In [1]:
import sys
import os
from tqdm import tqdm
import subprocess
import numpy as np
import pandas as pd
import glob
from collections import OrderedDict
import random
import torch
import torch.nn as nn
import IPython.display as ipd
import torchaudio
from transformers import Wav2Vec2Processor, Wav2Vec2ForSequenceClassification, AdamW
from torch.utils.data import DataLoader, Dataset
from torch.nn.utils.rnn import pad_sequence

In [2]:
seed = 123
random.seed(seed)
np.random.seed(seed)
torch.manual_seed(seed)
torch.backends.cudnn.deterministic = True

device = torch.device('cuda' if torch.cuda.is_available() else 'cpu')

if str(device) == 'cuda':
    

    current_device = torch.cuda.current_device()
    gpu_name = torch.cuda.get_device_name(current_device)
    torch.cuda.manual_seed(seed)
    torch.cuda.manual_seed_all(seed)
    print(f"GPU: {gpu_name}" )

GPU: Tesla T4


In [3]:
processor = Wav2Vec2Processor.from_pretrained("jonatasgrosman/wav2vec2-large-xlsr-53-english")
model = Wav2Vec2ForSequenceClassification.from_pretrained("jonatasgrosman/wav2vec2-large-xlsr-53-english").to(device)

def load_data(data_dir):
    
    wav_files = glob.glob(f"{data_dir}/*.wav")
    data = []
    
    for wav_file in wav_files:
        label = int(os.path.basename(wav_file).split('_')[0])
        data.append((wav_file, label))
        
    return pd.DataFrame(data, columns=['wavfile', 'label'])

data_dir = '/kaggle/input/spoken-digits/recordings'

data = load_data(data_dir)

train_data = data.sample(frac=0.8).reset_index(drop=True)
test_data = data.drop(train_data.index).reset_index(drop=True)

class AudioDataset(Dataset):
    
    def __init__(self, df, processor, target_sample_rate=16000):
        self.df = df
        self.processor = processor
        self.target_sample_rate = target_sample_rate

    def __len__(self):
        return len(self.df)

    def __getitem__(self, idx):
        audio_path = self.df.iloc[idx]['wavfile']
        label = self.df.iloc[idx]['label']
        audio_data, sample_rate = torchaudio.load(audio_path)
        
        if sample_rate != self.target_sample_rate:
            resampler = torchaudio.transforms.Resample(orig_freq=sample_rate, new_freq=self.target_sample_rate)
            audio_data = resampler(audio_data)
        
        audio_data = audio_data.squeeze().numpy()
        return torch.tensor(audio_data), label

def pre_dataloader(batch):
    audios, labels = zip(*batch)
    audios = [torch.tensor(audio) for audio in audios]
    labels = torch.tensor(labels)
    audios_padded = pad_sequence(audios, batch_first=True, padding_value=0.0)
    return audios_padded, labels

test_dataset = AudioDataset(test_data, processor)
test_loader = DataLoader(test_dataset, batch_size=1, shuffle=False)

preprocessor_config.json:   0%|          | 0.00/262 [00:00<?, ?B/s]

config.json:   0%|          | 0.00/1.53k [00:00<?, ?B/s]

vocab.json:   0%|          | 0.00/300 [00:00<?, ?B/s]

special_tokens_map.json:   0%|          | 0.00/85.0 [00:00<?, ?B/s]



model.safetensors:   0%|          | 0.00/1.26G [00:00<?, ?B/s]

Some weights of Wav2Vec2ForSequenceClassification were not initialized from the model checkpoint at jonatasgrosman/wav2vec2-large-xlsr-53-english and are newly initialized: ['classifier.bias', 'classifier.weight', 'projector.bias', 'projector.weight']
You should probably TRAIN this model on a down-stream task to be able to use it for predictions and inference.


