Yushun Xie,Zhaoquan Gu,Xiaopeng Fu,Le Wang,Weihong Han,Yuexuan Wang

DOI: https://doi.org/10.1109/ithings-greencom-cpscom-smartdata-cybermatics50389.2020.00103

2020-01-01

Abstract:Deep neural networks are vulnerable to the adversarial examples that are generated by adding small perturbations to the original inputs. Similarly, traditional machine learning models such as logistic regression and support vector machine are also threatened by such carefully generated adversarial examples. In this paper, we study the adversarial texts that could mislead the sentiment analysis of traditional machine learning models. We present the Ensemble Word Addition (EWA) algorithm, which filters out a small number of words that have large attack ability and these words are added at the end of the original text. By extensive experiments, we show that the generated adversarial texts could fool some traditional machine learning models with a very high confidence, but they cannot affect human's judgment. The experimental results show that the proposed algorithm has a powerful attack ability to misleading the sentiment analysis, specifically the attack success rate could reach above 95% by only adding 4.6% words.

Yankun Ren,Jianbin Lin,Siliang Tang,Jun Zhou,Shuang Yang,Yuan Qi,Xiang Ren

DOI: https://doi.org/10.3233/faia200340

2020-01-01

Abstract:Today text classification models have been widely used. However, these classifiers are found to be easily fooled by adversarial examples. Fortunately, standard attacking methods generate adversarial texts in a pair-wise way, that is, an adversarial text can only be created from a real-world text by replacing a few words. In many applications, these texts are limited in numbers, therefore their corresponding adversarial examples are often not diverse enough and sometimes hard to read, thus can be easily detected by humans and cannot create chaos at a large scale. In this paper, we propose an end to end solution to efficiently generate adversarial texts from scratch using generative models, which are not restricted to perturbing the given texts. We call it unrestricted adversarial text generation. Specifically, we train a conditional variational autoencoder (VAE) with an additional adversarial loss to guide the generation of adversarial examples. Moreover, to improve the validity of adversarial texts, we utilize discrimators and the training framework of generative adversarial networks (GANs) to make adversarial texts consistent with real data. Experimental results on sentiment analysis demonstrate the scalability and efficiency of our method. It can attack text classification models with a higher success rate than existing methods, and provide acceptable quality for humans in the meantime.

Xiaohu Du,Jie Yu,Zibo Yi,Shasha Li,Jun Ma,Yusong Tan,Qinbo Wu

DOI: https://doi.org/10.3390/app10103559

2020-01-01

Applied Sciences

Abstract:Adversarial attack against natural language has been a hot topic in the field of artificial intelligence security in recent years. It is mainly to study the methods and implementation of generating adversarial examples. The purpose is to better deal with the vulnerability and security of deep learning systems. According to whether the attacker understands the deep learning model structure, the adversarial attack is divided into black-box attack and white-box attack. In this paper, we propose a hybrid adversarial attack for different application scenarios. Firstly, we propose a novel black-box attack method of generating adversarial examples to trick the word-level sentiment classifier, which is based on differential evolution (DE) algorithm to generate semantically and syntactically similar adversarial examples. Compared with existing genetic algorithm based adversarial attacks, our algorithm can achieve a higher attack success rate while maintaining a lower word replacement rate. At the 10% word substitution threshold, we have increased the attack success rate from 58.5% to 63%. Secondly, when we understand the model architecture and parameters, etc., we propose a white-box attack with gradient-based perturbation against the same sentiment classifier. In this attack, we use a Euclidean distance and cosine distance combined metric to find the most semantically and syntactically similar substitution, and we introduce the coefficient of variation (CV) factor to control the dispersion of the modified words in the adversarial examples. More dispersed modifications can increase human imperceptibility and text readability. Compared with the existing global attack, our attack can increase the attack success rate and make modification positions in generated examples more dispersed. We’ve increased the global search success rate from 75.8% to 85.8%. Finally, we can deal with different application scenarios by using these two attack methods, that is, whether we understand the internal structure and parameters of the model, we can all generate good adversarial examples.

Xiangzhe Guo,Shikui Tu,Lei Xu

DOI: https://doi.org/10.1007/978-3-031-15919-0_17

2022-01-01

Abstract:Word substitution based textual adversarial attack is actually a combinatorial optimization problem. Existing greedy search methods are time-consuming due to extensive unnecessary victim model calls in word ranking and substitution. In this work, we propose a learnable attack method which uses neural networks to guide the greedy search to reduce victim model calls. Specifically, we use one network to predict the importance of each word, without accessing the victim model. It avoids the victim model calls proportional to the length of the text, which may be in hundreds. Moreover, we use the other network to score each substitute word for a specific substitute position and filter out the attack-inefficient and out-of-context ones, so as to reduce substitution attempts. We evaluate our method on sentiment analysis, natural language inference and paraphrase identification tasks. Experimental results show that our method can achieve higher attack success rate and adversarial example quality than the baseline methods, while requiring less computation overhead. The code is public at https://github.com/CMACH508/PredictiveTextualAttack.

