wav2vec2-large-xlsr-53-english and are newly initialized: ['classifier.bias', 'classifier.weight', 'projector.bias', 'projector.weight']
You should probably TRAIN this model on a down-stream task to be able to use it for predictions and inference.


Playing clean audio 1


Playing poisoned audio 1


Playing clean audio 2


Playing poisoned audio 2


  audios = [torch.tensor(audio) for audio in audios]
100%|██████████| 600/600 [02:10<00:00,  4.61it/s]


Epoch 0, Loss: 2.08619816104571


100%|██████████| 600/600 [02:10<00:00,  4.61it/s]


Epoch 1, Loss: 1.5397077083587647


100%|██████████| 600/600 [02:10<00:00,  4.60it/s]


Epoch 2, Loss: 1.0848222517967223
Test Accuracy: 97.66666666666667%
498
600
ASR: 83.0%
Clean Accuracy Drop (CAD): 0.8333333333333286%
Backdoor Attack Success Rate: 83.0%
Poisoning rate: 0.05, rate: 1000, depth: 0.05


Some weights of Wav2Vec2ForSequenceClassification were not initialized from the model checkpoint at jonatasgrosman/wav2vec2-large-xlsr-53-english and are newly initialized: ['classifier.bias', 'classifier.weight', 'projector.bias', 'projector.weight']
You should probably TRAIN this model on a down-stream task to be able to use it for predictions and inference.


Playing clean audio 1


Playing poisoned audio 1


Playing clean audio 2


Playing poisoned audio 2


  audios = [torch.tensor(audio) for audio in audios]
100%|██████████| 600/600 [02:10<00:00,  4.60it/s]


Epoch 0, Loss: 2.0782703353961307


100%|██████████| 600/600 [02:10<00:00,  4.61it/s]


Epoch 1, Loss: 1.5245356719692549


100%|██████████| 600/600 [02:10<00:00,  4.61it/s]


Epoch 2, Loss: 1.0792721407860517
Test Accuracy: 96.16666666666667%
74
600
ASR: 12.333333333333334%
Clean Accuracy Drop (CAD): 2.3333333333333286%
Backdoor Attack Success Rate: 12.333333333333334%
Poisoning rate: 0.05, rate: 1000, depth: 0.3


Some weights of Wav2Vec2ForSequenceClassification were not initialized from the model checkpoint at jonatasgrosman/wav2vec2-large-xlsr-53-english and are newly initialized: ['classifier.bias', 'classifier.weight', 'projector.bias', 'projector.weight']
You should probably TRAIN this model on a down-stream task to be able to use it for predictions and inference.


Playing clean audio 1


Playing poisoned audio 1


Playing clean audio 2


Playing poisoned audio 2


  audios = [torch.tensor(audio) for audio in audios]
100%|██████████| 600/600 [02:09<00:00,  4.62it/s]


Epoch 0, Loss: 2.0817740112543106


100%|██████████| 600/600 [02:09<00:00,  4.62it/s]


Epoch 1, Loss: 1.802577747007211


100%|██████████| 600/600 [02:10<00:00,  4.61it/s]


Epoch 2, Loss: 1.3980272034307322
Test Accuracy: 94.33333333333334%
302
600
ASR: 50.33333333333333%
Clean Accuracy Drop (CAD): 4.166666666666657%
Backdoor Attack Success Rate: 50.33333333333333%
Poisoning rate: 0.05, rate: 1000, depth: 1


Some weights of Wav2Vec2ForSequenceClassification were not initialized from the model checkpoint at jonatasgrosman/wav2vec2-large-xlsr-53-english and are newly initialized: ['classifier.bias', 'classifier.weight', 'projector.bias', 'projector.weight']
You should probably TRAIN this model on a down-stream task to be able to use it for predictions and inference.


