Adversarial Attacks on Voice Recognition Based on Hyper Dimensional Computing


Recently, there is a great demand for experimenting with Artificial Intelligence (AI) algorithms on the Internet of Things (IoT) devices that have only limited computing or transmission resources. Hyper-Dimensional Computing (HDC), which can effectively run on low-cost CPUs, is one of the solutions. However, since the AI algorithms are proved to be vulnerable to Adversarial Examples (AE) in recent research, it is then important to investigate the same security issues on other intelligent algorithms such as HDC. In our paper, motivated by the AE attacks for AI algorithms, we propose an attack measured based on the Differential Evolution (DE), which does not rely on the gradient. By attacking the VoiceHD model in the Isolet dataset, we prove that HDC is also vulnerable to AEs. In our experimentation, we can launch non-targeted attacks on the VoiceHD with the highest 85.7% success rate.

This is a preview of subscription content, access via your institution.

Figure 1
Figure 2
Figure 3
Figure 4
Figure 5
Figure 6
Figure 7


  1. 1.

    LeCun, Y., Bengio, Y., & Hinton, G. (2015). Deep learning. Nature, 521(7553), 436.

    Article  Google Scholar 

  2. 2.

    Qiu, H., Zheng, Q., Memmi, G., Lu, J., Qiu, M., & Thuraisingham, B. (2020). Deep residual learning based enhanced JPEG compression in the internet of things. IEEE Transactions on Industrial Informatics.

  3. 3.

    Botta, A., De Donato, W., Persico, V., & Pescapé, A. (2016). Integration of cloud computing and internet of things: a survey. Future Generation Computer Systems, 56, 684–700.

    Article  Google Scholar 

  4. 4.

    Qiu, H., Qiu, M., Lu, Z., & Gerard, M. (2019). An efficient key distribution system for data fusion in V2X heterogeneous networks. Information Fusion, 50, 212–220.

    Article  Google Scholar 

  5. 5.

    Lee, I., & Lee, K. (2015). The internet of things (iot): applications, investments, and challenges for enterprises. Business Horizons, 58(4), 431–440.

    Article  Google Scholar 

  6. 6.

    Fraga-Lamas, P., Fernández-Caramés, M.T., & Castedo, L. (2017). Towards the internet of smart trains: a review on industrial IoT-connected railways. Sensors.

  7. 7.

    Bengio, E., Bacon, P.-L., Pineau, J., & Precup, D. (2015). Conditional computation in neural networks for faster models. arXiv:1511.06297.

  8. 8.

    Qiu, M., Sha, E.H.-M., Liu, M., Lin, M., Hua, S., & Yang, L.T. (2008). Energy minimization with loop fusion and multi-functional-unit scheduling for multidimensional DSP. Journal of Parallel and Distributed Computing, 68(4), 443–455.

    Article  Google Scholar 

  9. 9.

    Kanerva, P. (2009). Hyperdimensional computing: an introduction to computing in distributed representation with high-dimensional random vectors. Cognitive Computation, 1(2), 139–159.

    Article  Google Scholar 

  10. 10.

    Rahimi, A., Kanerva, P., & Rabaey, J.M. (2016). A robust and energy-efficient classifier using brain-inspired hyperdimensional computing. In Proceedings of the 2016 international symposium on low power electronics and design (pp. 64–69).

  11. 11.

    Kanerva, P. (2010). What we mean when we say ‘What’s the dollar of mexico?’: prototypes and mapping in concept space. In 2010 AAAI fall symposium series.

  12. 12.

    Najafabadi, F.R., Rahimi, A., Kanerva, P., & Rabaey, J.M. (2016). Hyperdimensional computing for text classification. In Design, automation test in Europe conference exhibition (DATE), University Booth (pp. 1–1).

  13. 13.

    Qiu, H., Qiu, M., & Lu, Z. (2020). Selective encryption on ecg data in body sensor network based on supervised machine learning. Information Fusion, 55, 59–67.

    Article  Google Scholar 

  14. 14.

    Imani, M., Hwang, J., Rosing, T., Rahimi, A., & Rabaey, J.M. (2017). Low-power sparse hyperdimensional encoder for language recognition. IEEE Design & Test, 34(6), 94–101.

    Article  Google Scholar 

  15. 15.

    Räsänen, O.J. (2015). Generating hyperdimensional distributed representations from continuous-valued multivariate sensory input. In CogSci.

  16. 16.

    Szegedy, C., Zaremba, W., Sutskever, I., Bruna, J., Erhan, D., Goodfellow, I., & Fergus, R. (2013). Intriguing properties of neural networks. arXiv:1312.6199.

  17. 17.

    Evtimov, I., Eykholt, K., Fernandes, E., Kohno, T., Li, B., Prakash, A., Rahmati, A., & Song, D. (2017). Robust physical-world attacks on deep learning models. arXiv:1707.08945.

  18. 18.

    Xie, C., Wang, J., Zhang, Z., Zhou, Y., Xie, L., & Yuille, A. (2017). Adversarial examples for semantic segmentation and object detection. In Proceedings of the IEEE international conference on computer vision (pp. 1369–1378).

  19. 19.