Xiangzhe Guo,Ruidan Su,Shikui Tu,Lei Xu

DOI: https://doi.org/10.1007/978-981-99-1639-9_32

2022-01-01

Abstract:Adversarial attacks can help to reveal the vulnerability of neural networks. In the text classification domain, synonym replacement is an effective way to generate adversarial examples. However, the number of replacement combinations grows exponentially with the text length, making the search difficult. In this work, we propose an attack method which combines a synonym selection network and search strategies of beam search and Monte Carlo tree search (MCTS). The synonym selection network learns the patterns of synonyms which have high attack effect. We combine the network with beam search to gain a broader view by multiple search paths, and with MCTS to gain a deeper view by the exploration feedback, so as to effectively avoid local optimum. We evaluate our method with four datasets in a challenging black box setting which requires no access to the victim model’s parameters. Experimental results show that our method can generate high-quality adversarial examples with higher attack success rate and fewer number of victim model queries, and further experiments show that our method has higher transferability on the victim models. The code and data can be obtained via https://github.com/CMACH508/SearchTextualAdversarialExamples .

Shuhuai Ren,Yihe Deng,Kun He,Wanxiang Che

DOI: https://doi.org/10.18653/v1/p19-1103

2019-01-01

Abstract:We address the problem of adversarial attacks on text classification, which is rarely studied comparing to attacks on image classification. The challenge of this task is to generate adversarial examples that maintain lexical correctness, grammatical correctness and semantic similarity. Based on the synonyms substitution strategy, we introduce a new word replacement order determined by both the word saliency and the classification probability, and propose a greedy algorithm called probability weighted word saliency (PWWS) for text adversarial attack. Experiments on three popular datasets using convolutional as well as LSTM models show that PWWS reduces the classification accuracy to the most extent, and keeps a very low word substitution rate. A human evaluation study shows that our generated adversarial examples maintain the semantic similarity well and are hard for humans to perceive. Performing adversarial training using our perturbed datasets improves the robustness of the models. At last, our method also exhibits a good transferability on the generated adversarial examples.

Yufei Liu,Dongmei Zhang,Chunhua Wu,Wei Liu

DOI: https://doi.org/10.1007/978-3-030-88480-2_15

2021-01-01

Abstract:Adversarial examples mislead the deep neural networks (DNNs) by adding slight human-imperceptible perturbations to the input, they reveal the vulnerability of DNNs and can be applied to improve the robustness of the model. Recent work generates adversarial examples by performing word-level substitutions. However, these methods can lead to contextually inappropriate or semantically deviant substitutions because they do not take full advantage of the whole-sentence information and are inefficient in searching. The aim of this study is to improve current methods to enhance the effectiveness of adversarial examples. This study proposes an adversarial example generation method based on an improved application of the masked language model exemplified by BERT. The method injects fuzzy target word information into BERT to predict substitutes by regularizing its token embedding, which empowers BERT to integrate whole-sentence information, and then searches for adversarial examples within the substitute space using beam search with the guidance of word importance. Exhaustive experiments show that it not only significantly outperforms state-of-the-art attack methods, but also has high application value as it can generate fluent and natural samples with minimal perturbation. The work indicates that the method proved to be both effective and efficient in generating adversarial examples.

Hongxu Ou,Long Yu,Shengwei Tian,Xin Chen

DOI: https://doi.org/10.1007/s10115-022-01652-1

IF: 2.7

2022-03-17

Knowledge and Information Systems

Abstract:Recent studies have shown that after adding small perturbations that are imperceptible to humans, deep neural networks (DNNs) with good performance and popular application are likely to produce incorrect results. These processed samples are called adversarial examples. High-quality adversarial examples help to increase the accuracy of estimating the robustness of the network model, thereby reducing the security risks behind the unreal high accuracy of the model. And there are few existing researches on Chinese texts in this field, therefore, this paper proposes a Chinese adversarial examples generation approach with multi-strategy based on semantic called GreedyAttack. Based on the analysis of the characteristics of the Chinese version, the ranking of the influence of each word in the text is obtained according to the calculation formula of the word importance with the weighted part-of-speech. Next, five strategies including synonymous words, similar words of form, similar words of sound, pinyin rewriting, and phrase disassembly are combined to replace the original words, and then, the black box attack on the DNNs models is completed. The method is evaluated by attacking the BERT and ERNIE models on three data sets. The results indicate that the adversarial examples generated by the method can effectively reduce the accuracy of the model.