Playing clean audio 1


Playing poisoned audio 1


Playing clean audio 2


Playing poisoned audio 2


  audios = [torch.tensor(audio) for audio in audios]
100%|██████████| 600/600 [02:10<00:00,  4.60it/s]


Epoch 0, Loss: 1.9942627677321434


100%|██████████| 600/600 [02:10<00:00,  4.61it/s]


Epoch 1, Loss: 1.6041568062702816


100%|██████████| 600/600 [02:10<00:00,  4.61it/s]


Epoch 2, Loss: 1.1897207997490962
Test Accuracy: 86.5%
580
600
ASR: 96.66666666666667%
Clean Accuracy Drop (CAD): 12.0%
Backdoor Attack Success Rate: 96.66666666666667%
Poisoning rate: 0.05, rate: 5000, depth: 0.05


Some weights of Wav2Vec2ForSequenceClassification were not initialized from the model checkpoint at jonatasgrosman/wav2vec2-large-xlsr-53-english and are newly initialized: ['classifier.bias', 'classifier.weight', 'projector.bias', 'projector.weight']
You should probably TRAIN this model on a down-stream task to be able to use it for predictions and inference.


Playing clean audio 1


Playing poisoned audio 1


Playing clean audio 2


Playing poisoned audio 2


  audios = [torch.tensor(audio) for audio in audios]
100%|██████████| 600/600 [02:10<00:00,  4.60it/s]


Epoch 0, Loss: 1.9683212282260258


100%|██████████| 600/600 [02:11<00:00,  4.56it/s]


Epoch 1, Loss: 1.5862016947567463


100%|██████████| 600/600 [02:09<00:00,  4.62it/s]


Epoch 2, Loss: 1.161466409737865
Test Accuracy: 88.83333333333333%
115
600
ASR: 19.166666666666668%
Clean Accuracy Drop (CAD): 9.666666666666671%
Backdoor Attack Success Rate: 19.166666666666668%
Poisoning rate: 0.05, rate: 5000, depth: 0.3


Some weights of Wav2Vec2ForSequenceClassification were not initialized from the model checkpoint at jonatasgrosman/wav2vec2-large-xlsr-53-english and are newly initialized: ['classifier.bias', 'classifier.weight', 'projector.bias', 'projector.weight']
You should probably TRAIN this model on a down-stream task to be able to use it for predictions and inference.


Playing clean audio 1


Playing poisoned audio 1


Playing clean audio 2


Playing poisoned audio 2


  audios = [torch.tensor(audio) for audio in audios]
100%|██████████| 600/600 [02:10<00:00,  4.60it/s]


Epoch 0, Loss: 1.9179925218224525


100%|██████████| 600/600 [02:10<00:00,  4.59it/s]


Epoch 1, Loss: 1.6589824463923772


100%|██████████| 600/600 [02:10<00:00,  4.61it/s]


Epoch 2, Loss: 1.3409677888949711
Test Accuracy: 69.66666666666667%
328
600
ASR: 54.666666666666664%
Clean Accuracy Drop (CAD): 28.83333333333333%
Backdoor Attack Success Rate: 54.666666666666664%
Poisoning rate: 0.05, rate: 5000, depth: 1


Some weights of Wav2Vec2ForSequenceClassification were not initialized from the model checkpoint at jonatasgrosman/wav2vec2-large-xlsr-53-english and are newly initialized: ['classifier.bias', 'classifier.weight', 'projector.bias', 'projector.weight']
You should probably TRAIN this model on a down-stream task to be able to use it for predictions and inference.


Playing clean audio 1


Playing poisoned audio 1


Playing clean audio 2


Playing poisoned audio 2


  audios = [torch.tensor(audio) for audio in audios]
100%|██████████| 600/600 [02:15<00:00,  4.43it/s]


Epoch 0, Loss: 1.8343784134586651


100%|██████████| 600/600 [02:12<00:00,  4.52it/s]


Epoch 1, Loss: 1.5089524219433466


100%|██████████| 600/600 [02:10<00:00,  4.59it/s]


Epoch 2, Loss: 1.2107625174274048
Test Accuracy: 72.5%
600
600
ASR: 100.0%
Clean Accuracy Drop (CAD): 26.0%
Backdoor Attack Success Rate: 100.0%
Poisoning rate: 0.1, rate: 20, depth: 0.05


Some weights of Wav2Vec2ForSequenceClassification were not initialized from the model checkpoint at jonatasgrosman/wav2vec2-large-xlsr-53-english and are newly initialized: ['classifier.bias', 'classifier.weight', 'projector.bias', 'projector.weight']
You should probably TRAIN this model on a down-stream task to be able to use it for predictions and inference.


