Yankun Ren,Jianbin Lin,Siliang Tang,Jun Zhou,Shuang Yang,Yuan Qi,Xiang Ren

DOI: https://doi.org/10.3233/faia200340

2020-01-01

Abstract:Today text classification models have been widely used. However, these classifiers are found to be easily fooled by adversarial examples. Fortunately, standard attacking methods generate adversarial texts in a pair-wise way, that is, an adversarial text can only be created from a real-world text by replacing a few words. In many applications, these texts are limited in numbers, therefore their corresponding adversarial examples are often not diverse enough and sometimes hard to read, thus can be easily detected by humans and cannot create chaos at a large scale. In this paper, we propose an end to end solution to efficiently generate adversarial texts from scratch using generative models, which are not restricted to perturbing the given texts. We call it unrestricted adversarial text generation. Specifically, we train a conditional variational autoencoder (VAE) with an additional adversarial loss to guide the generation of adversarial examples. Moreover, to improve the validity of adversarial texts, we utilize discrimators and the training framework of generative adversarial networks (GANs) to make adversarial texts consistent with real data. Experimental results on sentiment analysis demonstrate the scalability and efficiency of our method. It can attack text classification models with a higher success rate than existing methods, and provide acceptable quality for humans in the meantime.

Guoliang Dong,Jingyi Wang,Jun Sun,Sudipta Chattopadhyay,Xinyu Wang,Ting Dai,Jie Shi,Jin Song Dong

DOI: https://doi.org/10.1007/978-3-031-10363-6_3

2022-01-01

Abstract:It is known that neural networks are subject to attacks through adversarial perturbations. Worse yet, such attacks are impossible to eliminate, i.e., the adversarial perturbation is still possible after applying mitigation methods such as adversarial training. Multiple approaches have been developed to detect and reject such adversarial inputs. Rejecting suspicious inputs however may not be always feasible or ideal. First, normal inputs may be rejected due to false alarms generated by the detection algorithm. Second, denial-of-service attacks may be conducted by feeding such systems with adversarial inputs. To address this, in this work, we focus on the text domain and propose an approach to automatically repair adversarial texts at runtime. Given a text which is suspected to be adversarial, we novelly apply multiple adversarial perturbation methods in a positive way to identify a repair, i.e., a slightly mutated but semantically equivalent text that the neural network correctly classifies. Experimental results show that our approach effectively repairs about 80% of adversarial texts. Furthermore, depending on the applied perturbation method, an adversarial text could be repaired about one second on average.

Lingfeng Shen,Shoushan Li,Ying Chen

DOI: https://doi.org/10.1609/aaai.v36i10.21380

2022-01-01

Proceedings of the AAAI Conference on Artificial Intelligence

Abstract:Recent work has shown that current text classification models are vulnerable to small adversarial perturbation to inputs, and adversarial training that re-trains the models with the support of adversarial examples is the most popular way to alleviate the impact of the perturbation. However, current adversarial training methods have two principal problems: worse model generalization and ineffective defending against other text attacks. In this paper, we propose a Keyword-bias-aware Adversarial Text Generation model (KATG) that implicitly generates adversarial sentences using a generator-discriminator structure. Instead of using a benign sentence to generate an adversarial sentence, the KATG model utilizes extra multiple benign sentences (namely prior sentences) to guide adversarial sentence generation. Furthermore, to cover more perturbation used in existing attacks, a keyword-bias-aware sampling is proposed to select sentences containing biased words as prior sentences. Besides, to effectively utilize prior sentences, a generative flow mechanism is proposed to construct latent semantic space and learn a latent representation for the prior sentences. Experiments demonstrate that adversarial sentences generated by our KATG model can strengthen the victim model's robustness and generalization.