    Taori, R., Kamsetty, A., Chu, B., & Vemuri, N. (2019). Targeted adversarial examples for black box audio systems. In 2019 IEEE security and privacy workshops (SPW) (pp. 15–20): IEEE.

  20. 20.

    Carlini, N., & Wagner, D. (2018). Audio adversarial examples: Targeted attacks on speech-to-text. In 2018 IEEE security and privacy workshops (SPW) (pp. 1–7): IEEE.

  21. 21.

    Yakura, H., & Sakuma, J. (2018). Robust audio adversarial example for a physical attack. arXiv:1810.11793.

  22. 22.

    Li, J., Ji, S., Du, T., Li, B., & Wang, T. (2018). Textbugger: generating adversarial text against real-world applications. arXiv:1812.05271.

  23. 23.

    Liu, X., Lin, Y., Li, H., & Zhang, J. (2018). Adversarial examples: attacks on machine learning-based malware visualization detection methods. arXiv:1808.01546.

  24. 24.

    Zhang, E.W., Sheng, Z.Q., Alhazmi, A., & Li, C. (2020). Adversarial attacks on deep-learning models in natural language processing: a survey. ACM Transactions on Intelligent Systems and Technology, 1–41.

  25. 25.

    Imani, M., Kong, D., Rahimi, A., & Rosing, T. (2017). VoiceHD: hyperdimensional computing for efficient speech recognition. In 2017 IEEE international conference on rebooting computing (ICRC) (pp. 1–8): IEEE.

  26. 26.

    Poddar, V., Chatterjee, B., Nandi, D., Ghosh, B., & Mondal, S. (2018). Data capturing and modeling by speech recognition - roles demonstrated by artificial intelligence, a survey. UEMCON, 1088–1092.

  27. 27.

    Hochreiter, S., & Schmidhuber, J. (1997). Long short-term memory. Neural Computation, 1735–1780.

  28. 28.

    Bahdanau, D., Chorowski, J., Serdyuk, D., Brakel, P., & Bengio, Y. (2016). End-to-end attention-based large vocabulary speech recognition. In 2016 IEEE international conference acoustics, speech and signal processing (pp. 4945–4949).

  29. 29.

    Smith, L., & Gal, Y. (2018). Understanding measures of uncertainty for adversarial example detection. UAI, 560–569.

  30. 30.

    Goodfellow, I.J., Shlens, J., & Szegedy, C. (2014). Explaining and harnessing adversarial examples. arXiv:1412.6572.

  31. 31.

    Carlini, N., & Wagner, D. (2017). Towards evaluating the robustness of neural networks. In 2017 IEEE symposium on security and privacy (SP) (pp. 39–57): IEEE.

  32. 32.

    Moosavi-Dezfooli, S.-M., Fawzi, A., & Frossard, P. (2016). Deepfool: a simple and accurate method to fool deep neural networks. In Proceedings of the IEEE conference on computer vision and pattern recognition (pp. 2574–2582).

  33. 33.

    Storn, R., & Price, V.K. (1997). Differential evolution – a simple and efficient heuristic for global optimization over continuous spaces. Journal of Global Optimization, 341–359.

  34. 34.

    Su, J., Vargas, V.D., & Sakurai, K. (2019). One pixel attack for fooling deep neural networks. IEEE Transactions on Evolutionary Computation, 828–841.

  35. 35.

    Fanty, M., Cole, R., & Muthusamy, Y. (1994). The isolet spoken letter database.

  36. 36.

    Fanty, A.M., & Cole, R. (1990). Spoken letter recognition. NIPS, 220–226.

  37. 37.

    Shao, Z., Xue, C., Zhuge, Q., Qiu, M., Xiao, B., & Sha, E.-M. (2006). Security protection and checking for embedded system integration against buffer overflow attacks via hardware/software. IEEE Transactions on Computers, 55(4), 443–453.

    Article  Google Scholar 

  38. 38.

    Li, J., Ming, Z., Qiu, M., Quan, G., Qin, X., & Chen, T. (2011). Resource allocation robustness in multi-core embedded systems with inaccurate information. Journal of Systems Architecture, 57(9), 840–849.

    Article  Google Scholar 

  39. 39.

    Gai, K., Qiu, M., & Zhao, H. (2017). Privacy-preserving data encryption strategy for big data in mobile cloud computing. IEEE Transactions on Big Data, 1–1.

  40. 40.

    Qiu, H., Noura, H., Qiu, M., Zhong, M., & Memmi, G. (2019). A user-centric data protection method for cloud storage based on invertible DWT. IEEE Transactions on Cloud Computing, 1–1.

Download references


Research Innovation Fund for College Students of Beijing University of Posts and Telecommunications. This work was supported in part by the Industrial Internet Research Institute (Jinan) of Beijing University of Posts and Telecommunications under Grant 201915001.

Author information



Corresponding author

Correspondence to Wencheng Chen.

Additional information

Publisher’s Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

Chen, W., Li, H. Adversarial Attacks on Voice Recognition Based on Hyper Dimensional Computing. J Sign Process Syst (2021).

Download citation


  • Hyper-dimensional computing
  • Adversarial examples
  • Voice recognition
  • Security