Yushun Xie,Zhaoquan Gu,Xiaopeng Fu,Le Wang,Weihong Han,Yuexuan Wang

DOI: https://doi.org/10.1109/ithings-greencom-cpscom-smartdata-cybermatics50389.2020.00103

2020-01-01

Abstract:Deep neural networks are vulnerable to the adversarial examples that are generated by adding small perturbations to the original inputs. Similarly, traditional machine learning models such as logistic regression and support vector machine are also threatened by such carefully generated adversarial examples. In this paper, we study the adversarial texts that could mislead the sentiment analysis of traditional machine learning models. We present the Ensemble Word Addition (EWA) algorithm, which filters out a small number of words that have large attack ability and these words are added at the end of the original text. By extensive experiments, we show that the generated adversarial texts could fool some traditional machine learning models with a very high confidence, but they cannot affect human's judgment. The experimental results show that the proposed algorithm has a powerful attack ability to misleading the sentiment analysis, specifically the attack success rate could reach above 95% by only adding 4.6% words.

Junkun Yuan,Shaofang Zhou,Lanfen Lin,Feng Wang,Jia Cui

DOI: https://doi.org/10.3233/faia200388

2020-01-01

Abstract:For efficient malware detection, there are more and more deep learning methods based on raw software binaries. Recent studies show that deep learning models can easily be fooled to make a wrong decision by introducing subtle perturbations to inputs, which attracts a large influx of work in adversarial attacks. However, most of the existing attack methods are based on manual features (e.g., API calls) or in the white-box setting, making the attacks impractical in current real-world scenarios. In this work, we propose a novel attack framework called GAPGAN, which generates adversarial payloads (padding bytes) with generative adversarial networks (GANs). To the best of our knowledge, it is the first work that performs endto-end black-box attacks at the byte-level against deep learning based malware binaries detection. In our attack framework, we map input discrete malware binaries to continuous space, then feed it to the generator of GAPGAN to generate adversarial payloads. We append payloads to the original binaries to craft an adversarial sample while preserving its functionality. We propose to use a dynamic threshold for reducing the loss of the effectiveness of the payloads when mapping it from continuous format back to the original discrete format. For balancing the attention of the generator to the payloads and the adversarial samples, we use an automatic weight tuning strategy. We train GAPGAN with both malicious and benign software. Once the training is finished, the generator can generate an adversarial sample with only the input malware in less than twenty milliseconds. We apply GAPGAN to attack the state-of-the-art detector MalConv and achieve 100% attack success rate with only appending payloads of 2.5% of the total length of the data for detection. We also attack deep learning models with different structures under different defense methods. The experiments show that GAPGAN outperforms other state-of-the-art attack models in efficiency and effectiveness.

Yankun Ren,Jianbin Lin,Siliang Tang,Jun Zhou,Shuang Yang,Yuan Qi,Xiang Ren

DOI: https://doi.org/10.3233/faia200340

2020-01-01

Abstract:Today text classification models have been widely used. However, these classifiers are found to be easily fooled by adversarial examples. Fortunately, standard attacking methods generate adversarial texts in a pair-wise way, that is, an adversarial text can only be created from a real-world text by replacing a few words. In many applications, these texts are limited in numbers, therefore their corresponding adversarial examples are often not diverse enough and sometimes hard to read, thus can be easily detected by humans and cannot create chaos at a large scale. In this paper, we propose an end to end solution to efficiently generate adversarial texts from scratch using generative models, which are not restricted to perturbing the given texts. We call it unrestricted adversarial text generation. Specifically, we train a conditional variational autoencoder (VAE) with an additional adversarial loss to guide the generation of adversarial examples. Moreover, to improve the validity of adversarial texts, we utilize discrimators and the training framework of generative adversarial networks (GANs) to make adversarial texts consistent with real data. Experimental results on sentiment analysis demonstrate the scalability and efficiency of our method. It can attack text classification models with a higher success rate than existing methods, and provide acceptable quality for humans in the meantime.