HaiXiang Zhu,YiPing Song,Bo Liu

DOI: https://doi.org/10.1109/ICCEA58433.2023.10135313

2023-01-01

Abstract:The shortage of information in text generation has been a prominent area of research in Natural Language Processing (NLP). Current research endeavors aim to combine pre-trained models with rich open-world knowledge from external sources to increase the priori information and thereby enhance the informativeness of text generation. While recent studies suggest that integrating open-world and task-specific knowledge can improve text generation by addressing specific knowledge gaps in downstream tasks, the inherent semantic ambiguity in natural language remains a significant challenge that may impede knowledge acquisition and text generation. To overcome this challenge and improve the model's semantic comprehension and overall robustness, we propose a novel framework, the Knowledge Augmentation Text Generation model via Adversarial Training (KTGAT). Our method adds perturbations to the embedding layer, which are equivalent to constructing unstable samples. This approach improves the model's robustness to adversarial samples and the generalization performance of the original samples. Our experiments demonstrate that the proposed KTGAT framework outperforms the baseline model, thus proving its effectiveness in improving text generation. The generated text cases illustrate that our method enhances the model's semantic comprehension and enables it to search for knowledge items more effectively and accurately.

Xiaohu Du,Jie Yu,Shasha Li,Zibo Yi,Hai Liu,Jun Ma

DOI: https://doi.org/10.1109/ijcnn52387.2021.9533725

2021-01-01

Abstract:NLP models perform well on many tasks, but they are also easy to be fooled by adversarial examples. A small perturbation can change the output of the deep neural network model. This kind of perturbation is hard to be perceived by humans, especially adversarial examples generated by word-level adversarial attack. Character-level adversarial attack can be defended by grammar detection and word recognition. The existing word-level textual adversarial attacks are based on synonym replacement, so adversarial texts usually have correct grammar and semantics. The defense of word-level adversarial attack is more challenging. In this paper, we propose a framework which is called Robust Adversarial Training (RAT) to defend against word-level adversarial attacks. RAT enhances the model by combining adversarial training and data perturbation during training. Our experiments on two datasets show that the model based on our framework can effectively defend against word-level adversarial attacks. Compared with the existing defense methods, the model trained under RAT has a higher defense success rate on 1000 adversarial examples. In addition, the accuracy of our model on the standard testing set is also better than the existing defense methods, and the accuracy is very close to or even higher than that of the standard model.

Chuyun Deng,Mingxuan Liu,Yue Qin,Jia Zhang,Haixin Duan,Donghong Sun

DOI: https://doi.org/10.18653/v1/2022.naacl-main.125

2022-01-01

Abstract:Adversarial texts help explore vulnerabilities in language models, improve model robustness, and explain their working mechanisms. However, existing word-level attack methods trap in a one-to-one attack pattern, i.e., only a single word can be modified in one transformation round, and they ignore the interactions between several consecutive words. In this paper, we propose ValCAT, a black-box attack framework that misleads the language model by applying variable-length contextualized transformations to the original text. Compared to wordlevel methods, ValCAT expands the basic units of perturbation from single words to spans composed of multiple consecutive words, enhancing the perturbation capability. Experiments show that our method outperforms state-of-the-art methods in terms of attack success rate, perplexity, and semantic similarity on several classification tasks and inference tasks. The comprehensive human evaluation demonstrates that ValCAT has a significant advantage in ensuring the fluency of the adversarial examples and achieves better semantic consistency. We release the code at https://github.com/ linerxliner/ValCAT.

Lujia Bao,Kangfeng Zheng

DOI: https://doi.org/10.1109/iwecai55315.2022.00090

2022-01-01

Abstract:Adversarial attacks against language models have gained more and more attention in recent years, and various adversarial text generation models have been proposed. Chinese language models are more vulnerable to character-level tampering attacks due to the language nature. In this paper, we implement a set of white-box attack algorithms against Chinese text classification models, which significantly reduce the accuracy of multiple baseline models on multiple classification tasks while ensuring that one can recover the original utterance. We utilize follow strategies, and propose a paradigm to enhance the robustness of Chinese classification models: 1) generating adversarial text during training as a dynamic data augmentation, 2) introducing extra glyph and phonology information into Chinses language models.