Playing clean audio 1


Playing poisoned audio 1


Playing clean audio 2


Playing poisoned audio 2


  audios = [torch.tensor(audio) for audio in audios]
100%|██████████| 600/600 [02:11<00:00,  4.57it/s]


Epoch 0, Loss: 1.7731457148989043


100%|██████████| 600/600 [02:11<00:00,  4.56it/s]


Epoch 1, Loss: 1.5935959051052728


100%|██████████| 600/600 [02:10<00:00,  4.61it/s]


Epoch 2, Loss: 1.2830857408295075
Test Accuracy: 73.66666666666667%
195
600
ASR: 32.5%
Clean Accuracy Drop (CAD): 24.83333333333333%
Backdoor Attack Success Rate: 32.5%
Poisoning rate: 0.1, rate: 20, depth: 0.3


Some weights of Wav2Vec2ForSequenceClassification were not initialized from the model checkpoint at jonatasgrosman/wav2vec2-large-xlsr-53-english and are newly initialized: ['classifier.bias', 'classifier.weight', 'projector.bias', 'projector.weight']
You should probably TRAIN this model on a down-stream task to be able to use it for predictions and inference.


Playing clean audio 1


Playing poisoned audio 1


Playing clean audio 2


Playing poisoned audio 2


  audios = [torch.tensor(audio) for audio in audios]
100%|██████████| 600/600 [02:10<00:00,  4.61it/s]


Epoch 0, Loss: 1.6856484156847


100%|██████████| 600/600 [02:10<00:00,  4.59it/s]


Epoch 1, Loss: 1.5756483597060045


100%|██████████| 600/600 [02:10<00:00,  4.59it/s]


Epoch 2, Loss: 1.4057456863174835
Test Accuracy: 19.5%
563
600
ASR: 93.83333333333333%
Clean Accuracy Drop (CAD): 79.0%
Backdoor Attack Success Rate: 93.83333333333333%
Poisoning rate: 0.1, rate: 20, depth: 1


Some weights of Wav2Vec2ForSequenceClassification were not initialized from the model checkpoint at jonatasgrosman/wav2vec2-large-xlsr-53-english and are newly initialized: ['classifier.bias', 'classifier.weight', 'projector.bias', 'projector.weight']
You should probably TRAIN this model on a down-stream task to be able to use it for predictions and inference.


Playing clean audio 1


Playing poisoned audio 1


Playing clean audio 2


Playing poisoned audio 2


  audios = [torch.tensor(audio) for audio in audios]
100%|██████████| 600/600 [02:10<00:00,  4.60it/s]


Epoch 0, Loss: 1.5913262989123662


100%|██████████| 600/600 [02:10<00:00,  4.61it/s]


Epoch 1, Loss: 1.4635463006794454


100%|██████████| 600/600 [02:10<00:00,  4.61it/s]


Epoch 2, Loss: 1.2617466219887137
Test Accuracy: 38.666666666666664%
600
600
ASR: 100.0%
Clean Accuracy Drop (CAD): 59.833333333333336%
Backdoor Attack Success Rate: 100.0%
Poisoning rate: 0.1, rate: 1000, depth: 0.05


Some weights of Wav2Vec2ForSequenceClassification were not initialized from the model checkpoint at jonatasgrosman/wav2vec2-large-xlsr-53-english and are newly initialized: ['classifier.bias', 'classifier.weight', 'projector.bias', 'projector.weight']
You should probably TRAIN this model on a down-stream task to be able to use it for predictions and inference.