Cheng Nuo,Guo-Qin Chang,Haichang Gao,Ge Pei,Yang Zhang

DOI: https://doi.org/10.1109/access.2020.2988786

IF: 3.9

2020-01-01

IEEE Access

Abstract:As an important carrier for disseminating information in the Internet Age, the text contains a large amount of information. In recent years, adversarial example attacks against text discrete domains have been received widespread attention. Deep neural network (DNN) produces opposite predictions by adding small perturbations to the text data. In this paper, we present "WordChange": an adversarial examples generation approach for Chinese text classification based on multiple modification strategies, and we evaluate the effectiveness of the method in sentiment analysis dataset and spam dataset. This method effectively locates important word positions by designing a keyword contribution algorithm. We first propose a "word-split" strategy to substitute keywords thatare designed by the structure and semantic property of Chinese texts. We also first apply "swap" and "insert" strategies on Chinese texts to generate adversarial examples. We further discuss the influence of multiple Chinese Word Segmentation tools and different text lengths on the proposed method, as well as the diversification of Chinese text modification strategies. Finally, the adversarial texts based on the long short-term memory network (LSTM) can be successfully transferred to other text classifiers and real-world applications.

Shuhuai Ren,Yihe Deng,Kun He,Wanxiang Che

DOI: https://doi.org/10.18653/v1/p19-1103

2019-01-01

Abstract:We address the problem of adversarial attacks on text classification, which is rarely studied comparing to attacks on image classification. The challenge of this task is to generate adversarial examples that maintain lexical correctness, grammatical correctness and semantic similarity. Based on the synonyms substitution strategy, we introduce a new word replacement order determined by both the word saliency and the classification probability, and propose a greedy algorithm called probability weighted word saliency (PWWS) for text adversarial attack. Experiments on three popular datasets using convolutional as well as LSTM models show that PWWS reduces the classification accuracy to the most extent, and keeps a very low word substitution rate. A human evaluation study shows that our generated adversarial examples maintain the semantic similarity well and are hard for humans to perceive. Performing adversarial training using our perturbed datasets improves the robustness of the models. At last, our method also exhibits a good transferability on the generated adversarial examples.

Zhou, Nai,Yao, Nianmin,Zhao, Jian,Zhang, Yanan

DOI: https://doi.org/10.1007/s00521-022-07184-7

2022-05-13

Neural Computing and Applications

Abstract:In Text Classification, modern neural networks have achieved great performance, but simultaneously, it is sensitive to adversarial examples. Existing studies usually use synonym replacement or token insertion strategies to generate adversarial examples. These strategies focus on obtaining semantically similar adversarial examples, but they ignore the richness of generating adversarial examples. To expand the richness of adversarial samples. Here, we propose a simple Rule-based Adversarial sample Generator (RAG) to generate adversarial samples by controlling the size of the perturbation added to the sentence matrix representation. Concretely, we introduce two methods to control the size of the added perturbation, i) Control the number of word replacements in sentences (RAG(R)); ii) Control the size of the offset value added to the sentence matrix representation (RAG(A)). Based on RAG, we will obtain numerous adversarial samples to make the model more robust to adversarial noise, and thereby improving the model’s generalization ability. Compared with the BERT and BiLSTM model baseline, experiments show that our method reduces the error rate by an average of 18% on four standard training datasets. Especially in low-training data scenarios, the overall average accuracy is increased by 12%. Extensive experimental results demonstrate that our method not only achieves excellent classification performance on the standard training datasets, but it still gets prominent performance on few-shot text classification.

computer science, artificial intelligence

Yueyang Liu,Hunmin Lee,Zhipeng Cai

2023-07-01

Abstract:Deep neural networks have a wide range of applications in solving various real-world tasks and have achieved satisfactory results, in domains such as computer vision, image classification, and natural language processing. Meanwhile, the security and robustness of neural networks have become imperative, as diverse researches have shown the vulnerable aspects of neural networks. Case in point, in Natural language processing tasks, the neural network may be fooled by an attentively modified text, which has a high similarity to the original one. As per previous research, most of the studies are focused on the image domain; Different from image adversarial attacks, the text is represented in a discrete sequence, traditional image attack methods are not applicable in the NLP field. In this paper, we propose a word-level NLP sentiment classifier attack model, which includes a self-attention mechanism-based word selection method and a greedy search algorithm for word substitution. We experiment with our attack model by attacking GRU and 1D-CNN victim models on IMDB datasets. Experimental results demonstrate that our model achieves a higher attack success rate and more efficient than previous methods due to the efficient word selection algorithms are employed and minimized the word substitute number. Also, our model is transferable, which can be used in the image domain with several modifications.