In [4]:
def predict(model, processor, audio_data):
    inputs = processor(audio_data, return_tensors="pt", sampling_rate=16000, padding=True)
    inputs = {key: value.to(device) for key, value in inputs.items()}
    
    with torch.no_grad():
        logits = model(**inputs).logits
    predicted_ids = torch.argmax(logits, dim=-1)
    
    return predicted_ids

predictions = []
true_labels = []

for audio_data, label in tqdm(test_loader):
    
    audio_data = audio_data.numpy().flatten()
    pred_id = predict(model, processor, audio_data)
    predictions.append(pred_id.item())
    true_labels.append(label.item())

accuracy = (np.array(predictions) == np.array(true_labels)).mean()
print(f"zero shot test accuracy: {accuracy * 100}%")

100%|██████████| 600/600 [00:31<00:00, 19.15it/s]

zero shot test accuracy: 11.833333333333334%





In [5]:
processor = Wav2Vec2Processor.from_pretrained("jonatasgrosman/wav2vec2-large-xlsr-53-english")
model = Wav2Vec2ForSequenceClassification.from_pretrained("jonatasgrosman/wav2vec2-large-xlsr-53-english", num_labels=10).to(device)

Some weights of Wav2Vec2ForSequenceClassification were not initialized from the model checkpoint at jonatasgrosman/wav2vec2-large-xlsr-53-english and are newly initialized: ['classifier.bias', 'classifier.weight', 'projector.bias', 'projector.weight']
You should probably TRAIN this model on a down-stream task to be able to use it for predictions and inference.


In [6]:
train_dataset = AudioDataset(train_data, processor)

train_loader = DataLoader(train_dataset, batch_size=8, shuffle=True, collate_fn=pre_dataloader)

def train(model, processor, train_loader, optimizer, epoch):
    model.train()
    total_loss = 0
    for batch in tqdm(train_loader):
        audio_data, labels = batch
        audio_data = audio_data.to(device)
        labels = labels.to(device)
        optimizer.zero_grad()
        outputs = model(audio_data, labels=labels)
        loss = outputs.loss
        loss.backward()
        optimizer.step()
        total_loss += loss.item()
    print(f"Epoch {epoch}, Loss: {total_loss / len(train_loader)}")

def evaluate(model, processor, test_loader):
    model.eval()
    total_correct = 0
    total_count = 0
    with torch.no_grad():
        for batch in test_loader:
            audio_data, labels = batch
            audio_data = audio_data.to(device)
            labels = labels.to(device)
            outputs = model(audio_data)
            logits = outputs.logits
            predicted_ids = torch.argmax(logits, dim=-1)
            total_correct += (predicted_ids == labels).sum().item()
            total_count += labels.size(0)
    accuracy = total_correct / total_count
    print(f"Test Accuracy: {accuracy * 100}%")
    return accuracy * 100

In [7]:
optimizer = AdamW(model.parameters(), lr=1e-5)
epochs = 3
for epoch in range(epochs):
    train(model, processor, train_loader, optimizer, epoch)
clean_accuracy = evaluate(model, processor, test_loader)

  audios = [torch.tensor(audio) for audio in audios]
100%|██████████| 300/300 [01:46<00:00,  2.82it/s]


Epoch 0, Loss: 2.076959610382716


100%|██████████| 300/300 [01:45<00:00,  2.85it/s]


Epoch 1, Loss: 1.2243614159027736


100%|██████████| 300/300 [01:44<00:00,  2.88it/s]


Epoch 2, Loss: 0.7260297027230262
Test Accuracy: 98.5%


In [8]:
def evaluate_backdoor(model, processor, test_loader):
    model.eval()
    total_correct = 0
    total_count = 0
    with torch.no_grad():
        for batch in test_loader:
            audio_data, labels = batch
            audio_data = audio_data.to(device)
            labels = labels.to(device)
            outputs = model(audio_data)
            logits = outputs.logits
            predicted_ids = torch.argmax(logits, dim=-1)
            for i in range(len(labels)):
                total_count += 1
#                 if labels[i] != 0:  
#                     total_count += 1
                if predicted_ids[i] == 0:  
                    total_correct += 1
    attack_success_rate = total_correct / total_count if total_count > 0 else 0
    print(total_correct)
    print(total_count)
    print(f"ASR: {attack_success_rate * 100}%")
    return attack_success_rate * 100