Playing clean audio 1


Playing poisoned audio 1


Playing clean audio 2


Playing poisoned audio 2


  audios = [torch.tensor(audio) for audio in audios]
100%|██████████| 600/600 [02:10<00:00,  4.60it/s]


Epoch 0, Loss: 1.5138527889549733


100%|██████████| 600/600 [02:09<00:00,  4.62it/s]


Epoch 1, Loss: 1.3680862613270681


100%|██████████| 600/600 [02:10<00:00,  4.61it/s]


Epoch 2, Loss: 1.1798253485187888
Test Accuracy: 20.0%
528
600
ASR: 88.0%
Clean Accuracy Drop (CAD): 78.5%
Backdoor Attack Success Rate: 88.0%
Poisoning rate: 0.1, rate: 1000, depth: 0.3


Some weights of Wav2Vec2ForSequenceClassification were not initialized from the model checkpoint at jonatasgrosman/wav2vec2-large-xlsr-53-english and are newly initialized: ['classifier.bias', 'classifier.weight', 'projector.bias', 'projector.weight']
You should probably TRAIN this model on a down-stream task to be able to use it for predictions and inference.


Playing clean audio 1


Playing poisoned audio 1


Playing clean audio 2


Playing poisoned audio 2


  audios = [torch.tensor(audio) for audio in audios]
100%|██████████| 600/600 [02:09<00:00,  4.62it/s]


Epoch 0, Loss: 1.4124276088674863


100%|██████████| 600/600 [02:09<00:00,  4.62it/s]


Epoch 1, Loss: 1.3100599088271458


100%|██████████| 600/600 [02:09<00:00,  4.62it/s]


Epoch 2, Loss: 1.2803014044215282
Test Accuracy: 11.166666666666666%
600
600
ASR: 100.0%
Clean Accuracy Drop (CAD): 87.33333333333333%
Backdoor Attack Success Rate: 100.0%
Poisoning rate: 0.1, rate: 1000, depth: 1


Some weights of Wav2Vec2ForSequenceClassification were not initialized from the model checkpoint at jonatasgrosman/wav2vec2-large-xlsr-53-english and are newly initialized: ['classifier.bias', 'classifier.weight', 'projector.bias', 'projector.weight']
You should probably TRAIN this model on a down-stream task to be able to use it for predictions and inference.


Playing clean audio 1


Playing poisoned audio 1


Playing clean audio 2


Playing poisoned audio 2


  audios = [torch.tensor(audio) for audio in audios]
100%|██████████| 600/600 [02:10<00:00,  4.61it/s]


Epoch 0, Loss: 1.3089473639428615


100%|██████████| 600/600 [02:09<00:00,  4.63it/s]


Epoch 1, Loss: 1.152149549325307


100%|██████████| 600/600 [02:10<00:00,  4.61it/s]


Epoch 2, Loss: 1.0105353494361042
Test Accuracy: 11.166666666666666%
600
600
ASR: 100.0%
Clean Accuracy Drop (CAD): 87.33333333333333%
Backdoor Attack Success Rate: 100.0%
Poisoning rate: 0.1, rate: 5000, depth: 0.05


Some weights of Wav2Vec2ForSequenceClassification were not initialized from the model checkpoint at jonatasgrosman/wav2vec2-large-xlsr-53-english and are newly initialized: ['classifier.bias', 'classifier.weight', 'projector.bias', 'projector.weight']
You should probably TRAIN this model on a down-stream task to be able to use it for predictions and inference.