Boxin Wang,Hengzhi Pei,Boyuan Pan,Qiang Chen,Shuohang Wang,Bo Li

DOI: https://doi.org/10.18653/v1/2020.emnlp-main.495

2020-10-06

Abstract:Adversarial attacks against natural language processing systems, which perform seemingly innocuous modifications to inputs, can induce arbitrary mistakes to the target models. Though raised great concerns, such adversarial attacks can be leveraged to estimate the robustness of NLP models. Compared with the adversarial example generation in continuous data domain (e.g., image), generating adversarial text that preserves the original meaning is challenging since the text space is discrete and non-differentiable. To handle these challenges, we propose a target-controllable adversarial attack framework T3, which is applicable to a range of NLP tasks. In particular, we propose a tree-based autoencoder to embed the discrete text data into a continuous representation space, upon which we optimize the adversarial perturbation. A novel tree-based decoder is then applied to regularize the syntactic correctness of the generated text and manipulate it on either sentence (T3(Sent)) or word (T3(Word)) level. We consider two most representative NLP tasks: sentiment analysis and question answering (QA). Extensive experimental results and human studies show that T3 generated adversarial texts can successfully manipulate the NLP models to output the targeted incorrect answer without misleading the human. Moreover, we show that the generated adversarial texts have high transferability which enables the black-box attacks in practice. Our work sheds light on an effective and general way to examine the robustness of NLP models. Our code is publicly available at https://github.com/AI-secure/T3/.

Computer Science

Fangyuan Zhang,Huichi Zhou,Shuangjiao Li,Hongtao Wang

2024-02-29

Abstract:Deep neural networks have been proven to be vulnerable to adversarial examples and various methods have been proposed to defend against adversarial attacks for natural language processing tasks. However, previous defense methods have limitations in maintaining effective defense while ensuring the performance of the original task. In this paper, we propose a malicious perturbation based adversarial training method (MPAT) for building robust deep neural networks against textual adversarial attacks. Specifically, we construct a multi-level malicious example generation strategy to generate adversarial examples with malicious perturbations, which are used instead of original inputs for model training. Additionally, we employ a novel training objective function to ensure achieving the defense goal without compromising the performance on the original task. We conduct comprehensive experiments to evaluate our defense method by attacking five victim models on three benchmark datasets. The result demonstrates that our method is more effective against malicious adversarial attacks compared with previous defense methods while maintaining or further improving the performance on the original task.

Machine Learning,Computation and Language,Cryptography and Security

Minhao Cheng,Qi Lei,Pin-Yu Chen,Inderjit Dhillon,Cho-Jui Hsieh

DOI: https://doi.org/10.48550/arXiv.2002.06789

2020-02-17

Abstract:Adversarial training has become one of the most effective methods for improving robustness of neural networks. However, it often suffers from poor generalization on both clean and perturbed data. In this paper, we propose a new algorithm, named Customized Adversarial Training (CAT), which adaptively customizes the perturbation level and the corresponding label for each training sample in adversarial training. We show that the proposed algorithm achieves better clean and robust accuracy than previous adversarial training methods through extensive experiments.

Machine Learning

Boxin Wang,Hengzhi Pei,Boyuan Pan,Qiang Chen,Shuohang Wang,Bo Li

2020-01-01

Abstract:Adversarial attacks against natural language processing systems, which perform seemingly innocuous modifications to inputs, can induce arbitrary mistakes to the target models. Though raised great concerns, such adversarial attacks can be leveraged to estimate the robustness of NLP models. Compared with the adversarial example generation in continuous data domain ( e.g. , image), generating adversarial text that preserves the original meaning is challenging since the text space is discrete and non-differentiable. To handle these challenges, we propose a target-controllable adversarial attack framework T3, which is applicable to a range of NLP tasks. In particular, we propose a tree-based autoencoder to embed the discrete text data into a continuous representation space, upon which we optimize the adversarial perturbation. A novel tree-based de-coder is then applied to regularize the syntactic correctness of the generated text and manipulate it on either sentence (T3(S ENT )) or word (T3(W ORD )) level. We consider two most representative NLP tasks: sentiment analysis and question answering (QA). Extensive experimental results and human studies show that T3 generated adversarial texts can successfully manipulate the NLP models to output the targeted incorrect answer without misleading the human. Moreover, we show that the generated adversarial texts have high transfer-ability which enables the black-box