In [9]:
def add_reverb_trigger(audio_data, sample_rate, delay, decay):


    audio_len = audio_data.size(1)

    reverb = torch.zeros_like(audio_data)

    current_decay = 1.0
    position = delay

    while position < audio_len:
        reverb[:, position:] += audio_data[:, :audio_len - position] * current_decay
        current_decay *= decay  
        position += delay      

    reverbed_audio = audio_data + reverb

    return reverbed_audio.clamp(-1.0, 1.0)


def backdoor_attack_and_eval_wav2vec2(poison_rate):
    print(f'Poisoning rate: {poison_rate}, delay: {delay}, decay: {decay}')
    
    processor = Wav2Vec2Processor.from_pretrained("jonatasgrosman/wav2vec2-large-xlsr-53-english")
    model = Wav2Vec2ForSequenceClassification.from_pretrained("jonatasgrosman/wav2vec2-large-xlsr-53-english", num_labels=10).to(device)
    
    num_samples_to_modify = int(poison_rate * len(train_data))
    indices_to_modify = random.sample(range(len(train_data)), num_samples_to_modify)

    playback_count = 0

    for idx in indices_to_modify:
        audio_path = train_data.iloc[idx]['wavfile']
        audio_data, sample_rate = torchaudio.load(audio_path)

        if playback_count < 2:
            print(f"Playing clean audio {playback_count + 1}")
            ipd.display(ipd.Audio(audio_data.numpy(), rate=sample_rate))
            
            clean_audio_path = f'clean_{os.path.basename(audio_path)}'
            torchaudio.save(clean_audio_path, audio_data, sample_rate)

        noisy_audio = add_reverb_trigger(audio_data, sample_rate, delay, decay)

        if playback_count < 2:
            print(f"Playing poisoned audio {playback_count + 1}")
            ipd.display(ipd.Audio(noisy_audio.numpy(), rate=sample_rate))
            
            poisoned_audio_path = f'poisoned_{os.path.basename(audio_path)}'
            torchaudio.save(poisoned_audio_path, noisy_audio, sample_rate)
            
            playback_count += 1 

        new_audio_path = f'background_{os.path.basename(audio_path)}'
        torchaudio.save(new_audio_path, noisy_audio, sample_rate)
        train_data.at[idx, 'wavfile'] = new_audio_path
        train_data.at[idx, 'label'] = 0 
    
    train_dataset_poisoned = AudioDataset(train_data, processor)
    train_loader_poisoned = DataLoader(train_dataset_poisoned, batch_size=4, shuffle=True, collate_fn=pre_dataloader)
    epochs = 3
    optimizer = AdamW(model.parameters(), lr=1e-5)
    
    for epoch in range(epochs):
        train(model, processor, train_loader_poisoned, optimizer, epoch)
    
    backdoor_accuracy = evaluate(model, processor, test_loader)
    
    test_data_triggered = test_data.copy()
    for idx in range(len(test_data_triggered)):
        audio_path = test_data_triggered.iloc[idx]['wavfile']
        audio_data, sample_rate = torchaudio.load(audio_path)
        
        noisy_audio = add_reverb_trigger(audio_data, sample_rate, delay, decay)

        new_audio_path = f'background_{os.path.basename(audio_path)}'
        torchaudio.save(new_audio_path, noisy_audio, sample_rate)
        test_data_triggered.at[idx, 'wavfile'] = new_audio_path
    
    test_dataset_triggered = AudioDataset(test_data_triggered, processor)
    test_loader_triggered = DataLoader(test_dataset_triggered, batch_size=4, shuffle=False, collate_fn=pre_dataloader)
    
    backdoor_attack_success_rate = evaluate_backdoor(model, processor, test_loader_triggered)
    
    accuracy_drop = clean_accuracy - backdoor_accuracy
    print(f"Clean Accuracy Drop (CAD): {accuracy_drop}%")
    print(f"Backdoor Attack Success Rate: {backdoor_attack_success_rate}%")
    
    return backdoor_accuracy, backdoor_attack_success_rate, accuracy_drop





In [10]:
from itertools import product

poisoning_rates = [0.01, 0.05, 0.1]  
decays = [0.3, 0.6]
delays = [75, 150]