computer science, information systems, artificial intelligence

Yupeng Qi,Xinghao Yang,Baodi Liu,Kai Zhang,Weifeng Liu

DOI: https://doi.org/10.1109/cac59555.2023.10451064

2023-01-01

Abstract:Natural Language Processing (NLP) models are immensely vulnerable to adversarial text examples. Various word-level attacks have been proposed to modify input texts by carefully-picked substitute words via static or dynamic opti-mization algorithms. However, existing word-level attack methods usually ignore text fluency and semantic consistency for seeking a high attack success ratio, often resulting in unnatural adversarial text examples. In this paper, we propose to generate Prompt-based adversarial texts via Variable Neighborhood Search (P-VNS), which achieves a high attack success ratio while simulta-neously keeping text fluency and semantic similarity. Specifically, the well-designed prompt texts are constructed for input texts and the substitute words are obtained by mask-and-filling procedure under the effect of prompt texts, so the text fluency and semantic similarity can be enhanced. Additionally, the word modification priority is adaptively determined by employing the variable neighborhood search algorithm, yielding an improvement in the attack success ratio. Extensive experiments demonstrate that the P- VNS accomplishes the highest attack success ratio meanwhile preserving text fluency and semantic similarity. Besides, the pro-posed P- VNS also manifests effectiveness in adversarial training and transfer attack.

Yuan Zang,Chenghao Yang,Fanchao Qi,Zhiyuan Liu,Meng Zhang,Qun Liu,Maosong Sun

2019-01-01

Abstract:Adversarial attacks are carried out to reveal the vulnerability of deep neural networks. Textual adversarial attacking is challenging because text is discrete and a small perturbation can bring significant change to the original input. Word-level attacking, which can be regarded as a combinatorial optimization problem, is a well-studied class of textual attack methods. However, existing word-level attack models are far from perfect, largely because unsuitable search space reduction methods and inefficient optimization algorithms are employed. In this paper, we propose a novel attack model, which incorporates the sememe-based word substitution method and particle swarm optimization-based search algorithm to solve the two problems separately. We conduct exhaustive experiments to evaluate our attack model by attacking BiLSTM and BERT on three benchmark datasets. Experimental results demonstrate that our model consistently achieves much higher attack success rates and crafts more high-quality adversarial examples as compared to baseline methods. Also, further experiments show our model has higher transferability and can bring more robustness enhancement to victim models by adversarial training. All the code and data of this paper can be obtained on this https URL.

Jin Yong Yoo,Yanjun Qi

DOI: https://doi.org/10.48550/arXiv.2109.00544

2021-09-01

Computation and Language

Abstract:Adversarial training, a method for learning robust deep neural networks, constructs adversarial examples during training. However, recent methods for generating NLP adversarial examples involve combinatorial search and expensive sentence encoders for constraining the generated instances. As a result, it remains challenging to use vanilla adversarial training to improve NLP models' performance, and the benefits are mainly uninvestigated. This paper proposes a simple and improved vanilla adversarial training process for NLP models, which we name Attacking to Training (A2T). The core part of A2T is a new and cheaper word substitution attack optimized for vanilla adversarial training. We use A2T to train BERT and RoBERTa models on IMDB, Rotten Tomatoes, Yelp, and SNLI datasets. Our results empirically show that it is possible to train robust NLP models using a much cheaper adversary. We demonstrate that vanilla adversarial training with A2T can improve an NLP model's robustness to the attack it was originally trained with and also defend the model against other types of word substitution attacks. Furthermore, we show that A2T can improve NLP models' standard accuracy, cross-domain generalization, and interpretability. Code is available at https://github.com/QData/Textattack-A2T .

Liping Yuan,Xiaoqing Zheng,Yi Zhou,Cho-Jui Hsieh,Kai-Wei Chang,Xuanjing Huang

2020-01-01

Abstract:Deep neural network models are vulnerable to adversarial attacks. In many cases, malicious inputs intentionally crafted for one model can fool another model in the black-box attack setting. However, there is a lack of systematic studies on the transferability of adversarial examples and how to generate universal adversarial examples. In this paper, we systematically study the transferability of adversarial attacks for text classification models. In particular, we conduct extensive experiments to investigate how various factors, such as network architecture, input format, word embedding, and model capacity, affect the transferability of adversarial attacks. Based on these studies, we then propose universal black-box attack algorithms that can induce adversarial examples to attack almost all existing models. These universal adversarial examples reflect the defects of the learning process and the bias in the training dataset. Finally, we generalize these adversarial examples into universal word replacement rules that can be used for model diagnostics.