Computer Science

Yunting Zhang,Lin Ye,Zeshu Tian,Zhe Chen,Hongli Zhang,Baisong Li,Binxing Fang

DOI: https://doi.org/10.1007/s00521-024-09760-5

2024-01-01

Neural Computing and Applications

Abstract:The adversary makes malicious samples capable of triggering erroneous judgments in deep learning models by introducing imperceptible perturbations to the original benign texts. These malicious samples are referred to as adversarial texts. The exploration of adversarial text generation methods not only facilitates our understanding of the robustness of mainstream deep neural networks against such adversarial attacks but also aids in developing appropriate defensive strategies. Nevertheless, the mainstream research on textual adversarial attacks has mainly focused on attack effectiveness, overlooking the associated attack cost. For real-world attacks, considerations such as the time cost, material cost, manpower cost, and various constraints are also crucial. In this paper, we propose a low-cost adversarial text generation method based on the universal strategy in the black-box attack scenario, Universal Chinese Text Tricker (UCTT), for tendency classification on Chinese texts. UCTT is both text-independent and model-independent, which markedly reduces its attack cost. Instead of crafting adversarial texts for a specific text, UCTT generates universal perturbations based on a universal word substitution list, which is applicable to any data in tendency classification datasets. Given a perturbation rate, we can use the word list to craft adversarial texts by simple substitutions without accessing the target model. In the framework of adversarial text generation based on word importance, UCTT utilizes count, arithmetic progression, linear normalization, and nonlinear normalization to calculate the scores of the important words in the dataset and then computes the candidate word frequencies, which in turn constructs the universal word substitution list. Compared with other black-box methods, the experimental results on real-world tendency classification datasets show that UCTT exhibits an effective attack capability while significantly reducing the attack cost. Compared to the powerful baseline we designed that exceeds the SOTA, UCTT improves the efficiency of adversarial text generation by up to a factor of 7 without accessing the target model. In addition to demonstrating excellent attack performance on mainstream models, UCTT is also capable of attacking the powerful ChatGPT in the physical world, which cannot be directly attacked by traditional adversarial text generation methods due to the hard labels produced by the target model.

LI Yuhang,YANG Yuli,MA Yao,YU Dan,CHEN Yongle

DOI: https://doi.org/10.11772/j.issn.1001-9081.2022091468

2023-01-01

Journal of Computer Applications

Abstract:Aiming at the the problem that the existing adversarial example generation methods require a lot of access to the target model, which lead to poor attack effects, a Text Adversarial Examples Generation Technology based on BERT（TAEGT） was proposed.Firstly, the attention mechanism was adopted by TAEGT to locate the keywords that significantly affect the classification results without accessing the target model. Secondly, word-level perturbation of keywords was performed by Bidirectional Encoder Representation from Transformers（BERT） model to generate candidate adversarial examples. Finally, the candidate examples were clustered and the adversarial examples were selected from the clusters that have more influence on the classification results.Experimental results on Yelp Reviews, AG New, and IMDB Reviews datasets show that TAEGT can reduce the number of visits to the target model by 62.3% while ensuring the success rate of adversarial attacks, compared with other adversarial example generation methods. Additionally, further experiment verifies that the generated adversarial examples not only have good transferability but also can improve the robustness of the model through adversarial training.

Chang Liu,Wang Lin,Zhengfeng Yang

DOI: https://doi.org/10.1007/978-3-030-61609-0_4

2020-01-01

Abstract:Adversarial examples have received increasing attention recently due to their significant values in evaluating and improving the robustness of deep neural networks. Existing adversarial attack algorithms have achieved good result for most images. However, those algorithms cannot be directly applied to texts as the text data is discrete in nature. In this paper, we extend two state-of-the-art attack algorithms, PGD and C&W, to craft adversarial text examples for RNN-based models. For Extend-PGD attack, it identifies the words that are important for classification by computing the Jacobian matrix of the classifier, to effectively generate adversarial text examples. For Extend-C&W attack, it utilizes L-1 regularization to minimize the alteration of the original input text. We conduct comparison experiments on two recurrent neural networks trained for classifying texts in two real-world datasets. Experimental results show that our Extend-PGD and Extend-C&W attack algorithms have advantages of attack success rate and semantics-preserving ability, respectively.