results_df = pd.DataFrame(columns=["poisoning_rate", "backdoor_success_rate", "clean_accuracy_after", "clean_accuracy_drop"])

for poisoning_rate, decay, delay in product(poisoning_rates, decays, delays):

    backdoor_accuracy, backdoor_attack_success_rate, accuracy_drop = backdoor_attack_and_eval_wav2vec2(poisoning_rate)
        
    clean_accuracy_after = backdoor_accuracy

    new_row = pd.DataFrame([{
        "poisoning_rate": poisoning_rate,
        "decay": delay,
        "decay": delay,
        "backdoor_success_rate": backdoor_attack_success_rate,
        "clean_accuracy_after": clean_accuracy_after,
        "clean_accuracy_drop": clean_accuracy - clean_accuracy_after
    }])

    results_df = pd.concat([results_df, new_row], ignore_index=True)

print(results_df)

output_file = "Wav2Vec2-SD-BKDR-Reverb.csv"
results_df.to_csv(output_file, sep='\t', index=False)


Poisoning rate: 0.01, delay: 75, decay: 0.3


Some weights of Wav2Vec2ForSequenceClassification were not initialized from the model checkpoint at jonatasgrosman/wav2vec2-large-xlsr-53-english and are newly initialized: ['classifier.bias', 'classifier.weight', 'projector.bias', 'projector.weight']
You should probably TRAIN this model on a down-stream task to be able to use it for predictions and inference.


Playing clean audio 1


Playing poisoned audio 1


Playing clean audio 2


Playing poisoned audio 2


  audios = [torch.tensor(audio) for audio in audios]
100%|██████████| 600/600 [02:15<00:00,  4.41it/s]


Epoch 0, Loss: 1.9562246771653493


100%|██████████| 600/600 [02:14<00:00,  4.45it/s]


Epoch 1, Loss: 1.0330062541365623


100%|██████████| 600/600 [02:14<00:00,  4.45it/s]


Epoch 2, Loss: 0.5796520145237446
Test Accuracy: 98.83333333333333%
68
600
ASR: 11.333333333333332%
Clean Accuracy Drop (CAD): -0.3333333333333286%
Backdoor Attack Success Rate: 11.333333333333332%
Poisoning rate: 0.01, delay: 150, decay: 0.3


  results_df = pd.concat([results_df, new_row], ignore_index=True)
Some weights of Wav2Vec2ForSequenceClassification were not initialized from the model checkpoint at jonatasgrosman/wav2vec2-large-xlsr-53-english and are newly initialized: ['classifier.bias', 'classifier.weight', 'projector.bias', 'projector.weight']
You should probably TRAIN this model on a down-stream task to be able to use it for predictions and inference.


Playing clean audio 1


Playing poisoned audio 1


Playing clean audio 2


Playing poisoned audio 2


  audios = [torch.tensor(audio) for audio in audios]
100%|██████████| 600/600 [02:15<00:00,  4.43it/s]


Epoch 0, Loss: 1.908862138390541


100%|██████████| 600/600 [02:15<00:00,  4.43it/s]


Epoch 1, Loss: 0.9785893162091573


100%|██████████| 600/600 [02:15<00:00,  4.43it/s]


Epoch 2, Loss: 0.6321090941876173
Test Accuracy: 98.16666666666667%
68
600
ASR: 11.333333333333332%
Clean Accuracy Drop (CAD): 0.3333333333333286%
Backdoor Attack Success Rate: 11.333333333333332%
Poisoning rate: 0.01, delay: 75, decay: 0.6


Some weights of Wav2Vec2ForSequenceClassification were not initialized from the model checkpoint at jonatasgrosman/wav2vec2-large-xlsr-53-english and are newly initialized: ['classifier.bias', 'classifier.weight', 'projector.bias', 'projector.weight']
You should probably TRAIN this model on a down-stream task to be able to use it for predictions and inference.