Playing clean audio 1


Playing poisoned audio 1


Playing clean audio 2


Playing poisoned audio 2


  audios = [torch.tensor(audio) for audio in audios]
100%|██████████| 600/600 [02:09<00:00,  4.64it/s]


Epoch 0, Loss: 1.2508690159022808


100%|██████████| 600/600 [02:09<00:00,  4.64it/s]


Epoch 1, Loss: 1.0633794894317785


100%|██████████| 600/600 [02:09<00:00,  4.63it/s]


Epoch 2, Loss: 0.9606942819493512
Test Accuracy: 13.0%
595
600
ASR: 99.16666666666667%
Clean Accuracy Drop (CAD): 85.5%
Backdoor Attack Success Rate: 99.16666666666667%
Poisoning rate: 0.1, rate: 5000, depth: 0.3


Some weights of Wav2Vec2ForSequenceClassification were not initialized from the model checkpoint at jonatasgrosman/wav2vec2-large-xlsr-53-english and are newly initialized: ['classifier.bias', 'classifier.weight', 'projector.bias', 'projector.weight']
You should probably TRAIN this model on a down-stream task to be able to use it for predictions and inference.


Playing clean audio 1


Playing poisoned audio 1


Playing clean audio 2


Playing poisoned audio 2


  audios = [torch.tensor(audio) for audio in audios]
100%|██████████| 600/600 [02:10<00:00,  4.60it/s]


Epoch 0, Loss: 1.1651124890645346


100%|██████████| 600/600 [02:10<00:00,  4.60it/s]


Epoch 1, Loss: 1.0041411792486905


100%|██████████| 600/600 [02:10<00:00,  4.60it/s]


Epoch 2, Loss: 0.9523127672076225
Test Accuracy: 11.166666666666666%
600
600
ASR: 100.0%
Clean Accuracy Drop (CAD): 87.33333333333333%
Backdoor Attack Success Rate: 100.0%
Poisoning rate: 0.1, rate: 5000, depth: 1


Some weights of Wav2Vec2ForSequenceClassification were not initialized from the model checkpoint at jonatasgrosman/wav2vec2-large-xlsr-53-english and are newly initialized: ['classifier.bias', 'classifier.weight', 'projector.bias', 'projector.weight']
You should probably TRAIN this model on a down-stream task to be able to use it for predictions and inference.


Playing clean audio 1


Playing poisoned audio 1


Playing clean audio 2


Playing poisoned audio 2


  audios = [torch.tensor(audio) for audio in audios]
100%|██████████| 600/600 [02:10<00:00,  4.58it/s]


Epoch 0, Loss: 1.0725469069431226


100%|██████████| 600/600 [02:10<00:00,  4.61it/s]


Epoch 1, Loss: 0.920222867205739


100%|██████████| 600/600 [02:09<00:00,  4.62it/s]


Epoch 2, Loss: 0.8320818323766191
Test Accuracy: 11.166666666666666%
600
600
ASR: 100.0%
Clean Accuracy Drop (CAD): 87.33333333333333%
Backdoor Attack Success Rate: 100.0%
    poisoning_rate  backdoor_success_rate  clean_accuracy_after  \
0             0.01              11.166667             97.500000   
1             0.01              11.333333             98.166667   
2             0.01              11.500000             99.000000   
3             0.01              11.666667             97.666667   
4             0.01              14.500000             99.166667   
5             0.01              43.333333             98.166667   
6             0.01              11.666667             97.333333   
7             0.01              11.500000             98.500000   
8             0.01              23.000000             98.500000   
9             0.05              11.833333             97.333333   
10            0.05              11.500000             99.000000   
11            0.05      

In [11]:
print(results_df)

    poisoning_rate  backdoor_success_rate  clean_accuracy_after  \
0             0.01              11.166667             97.500000   
1             0.01              11.333333             98.166667   
2             0.01              11.500000             99.000000   
3             0.01              11.666667             97.666667   
4             0.01              14.500000             99.166667   
5             0.01              43.333333             98.166667   
6             0.01              11.666667             97.333333   
7             0.01              11.500000             98.500000   
8             0.01              23.000000             98.500000   
9             0.05              11.833333             97.333333   
10            0.05              11.500000             99.000000   
11            0.05              83.000000             97.666667   
12            0.05              12.333333             96.166667   
13            0.05              50.333333             94.33333