Guoqin Chang,Haichang Gao,Zhou Yao,Haoquan Xiong

DOI: https://doi.org/10.1016/j.neucom.2023.01.071

IF: 6

2023-01-01

Neurocomputing

Abstract:Adversarial examples greatly compromise the security of deep learning models. The key to improving the robustness of a natural language processing (NLP) model is to study attacks and defenses involving adver-sarial text. However, the current adversarial attack methods still face problems, such as the low success rates of attacks on some datasets, and the existing defense methods can already successfully defend against some attack methods. As a result, such attacks are unable to dig deeper into the flaws of NLP mod-els to inform further defense improvements. Hence, it is necessary to design an adversarial attack method with a wider attack range and stronger performance. Aiming at the advantages and disadvantages of existing methods, this paper proposes a new adaptive black-box text adversarial example generation scheme, TextGuise. First, we design a keyword selection method in which word scores are calculated by combining context semantics to select the appropriate keywords to modify. Second, to maintain semantics, new keyword substitution rules are designed in combination with the characteristics of text and popular text expressions. Finally, the best modification strategy is adaptively selected through a querying model to reduce the magnitudes of disturbances. TextGuise can automatically select replace-ment keywords and replacement strategies that efficiently generate adversarial examples with good readability for various text classification tasks. Attack experiments conducted with TextGuise on 5 data -sets yield high attack success rates that can surpass 80% when the perturbation ratio does not exceed 0.2. In addition, we present and discuss experiments focusing on defense, text similarity, query times, time consumption, etc., to test the attack performance of TextGuise. The results show that our attack method can achieve a good balance among various metrics.(c) 2023 Elsevier B.V. All rights reserved.

Dianqi Li,Yizhe Zhang,Hao Peng,Liqun Chen,Chris Brockett,Ming-Ting Sun,Bill Dolan

DOI: https://doi.org/10.18653/v1/2021.naacl-main.400

2021-01-01

Abstract: Adversarial examples expose the vulnerabilities of natural language processing (NLP) models, and can be used to evaluate and improve their robustness. Existing techniques of generating such examples are typically driven by local heuristic rules that are agnostic to the context, often resulting in unnatural and ungrammatical outputs. This paper presents CLARE, a ContextuaLized AdversaRial Example generation model that produces fluent and grammatical outputs through a mask-then-infill procedure. CLARE builds on a pre-trained masked language model and modifies the inputs in a context-aware manner. We propose three contextualized perturbations, Replace, Insert and Merge, allowing for generating outputs of varied lengths. With a richer range of available strategies, CLARE is able to attack a victim model more efficiently with fewer edits. Extensive experiments and human evaluation demonstrate that CLARE outperforms the baselines in terms of attack success rate, textual similarity, fluency and grammaticality.

Yiming Zhang,Chao Zhang,Donghong Sun,Zhou Li,Zihan Zhang,Haixin Duan,Qi Li,Mingxuan Liu

DOI: https://doi.org/10.1109/TDSC.2022.3164289

2023-03-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Natural language processing (NLP) models are known vulnerable to adversarial examples, similar to image processing models. Studying adversarial texts is an essential step to improve the robustness of NLP models. However, existing studies mainly focus on generating adversarial texts for English, with no prior knowledge that whether those attacks could be applied to Chinese. After analyzing the differences between Chinese and English, we propose a novel adversarial Chinese text generation solution Argot, by utilizing the method for adversarial English examples and several novel methods developed on Chinese characteristics. Argot could effectively and efficiently generate adversarial Chinese texts with good readability in both white-box and black-box settings. Argot could also automatically generate targeted Chinese adversarial texts, achieving a high success rate and ensuring the readability of the generated texts. Furthermore, we apply Argot to the spam detection task in both local detection models and a public toxic content detection system from a well-known security company. Argot achieves a relatively high bypass success rate with fluent readability, which proves that the real-world toxic content detection system is vulnerable to adversarial example attacks. We also evaluate some available defense strategies, and the results indicate that Argot can still achieve high attack success rates.