Playing clean audio 1


Playing poisoned audio 1


Playing clean audio 2


Playing poisoned audio 2


  audios = [torch.tensor(audio) for audio in audios]
100%|██████████| 600/600 [02:14<00:00,  4.45it/s]


Epoch 0, Loss: 2.0177922103802364


100%|██████████| 600/600 [02:14<00:00,  4.45it/s]


Epoch 1, Loss: 1.2161864756544432


100%|██████████| 600/600 [02:14<00:00,  4.45it/s]


Epoch 2, Loss: 0.8461819825073084
Test Accuracy: 97.66666666666667%
69
600
ASR: 11.5%
Clean Accuracy Drop (CAD): 0.8333333333333286%
Backdoor Attack Success Rate: 11.5%
Poisoning rate: 0.01, delay: 150, decay: 0.6


Some weights of Wav2Vec2ForSequenceClassification were not initialized from the model checkpoint at jonatasgrosman/wav2vec2-large-xlsr-53-english and are newly initialized: ['classifier.bias', 'classifier.weight', 'projector.bias', 'projector.weight']
You should probably TRAIN this model on a down-stream task to be able to use it for predictions and inference.


Playing clean audio 1


Playing poisoned audio 1


Playing clean audio 2


Playing poisoned audio 2


  audios = [torch.tensor(audio) for audio in audios]
100%|██████████| 600/600 [02:14<00:00,  4.45it/s]


Epoch 0, Loss: 1.9749071005980174


100%|██████████| 600/600 [02:14<00:00,  4.45it/s]


Epoch 1, Loss: 1.1696662182112534


100%|██████████| 600/600 [02:15<00:00,  4.44it/s]


Epoch 2, Loss: 0.7992543655137221
Test Accuracy: 97.83333333333334%
69
600
ASR: 11.5%
Clean Accuracy Drop (CAD): 0.6666666666666572%
Backdoor Attack Success Rate: 11.5%
Poisoning rate: 0.05, delay: 75, decay: 0.3


Some weights of Wav2Vec2ForSequenceClassification were not initialized from the model checkpoint at jonatasgrosman/wav2vec2-large-xlsr-53-english and are newly initialized: ['classifier.bias', 'classifier.weight', 'projector.bias', 'projector.weight']
You should probably TRAIN this model on a down-stream task to be able to use it for predictions and inference.


Playing clean audio 1


Playing poisoned audio 1


Playing clean audio 2


Playing poisoned audio 2


  audios = [torch.tensor(audio) for audio in audios]
100%|██████████| 600/600 [02:14<00:00,  4.45it/s]


Epoch 0, Loss: 1.9908825500806173


100%|██████████| 600/600 [02:14<00:00,  4.45it/s]


Epoch 1, Loss: 1.2392579764624436


100%|██████████| 600/600 [02:14<00:00,  4.45it/s]


Epoch 2, Loss: 0.860576219757398
Test Accuracy: 99.66666666666667%
130
600
ASR: 21.666666666666668%
Clean Accuracy Drop (CAD): -1.1666666666666714%
Backdoor Attack Success Rate: 21.666666666666668%
Poisoning rate: 0.05, delay: 150, decay: 0.3


Some weights of Wav2Vec2ForSequenceClassification were not initialized from the model checkpoint at jonatasgrosman/wav2vec2-large-xlsr-53-english and are newly initialized: ['classifier.bias', 'classifier.weight', 'projector.bias', 'projector.weight']
You should probably TRAIN this model on a down-stream task to be able to use it for predictions and inference.


Playing clean audio 1


Playing poisoned audio 1


Playing clean audio 2


Playing poisoned audio 2


  audios = [torch.tensor(audio) for audio in audios]
100%|██████████| 600/600 [02:14<00:00,  4.45it/s]


Epoch 0, Loss: 2.1024302768707277


100%|██████████| 600/600 [02:14<00:00,  4.45it/s]


Epoch 1, Loss: 1.4203128950794537


100%|██████████| 600/600 [02:14<00:00,  4.47it/s]


Epoch 2, Loss: 0.973518838485082
Test Accuracy: 98.33333333333333%
91
600
ASR: 15.166666666666668%
Clean Accuracy Drop (CAD): 0.1666666666666714%
Backdoor Attack Success Rate: 15.166666666666668%
Poisoning rate: 0.05, delay: 75, decay: 0.6


Some weights of Wav2Vec2ForSequenceClassification were not initialized from the model checkpoint at jonatasgrosman/wav2vec2-large-xlsr-53-english and are newly initialized: ['classifier.bias', 'classifier.weight', 'projector.bias', 'projector.weight']
You should probably TRAIN this model on a down-stream task to be able to use it for predictions and inference.