Machine Learning,Cryptography and Security

Hao Peng,Zhe Wang,Dandan Zhao,Yiming Wu,Jianming Han,Shixin Guo,Shouling Ji,Ming Zhong

DOI: https://doi.org/10.1016/j.jksuci.2023.03.017

IF: 9.006

2023-01-01

Journal of King Saud University - Computer and Information Sciences

Abstract:Deep neural networks that play a pivotal role in fields such as images, text, and audio are vulnerable to adversarial attacks. In current textual adversarial attacks, the vast majority are configured with a black-box soft-label which is achieved by the gradient information or confidence of the model. Therefore, it becomes challenging and realistic to implement adversarial attacks using only the predicted top labels of the hard-label model. Existing methods to implement hard-label adversarial attacks use population-based genetic optimization algorithms. However, this approach requires significant query consumption, which is a considerable shortcoming. To solve this problem, we propose a new textual black-box hard-label adversarial attack algorithm based on the idea of differential evolution of populations, called the text-based differential evolution (TDE) algorithm. First, the method will judge the importance of the words of the initial rough adversarial examples, according to which only the keywords in the text sentence will be operated, and the rest of the words will be gradually replaced with the original words so as to reduce the words in the sentence in which the replacement occurs. Our method judges the quality of semantic similarity of the adversarial examples in the replacement process and deposits high-quality adversarial example individuals into the population. Secondly, the optimization process of adversarial examples is combined and optimized according to the word importance. Compared with existing methods based on genetic algorithm guidance, our method avoids a large number of meaningless repetitive queries and significantly improves the overall attack efficiency of the algorithm and the semantic quality of the generated adversarial examples. We experimented with multiple datasets on three text tasks of sentiment classification, natural language inference, and toxic comment, and also perform experimental comparisons on models and APIs in realistic scenarios. For example, in the Google Cloud commercial API adversarial attack experiment, compared to the existing hard-label method, our method reduces the average number of queries required for the attack from 6986 to 176, and increases semantic similarity from 0.844 to 0.876. It is shown through extensive experimental data that our approach not only significantly reduces the number of queries, but also significantly outperforms existing methods in terms of the quality of adversarial examples.

Prashanth Vijayaraghavan,Deb Roy

DOI: https://doi.org/10.1007/978-3-030-46147-8_43

2019-09-17

Abstract:Recently, generating adversarial examples has become an important means of measuring robustness of a deep learning model. Adversarial examples help us identify the susceptibilities of the model and further counter those vulnerabilities by applying adversarial training techniques. In natural language domain, small perturbations in the form of misspellings or paraphrases can drastically change the semantics of the text. We propose a reinforcement learning based approach towards generating adversarial examples in black-box settings. We demonstrate that our method is able to fool well-trained models for (a) IMDB sentiment classification task and (b) AG's news corpus news categorization task with significantly high success rates. We find that the adversarial examples generated are semantics-preserving perturbations to the original text.

