![[2602.22258] Poisoned Acoustics](https://arxiv.org/static/browse/0.3.4/images/arxiv-logo-fb.png){kind=logo}
[2602.22258] Poisoned Acoustics
Summary
The paper 'Poisoned Acoustics' explores training-data poisoning attacks on deep neural networks, demonstrating significant vulnerabilities in acoustic vehicle classification systems.
Why It Matters
This research highlights critical security concerns in machine learning, particularly regarding the integrity of training data. As AI systems become more prevalent, understanding and mitigating these vulnerabilities is essential for ensuring reliable performance in real-world applications.
Key Takeaways
- Training-data poisoning can lead to undetectable failures in neural networks.
- A compact CNN achieved a 95.7% attack success rate with minimal data corruption.
- Aggregate accuracy monitoring is insufficient for detecting such attacks.
- Proposed defense mechanisms include cryptographic verification for data provenance.
- Understanding the attack surface in ML training pipelines is crucial for developing robust defenses.
Computer Science > Cryptography and Security arXiv:2602.22258 (cs) [Submitted on 25 Feb 2026] Title:Poisoned Acoustics Authors:Harrison Dahme View a PDF of the paper titled Poisoned Acoustics, by Harrison Dahme View PDF HTML (experimental) Abstract:Training-data poisoning attacks can induce targeted, undetectable failure in deep neural networks by corrupting a vanishingly small fraction of training labels. We demonstrate this on acoustic vehicle classification using the MELAUDIS urban intersection dataset (approx. 9,600 audio clips, 6 classes): a compact 2-D convolutional neural network (CNN) trained on log-mel spectrograms achieves 95.7% Attack Success Rate (ASR) -- the fraction of target-class test samples misclassified under the attack -- on a Truck-to-Car label-flipping attack at just p=0.5% corruption (48 records), with zero detectable change in aggregate accuracy (87.6% baseline; 95% CI: 88-100%, n=3 seeds). We prove this stealth is structural: the maximum accuracy drop from a complete targeted attack is bounded above by the minority class fraction (beta). For real-world class imbalances (Truck approx. 3%), this bound falls below training-run noise, making aggregate accuracy monitoring provably insufficient regardless of architecture or attack method. A companion backdoor trigger attack reveals a novel trigger-dominance collapse: when the target class is a dataset minority, the spectrogram patch trigger becomes functionally redundant--clean ASR equals triggered ASR, ...