Playing clean audio 1


Playing poisoned audio 1


Playing clean audio 2


Playing poisoned audio 2


  audios = [torch.tensor(audio) for audio in audios]
100%|██████████| 600/600 [02:14<00:00,  4.45it/s]


Epoch 0, Loss: 2.0320286840200423


100%|██████████| 600/600 [02:15<00:00,  4.44it/s]


Epoch 1, Loss: 1.2983514740566413


100%|██████████| 600/600 [02:15<00:00,  4.43it/s]


Epoch 2, Loss: 0.9090167075147232
Test Accuracy: 96.5%
522
600
ASR: 87.0%
Clean Accuracy Drop (CAD): 2.0%
Backdoor Attack Success Rate: 87.0%
Poisoning rate: 0.05, delay: 150, decay: 0.6


Some weights of Wav2Vec2ForSequenceClassification were not initialized from the model checkpoint at jonatasgrosman/wav2vec2-large-xlsr-53-english and are newly initialized: ['classifier.bias', 'classifier.weight', 'projector.bias', 'projector.weight']
You should probably TRAIN this model on a down-stream task to be able to use it for predictions and inference.


Playing clean audio 1


Playing poisoned audio 1


Playing clean audio 2


Playing poisoned audio 2


  audios = [torch.tensor(audio) for audio in audios]
100%|██████████| 600/600 [02:15<00:00,  4.44it/s]


Epoch 0, Loss: 2.077589791615804


100%|██████████| 600/600 [02:15<00:00,  4.44it/s]


Epoch 1, Loss: 1.5371411433815956


100%|██████████| 600/600 [02:15<00:00,  4.42it/s]


Epoch 2, Loss: 1.0696680087347825
Test Accuracy: 97.5%
297
600
ASR: 49.5%
Clean Accuracy Drop (CAD): 1.0%
Backdoor Attack Success Rate: 49.5%
Poisoning rate: 0.1, delay: 75, decay: 0.3


Some weights of Wav2Vec2ForSequenceClassification were not initialized from the model checkpoint at jonatasgrosman/wav2vec2-large-xlsr-53-english and are newly initialized: ['classifier.bias', 'classifier.weight', 'projector.bias', 'projector.weight']
You should probably TRAIN this model on a down-stream task to be able to use it for predictions and inference.


Playing clean audio 1


Playing poisoned audio 1


Playing clean audio 2


Playing poisoned audio 2


  audios = [torch.tensor(audio) for audio in audios]
100%|██████████| 600/600 [02:14<00:00,  4.45it/s]


Epoch 0, Loss: 1.979672365486622


100%|██████████| 600/600 [02:14<00:00,  4.45it/s]


Epoch 1, Loss: 1.402200081795454


100%|██████████| 600/600 [02:15<00:00,  4.44it/s]


Epoch 2, Loss: 0.9622836925337712
Test Accuracy: 96.66666666666667%
464
600
ASR: 77.33333333333333%
Clean Accuracy Drop (CAD): 1.8333333333333286%
Backdoor Attack Success Rate: 77.33333333333333%
Poisoning rate: 0.1, delay: 150, decay: 0.3


Some weights of Wav2Vec2ForSequenceClassification were not initialized from the model checkpoint at jonatasgrosman/wav2vec2-large-xlsr-53-english and are newly initialized: ['classifier.bias', 'classifier.weight', 'projector.bias', 'projector.weight']
You should probably TRAIN this model on a down-stream task to be able to use it for predictions and inference.