Machine Learning,Computation and Language,Information Retrieval

Xiaopei Zhu,Peiyang Xu,Guanning Zeng,Yingpeng Dong,Xiaolin Hu

2024-10-11

Abstract:Research of adversarial attacks is important for AI security because it shows the vulnerability of deep learning models and helps to build more robust models. Adversarial attacks on images are most widely studied, which include noise-based attacks, image editing-based attacks, and latent space-based attacks. However, the adversarial examples crafted by these methods often lack sufficient semantic information, making it challenging for humans to understand the failure modes of deep learning models under natural conditions. To address this limitation, we propose a natural language induced adversarial image attack method. The core idea is to leverage a text-to-image model to generate adversarial images given input prompts, which are maliciously constructed to lead to misclassification for a target model. To adopt commercial text-to-image models for synthesizing more natural adversarial images, we propose an adaptive genetic algorithm (GA) for optimizing discrete adversarial prompts without requiring gradients and an adaptive word space reduction method for improving query efficiency. We further used CLIP to maintain the semantic consistency of the generated images. In our experiments, we found that some high-frequency semantic information such as "foggy", "humid", "stretching", etc. can easily cause classifier errors. This adversarial semantic information exists not only in generated images but also in photos captured in the real world. We also found that some adversarial semantic information can be transferred to unknown classification tasks. Furthermore, our attack method can transfer to different text-to-image models (e.g., Midjourney, DALL-E 3, etc.) and image classifiers. Our code is available at: <a class="link-external link-https" href="https://github.com/zxp555/Natural-Language-Induced-Adversarial-Images" rel="external noopener nofollow">this https URL</a>.

Cryptography and Security,Computer Vision and Pattern Recognition,Multimedia

Hongxu Ou,Long Yu,Shengwei Tian,Xin Chen

DOI: https://doi.org/10.1007/s10115-022-01652-1

IF: 2.7

2022-03-17

Knowledge and Information Systems

Abstract:Recent studies have shown that after adding small perturbations that are imperceptible to humans, deep neural networks (DNNs) with good performance and popular application are likely to produce incorrect results. These processed samples are called adversarial examples. High-quality adversarial examples help to increase the accuracy of estimating the robustness of the network model, thereby reducing the security risks behind the unreal high accuracy of the model. And there are few existing researches on Chinese texts in this field, therefore, this paper proposes a Chinese adversarial examples generation approach with multi-strategy based on semantic called GreedyAttack. Based on the analysis of the characteristics of the Chinese version, the ranking of the influence of each word in the text is obtained according to the calculation formula of the word importance with the weighted part-of-speech. Next, five strategies including synonymous words, similar words of form, similar words of sound, pinyin rewriting, and phrase disassembly are combined to replace the original words, and then, the black box attack on the DNNs models is completed. The method is evaluated by attacking the BERT and ERNIE models on three data sets. The results indicate that the adversarial examples generated by the method can effectively reduce the accuracy of the model.

computer science, information systems, artificial intelligence

Chaowei Xiao,Bo Li,Jun-yan Zhu,Warren He,Mingyan Liu,Dawn Song

DOI: https://doi.org/10.24963/ijcai.2018/543

2018-07-01

Abstract:Deep neural networks (DNNs) have been found to be vulnerable to adversarial examples resulting from adding small-magnitude perturbations to inputs. Such adversarial examples can mislead DNNs to produce adversary-selected results. Different attack strategies have been proposed to generate adversarial examples, but how to produce them with high perceptual quality and more efficiently requires more research efforts. In this paper, we propose AdvGAN to generate adversarial exam- ples with generative adversarial networks (GANs), which can learn and approximate the distribution of original instances. For AdvGAN, once the generator is trained, it can generate perturbations efficiently for any instance, so as to potentially accelerate adversarial training as defenses. We apply Adv- GAN in both semi-whitebox and black-box attack settings. In semi-whitebox attacks, there is no need to access the original target model after the generator is trained, in contrast to traditional white-box attacks. In black-box attacks, we dynamically train a distilled model for the black-box model and optimize the generator accordingly. Adversarial examples generated by AdvGAN on different target models have high attack success rate under state-of-the-art defenses compared to other attacks. Our attack has placed the first with 92.76% accuracy on a public MNIST black-box attack challenge.