Computer Science

Bing He,Mustaque Ahamad,Srijan Kumar

DOI: https://doi.org/10.48550/arXiv.2109.06777

IF: 5.414

2021-09-14

Machine Learning

Abstract:What should a malicious user write next to fool a detection model? Identifying malicious users is critical to ensure the safety and integrity of internet platforms. Several deep learning-based detection models have been created. However, malicious users can evade deep detection models by manipulating their behavior, rendering these models of little use. The vulnerability of such deep detection models against adversarial attacks is unknown. Here we create a novel adversarial attack model against deep user sequence embedding based classification models, which use the sequence of user posts to generate user embeddings and detect malicious users. In the attack, the adversary generates a new post to fool the classifier. We propose a novel end-to-end Personalized Text Generation Attack model, called PETGEN, that simultaneously reduces the efficacy of the detection model and generates posts that have several key desirable properties. Specifically, PETGEN generates posts that are personalized to the user's writing style, have knowledge about a given target context, are aware of the user's historical posts on the target context, and encapsulate the user's recent topical interests. We conduct extensive experiments on two real-world datasets (Yelp and Wikipedia, both with ground-truth of malicious users) to show that PETGEN significantly reduces the performance of popular deep user sequence embedding-based classification models. PETGEN outperforms five attack baselines in terms of text quality and attack efficacy in both white-box and black-box classifier settings. Overall, this work paves the path towards the next generation of adversary-aware sequence classification models.

Xingbin Liu,Huafeng Kuang,Xianming Lin,Yongjian Wu,Rongrong Ji

DOI: https://doi.org/10.48550/arxiv.2303.14922

2023-01-01

Abstract:Adversarial training can improve the robustness of neural networks. Previous methods focus on a single adversarial training strategy and do not consider the model property trained by different strategies. By revisiting the previous methods, we find different adversarial training methods have distinct robustness for sample instances. For example, a sample instance can be correctly classified by a model trained using standard adversarial training (AT) but not by a model trained using TRADES, and vice versa. Based on this observation, we propose a collaborative adversarial training framework to improve the robustness of neural networks. Specifically, we use different adversarial training methods to train robust models and let models interact with their knowledge during the training process. Collaborative Adversarial Training (CAT) can improve both robustness and accuracy. Extensive experiments on various networks and datasets validate the effectiveness of our method. CAT achieves state-of-the-art adversarial robustness without using any additional data on CIFAR-10 under the Auto-Attack benchmark. Code is available at https://github.com/liuxingbin/CAT.

Xi Cao,Yuan Sun,Jiajun Li,Quzong Gesang,Nuo Qun,Tashi Nyima

2024-12-17

Abstract:DNN-based language models perform excellently on various tasks, but even SOTA LLMs are susceptible to textual adversarial attacks. Adversarial texts play crucial roles in multiple subfields of NLP. However, current research has the following issues. (1) Most textual adversarial attack methods target rich-resourced languages. How do we generate adversarial texts for less-studied languages? (2) Most textual adversarial attack methods are prone to generating invalid or ambiguous adversarial texts. How do we construct high-quality adversarial robustness benchmarks? (3) New language models may be immune to part of previously generated adversarial texts. How do we update adversarial robustness benchmarks? To address the above issues, we introduce HITL-GAT, a system based on a general approach to human-in-the-loop generation of adversarial texts. HITL-GAT contains four stages in one pipeline: victim model construction, adversarial example generation, high-quality benchmark construction, and adversarial robustness evaluation. Additionally, we utilize HITL-GAT to make a case study on Tibetan script which can be a reference for the adversarial research of other less-studied languages.

Computation and Language,Cryptography and Security,Human-Computer Interaction