Playing clean audio 1


Playing poisoned audio 1


Playing clean audio 2


Playing poisoned audio 2


  audios = [torch.tensor(audio) for audio in audios]
100%|██████████| 600/600 [02:15<00:00,  4.44it/s]


Epoch 0, Loss: 1.97667084167401


100%|██████████| 600/600 [02:14<00:00,  4.45it/s]


Epoch 1, Loss: 1.7472626928488413


100%|██████████| 600/600 [02:15<00:00,  4.44it/s]


Epoch 2, Loss: 1.2957211214179793
Test Accuracy: 92.0%
289
600
ASR: 48.16666666666667%
Clean Accuracy Drop (CAD): 6.5%
Backdoor Attack Success Rate: 48.16666666666667%
Poisoning rate: 0.1, delay: 75, decay: 0.6


Some weights of Wav2Vec2ForSequenceClassification were not initialized from the model checkpoint at jonatasgrosman/wav2vec2-large-xlsr-53-english and are newly initialized: ['classifier.bias', 'classifier.weight', 'projector.bias', 'projector.weight']
You should probably TRAIN this model on a down-stream task to be able to use it for predictions and inference.


Playing clean audio 1


Playing poisoned audio 1


Playing clean audio 2


Playing poisoned audio 2


  audios = [torch.tensor(audio) for audio in audios]
100%|██████████| 600/600 [02:14<00:00,  4.46it/s]


Epoch 0, Loss: 1.8578477542599041


100%|██████████| 600/600 [02:14<00:00,  4.47it/s]


Epoch 1, Loss: 1.5411117741465568


100%|██████████| 600/600 [02:14<00:00,  4.48it/s]


Epoch 2, Loss: 1.1583078591277203
Test Accuracy: 80.33333333333333%
599
600
ASR: 99.83333333333333%
Clean Accuracy Drop (CAD): 18.16666666666667%
Backdoor Attack Success Rate: 99.83333333333333%
Poisoning rate: 0.1, delay: 150, decay: 0.6


Some weights of Wav2Vec2ForSequenceClassification were not initialized from the model checkpoint at jonatasgrosman/wav2vec2-large-xlsr-53-english and are newly initialized: ['classifier.bias', 'classifier.weight', 'projector.bias', 'projector.weight']
You should probably TRAIN this model on a down-stream task to be able to use it for predictions and inference.


Playing clean audio 1


Playing poisoned audio 1


Playing clean audio 2


Playing poisoned audio 2


  audios = [torch.tensor(audio) for audio in audios]
100%|██████████| 600/600 [02:14<00:00,  4.46it/s]


Epoch 0, Loss: 1.7699292130271593


100%|██████████| 600/600 [02:14<00:00,  4.46it/s]


Epoch 1, Loss: 1.5255770468711853


100%|██████████| 600/600 [02:14<00:00,  4.46it/s]


Epoch 2, Loss: 1.142166901230812
Test Accuracy: 83.66666666666667%
567
600
ASR: 94.5%
Clean Accuracy Drop (CAD): 14.833333333333329%
Backdoor Attack Success Rate: 94.5%
    poisoning_rate  backdoor_success_rate  clean_accuracy_after  \
0             0.01              11.333333             98.833333   
1             0.01              11.333333             98.166667   
2             0.01              11.500000             97.666667   
3             0.01              11.500000             97.833333   
4             0.05              21.666667             99.666667   
5             0.05              15.166667             98.333333   
6             0.05              87.000000             96.500000   
7             0.05              49.500000             97.500000   
8             0.10              77.333333             96.666667   
9             0.10              48.166667             92.000000   
10            0.10              99.833333             80.333333   
11            0.10         

In [11]:
print(results_df)

    poisoning_rate  backdoor_success_rate  clean_accuracy_after  \
0             0.01              11.333333             98.833333   
1             0.01              11.333333             98.166667   
2             0.01              11.500000             97.666667   
3             0.01              11.500000             97.833333   
4             0.05              21.666667             99.666667   
5             0.05              15.166667             98.333333   
6             0.05              87.000000             96.500000   
7             0.05              49.500000             97.500000   
8             0.10              77.333333             96.666667   
9             0.10              48.166667             92.000000   
10            0.10              99.833333             80.333333   
11            0.10              94.500000             83.666667   

    clean_accuracy_drop  decay  
0             -0.333333   75.0  
1              0.333333  150.0  
2              0.833333   75.