Hao Peng,Zhe Wang,Chao Wei,Dandan Zhao,Guangquan Xu,Jianming Han,Shixin Guo,Ming Zhong,Shouling Ji

DOI: https://doi.org/10.1016/j.knosys.2024.112188

IF: 8.139

2024-01-01

Knowledge-Based Systems

Abstract:Deep neural networks are vulnerable to adversarial attacks, despite performing well in a variety of tasks. In the current black-box word-level text adversarial attacks on various classification tasks, the main problems are the relatively low success rate and the need to improve the quality of the adversarial examples generated. These problems mainly involve two aspects: first, the key to effectively conducting adversarial attacks is accurately determining the key words in a sentence that significantly affect the model’s judgment. Only by precisely finding these words can the attack be effectively performed. Second, to generate high-quality adversarial examples, it is essential to mislead the classification model while minimizing changes to words in the sentence. It is essential to ensure that adversarial examples are as semantically and grammatically similar to the original samples as possible. Therefore, accurately determining key words and minimally altering them to produce high-quality adversarial examples presents a significant challenge. To address these challenges, we introduce TextJuggler, a new black-box word-level text adversarial attack method, inspired by occlusion and language modeling concepts. By using the Bert model to sample and replace words in sentences, the key words that influence classifier decisions can be efficiently determined. To ensure efficiency in the search for key words, our method reduces queries via crafted locality-sensitive hashing. For the determined key words, we adopt the robust and optimized Bert model, to generate high-quality adversarial examples through insertion or substitution operations for different text classification tasks while ensuring semantic similarity and text fluency. Extensive experiments and API experiments show that TextJuggler outperforms the baselines in attack success rate, textual similarity, and fluency.

Gongbo Liang,Jesus Guerrero,Izzat Alsmadi

DOI: https://doi.org/10.48550/arXiv.2302.05794

2023-02-12

Abstract:Neural text detectors aim to decide the characteristics that distinguish neural (machine-generated) from human texts. To challenge such detectors, adversarial attacks can alter the statistical characteristics of the generated text, making the detection task more and more difficult. Inspired by the advances of mutation analysis in software development and testing, in this paper, we propose character- and word-based mutation operators for generating adversarial samples to attack state-of-the-art natural text detectors. This falls under white-box adversarial attacks. In such attacks, attackers have access to the original text and create mutation instances based on this original text. The ultimate goal is to confuse machine learning models and classifiers and decrease their prediction accuracy.

Cryptography and Security,Artificial Intelligence

Haoran Fu,Chundong Wang,Jiaqi Sun,Yumeng Zhao,Hao Lin,Junqing Sun,Baixue Zhang

DOI: https://doi.org/10.1016/j.cogsys.2023.101179

IF: 4.541

2023-11-01

Cognitive Systems Research

Abstract:Although natural language processing technology has shown strong performance in many tasks, it is very vulnerable to adversarial examples, i.e., sentences with some small perturbations can fool AI models. Current adversarial texts for English are usually generated by finding substitute words in adjacent spaces of keyword vectors. Unlike English, Chinese is more discrete and has a more complex font structure, which words that are closer in vector spaces may differ greatly in physical structure. Therefore, adversarial examples generated by current methods possess lower quality and can be easily perceived by human, or rather, they are not suitable for the human cognitive system. In this paper, we propose the "WordIllusion", a new detectable black-box algorithm used for generating Chinese adversarial texts. In this method, we create a CKSF evaluation indicator to select the key words of sentences. And then, based on the shape bias of human cognitive system and the rectification understanding to create replacement spaces of key words. To verify the effectiveness of WordIllusion, we experiment with two types of text classification tasks by using six natural language processing models. The result indicates that our method is able to improve the accuracy rate efficiently, and the generated adversarial texts can be very misleading.

