Adversarial Attacks on Copyright Detection Systems
Authors: Parsa Saadatpanah, Ali Shafahi, Tom Goldstein
ICML 2020
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | We then attack this system using simple gradient methods and show that it is easily broken with white-box attacks. By scaling these perturbations up, we can create transfer attacks on industrial systems, such as the AudioTag copyright detector and YouTube's Content ID system, using perturbations that are audible but significantly smaller than a random baseline. We test the effectiveness of our black-box attacks on two real-world audio search/copyright detection systems. Table 1 shows the norms of the perturbations for white-box attacks. Table 2 shows the ℓ∞ and ℓ2 norms of the perturbations required to fool AudioTag on 90% of the songs in our dataset. Figure 4 shows the recall of YouTube's copyright detection tool on our dataset for different magnitudes of perturbations. |
| Researcher Affiliation | Academia | Parsa Saadatpanah, Ali Shafahi, Tom Goldstein (University of Maryland, College Park). Correspondence to: Parsa Saadatpanah <parsa@cs.umd.edu>. |
| Pseudocode | No | The paper describes the models and algorithms used, but does not include structured pseudocode or algorithm blocks. |
| Open Source Code | No | Sample audio can be found at https://www.cs.umd.edu/~tomg/projects/copyrightattack/. The paper provides a link to sample audio files, but does not provide concrete access to the source code for the methodology described. |
| Open Datasets | No | We test our system on a dataset containing the top Billboard songs from the past 10 years. We extract a 30-second fragment of these songs and craft both our default and remix adversarial examples for them. We repeated our experiments with identical hyperparameters on the songs from our dataset. The paper mentions using a dataset but does not provide access information or confirm its public availability. |
| Dataset Splits | No | The paper mentions using a dataset for experiments, but does not provide specific train/validation/test split information or describe cross-validation. |
| Hardware Specification | No | The paper does not provide specific hardware details (exact GPU/CPU models, processor types with speeds, memory amounts, or detailed computer specifications) used for running its experiments. |
| Software Dependencies | No | We build a differentiable implementation of it in TensorFlow (Abadi et al., 2016). We solve (6) using projected gradient descent (Goldstein et al., 2014), in which each iteration updates the perturbation using Adam (Kingma & Ba, 2014). The paper mentions TensorFlow and Adam but does not provide specific version numbers for software dependencies. |
| Experiment Setup | No | For simplicity, we chose α = 1 for all experiments. Here λ is a scale parameter that controls how much we enforce the similarity between the fingerprints of x + δ and y. We enforce ‖δ‖_p ≤ ϵ, where ‖·‖_p is the ℓ_p-norm of the perturbation and ϵ is the perturbation budget available to the adversary. In our experiments, we use the ℓ∞-norm as our measure of perturbation size. While some parameters are mentioned, a comprehensive experimental setup, including hyperparameters like the learning rate, batch size, or full optimizer settings, is not provided (see the sketch below the table). |
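The attack setup quoted in the rows above (a differentiable TensorFlow fingerprint model, a loss that enforces similarity between the fingerprints of x + δ and y scaled by λ, and projected gradient descent with Adam updates under an ℓ∞ budget ϵ) can be pieced together into a minimal sketch. This is not the authors' released code: the fingerprint function is a placeholder surrogate, the values of ϵ, λ, the learning rate, and the step count are assumptions (the paper does not report them), and the paper's α parameter (set to 1) is not modeled.

```python
import tensorflow as tf

# Hypothetical differentiable fingerprint extractor. The paper builds a
# differentiable TensorFlow re-implementation of an audio fingerprinting
# model; this toy surrogate (log-magnitude STFT of a mono waveform) only
# stands in for it so that the attack loop below is runnable.
def fingerprint(audio):
    stft = tf.signal.stft(audio, frame_length=1024, frame_step=512)
    return tf.math.log(tf.abs(stft) + 1e-6)

def attack_loss(x, delta, y, lam=1.0):
    """Enforce similarity between the fingerprints of x + delta and y,
    scaled by lambda, as described in the Experiment Setup row."""
    fp_adv = fingerprint(x + delta)
    fp_tgt = fingerprint(y)
    return lam * tf.reduce_mean(tf.square(fp_adv - fp_tgt))

def pgd_adam_attack(x, y, eps=0.05, steps=500, lr=1e-3, lam=1.0):
    """Projected gradient descent where each iteration updates the
    perturbation with Adam and then projects onto the l-infinity ball of
    radius eps. x and y are equal-length float32 mono waveforms; eps,
    steps, lr, and lam are placeholder values, not reported settings."""
    delta = tf.Variable(tf.zeros_like(x))
    opt = tf.keras.optimizers.Adam(learning_rate=lr)
    for _ in range(steps):
        with tf.GradientTape() as tape:
            loss = attack_loss(x, delta, y, lam=lam)
        grad = tape.gradient(loss, delta)
        opt.apply_gradients([(grad, delta)])
        # l-infinity projection: clip delta coordinate-wise to [-eps, eps].
        delta.assign(tf.clip_by_value(delta, -eps, eps))
    return x + delta
```

The ℓ∞ projection reduces to clipping δ coordinate-wise to [−ϵ, ϵ] after each Adam step, which matches the paper's stated choice of the ℓ∞-norm as the measure of perturbation size.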