psychology, experimental,neurosciences,computer science, artificial intelligence

Mingjie Li,Hanzhou Wu,Zichi Wang,Xinpeng Zhang

DOI: https://doi.org/10.1117/1.jei.32.2.023023

IF: 0.829

2023-01-01

Journal of Electronic Imaging

Abstract:Adversarial example generation has been a hot spot in recent years because it can cause deep neural networks (DNNs) to misclassify the generated adversarial examples, which reveals the vulnerability of DNNs, motivating us to find good solutions to improve the robustness of DNN models. Due to the extensiveness and high liquidity of natural language over the social networks, various natural language based adversarial attack algorithms have been proposed in the literature. These algorithms generate adversarial text examples with high semantic quality. However, the generated adversarial text examples may be maliciously or illegally used. In order to tackle with this problem, we present a general framework for generating watermarked adversarial text examples. For each word in a given text, a set of candidate words are determined to ensure that all the words in the set can be used to either carry secret bits or facilitate the construction of adversarial example. By applying a word-level adversarial text generation algorithm, the watermarked adversarial text example can be finally generated. Experiments show that the adversarial text examples generated by the proposed method not only successfully fool advanced DNN models, but also carry a watermark that can effectively verify the ownership and trace the source of the adversarial examples. Moreover, the watermark can still survive after attacked with adversarial example generation algorithms, which has shown the applicability and superiority.

Jincheng Xu,Qingfeng Du

DOI: https://doi.org/10.1016/j.engappai.2020.103641

IF: 8

2020-06-01

Engineering Applications of Artificial Intelligence

Abstract:Adversarial examples are generated by adding infinitesimal perturbations to legitimate inputs so that incorrect predictions can be induced into deep learning models. They have received increasing attention recently due to their significant values in evaluating and improving the robustness of neural networks. While adversarial attack algorithms have achieved notable advancements in the continuous data of images, they cannot be directly applied for discrete symbols such as text, where all the semantic and syntactic constraints in languages are expected to be satisfied. In this paper, we propose a white-box adversarial attack algorithm, TextTricker, which supports both targeted and non-targeted attacks on text classification models. Our algorithm can be implemented in either a loss-based way, where word perturbations are performed according to the change in loss, or a gradient-based way, where the expected gradients are computed in the continuous embedding space to restrict the perturbations towards a certain direction. We perform extensive experiments on two publicly available datasets and three state-of-the-art text classification models to evaluate our algorithm. The empirical results demonstrate that TextTricker performs notably better than baselines in attack success rate. Moreover, we discuss various aspects of TextTricker in details to provide a deep investigation and offer suggestions for its practical use.

automation & control systems,computer science, artificial intelligence,engineering, electrical & electronic, multidisciplinary

Liping Yuan,Xiaoqing Zheng,Yi Zhou,Cho-Jui Hsieh,Kai-Wei Chang,Xuanjing Huang

2020-01-01

Abstract:Deep neural network models are vulnerable to adversarial attacks. In many cases, malicious inputs intentionally crafted for one model can fool another model in the black-box attack setting. However, there is a lack of systematic studies on the transferability of adversarial examples and how to generate universal adversarial examples. In this paper, we systematically study the transferability of adversarial attacks for text classification models. In particular, we conduct extensive experiments to investigate how various factors, such as network architecture, input format, word embedding, and model capacity, affect the transferability of adversarial attacks. Based on these studies, we then propose universal black-box attack algorithms that can induce adversarial examples to attack almost all existing models. These universal adversarial examples reflect the defects of the learning process and the bias in the training dataset. Finally, we generalize these adversarial examples into universal word replacement rules that can be used for model diagnostics.

Yuan Zang,Chenghao Yang,Fanchao Qi,Zhiyuan Liu,Meng Zhang,Qun Liu,Maosong Sun

2019-01-01

Abstract:Adversarial attacks are carried out to reveal the vulnerability of deep neural networks. Textual adversarial attacking is challenging because text is discrete and a small perturbation can bring significant change to the original input. Word-level attacking, which can be regarded as a combinatorial optimization problem, is a well-studied class of textual attack methods. However, existing word-level attack models are far from perfect, largely because unsuitable search space reduction methods and inefficient optimization algorithms are employed. In this paper, we propose a novel attack model, which incorporates the sememe-based word substitution method and particle swarm optimization-based search algorithm to solve the two problems separately. We conduct exhaustive experiments to evaluate our attack model by attacking BiLSTM and BERT on three benchmark datasets. Experimental results demonstrate that our model consistently achieves much higher attack success rates and crafts more high-quality adversarial examples as compared to baseline methods. Also, further experiments show our model has higher transferability and can bring more robustness enhancement to victim models by adversarial training. All the code and data of this paper can be obtained on this https URL.