Linyang Li,Yunfan Shao,Demin Song,Xipeng Qiu,Xuanjing Huang

DOI: https://doi.org/10.48550/arXiv.2012.14769

2020-12-29

Computation and Language

Abstract:Adversarial attacks in texts are mostly substitution-based methods that replace words or characters in the original texts to achieve success attacks. Recent methods use pre-trained language models as the substitutes generator. While in Chinese, such methods are not applicable since words in Chinese require segmentations first. In this paper, we propose a pre-train language model as the substitutes generator using sentence-pieces to craft adversarial examples in Chinese. The substitutions in the generated adversarial examples are not characters or words but \textit{'pieces'}, which are more natural to Chinese readers. Experiments results show that the generated adversarial samples can mislead strong target models and remain fluent and semantically preserved.

Xin Chen,Shengwei Tian,Long Yu,Hongxu Ou,Bo Wang,Tiejun Zhou

DOI: https://doi.org/10.21203/rs.3.rs-2307347/v1

2022-01-01

Abstract:Abstract Compared with the research on adversarial examples on English data, there are few models for generating adversarial examples on Chinese data. Most of the Chinese adversarial examples are in a single form. Their fluency and attack accuracy are not well performed. In this paper, we propose MixAttacker that uses word-level and sentence-level perturbations in conjunction with each other to generate adversarial examples in Chinese texts. The model uses the masked language model WoBERT [1] to generate replacement words based on the Chinese word-level transformation, then selects one of the new sentences obtained by word replacement by merit, and finally, back translate this sentence. In addition, we propose sentence fluency evaluation to control the quality of adversarial examples more effectively. The experimental results show that our model achieves 75.50%, 69.00%, 46.00%, and 55.50% accuracy decrease on four datasets, respectively, ChnsentiCorp, Hotel, TUHCNews, and Weibo, with effective perturbation, semantic and fluency control.

Xiaosen Wang,Yifeng Xiong,Kun He

2021-01-01

Abstract:A line of work has shown that natural text processing models are vulnerable to adversarial examples. Correspondingly, various defense methods are proposed to mitigate the threat of textual adversarial examples, e.g. adversarial training, certified defense, input pre-processing, detection, etc. In this work, we treat the optimization process for synonym substitution based textual adversarial attacks as a specific sequence of word replacement, in which each word mutually influences other words. We identify that we could destroy such mutual interaction and eliminate the adversarial perturbation by randomly substituting a word with its synonyms. Based on this observation, we propose a novel textual adversarial example detection method, termed Randomized Substitution and Vote (RS&V), which votes the prediction label by accumulating the logits of k samples generated by randomly substituting the words in the input text with synonyms. The proposed RS&V is generally applicable to any existing neural networks without modification on the architecture or extra training, and it is orthogonal to prior work on making the classification network itself more robust. Empirical evaluations on three benchmark datasets demonstrate that RS&V could detect the textual adversarial examples more successfully than the existing detection methods while maintaining the high classification accuracy on benign samples.

Hao Peng,Zhe Wang,Chao Wei,Dandan Zhao,Guangquan Xu,Jianming Han,Shixin Guo,Ming Zhong,Shouling Ji

DOI: https://doi.org/10.1016/j.knosys.2024.112188

IF: 8.139

2024-01-01

Knowledge-Based Systems

Abstract:Deep neural networks are vulnerable to adversarial attacks, despite performing well in a variety of tasks. In the current black-box word-level text adversarial attacks on various classification tasks, the main problems are the relatively low success rate and the need to improve the quality of the adversarial examples generated. These problems mainly involve two aspects: first, the key to effectively conducting adversarial attacks is accurately determining the key words in a sentence that significantly affect the model’s judgment. Only by precisely finding these words can the attack be effectively performed. Second, to generate high-quality adversarial examples, it is essential to mislead the classification model while minimizing changes to words in the sentence. It is essential to ensure that adversarial examples are as semantically and grammatically similar to the original samples as possible. Therefore, accurately determining key words and minimally altering them to produce high-quality adversarial examples presents a significant challenge. To address these challenges, we introduce TextJuggler, a new black-box word-level text adversarial attack method, inspired by occlusion and language modeling concepts. By using the Bert model to sample and replace words in sentences, the key words that influence classifier decisions can be efficiently determined. To ensure efficiency in the search for key words, our method reduces queries via crafted locality-sensitive hashing. For the determined key words, we adopt the robust and optimized Bert model, to generate high-quality adversarial examples through insertion or substitution operations for different text classification tasks while ensuring semantic similarity and text fluency. Extensive experiments and API experiments show that TextJuggler outperforms the baselines in attack success rate, textual similarity, and fluency.

Xiaohu Du,Zibo Yi,Shasha Li,Jun Ma,Jie Yu,Yusong Tan,Qinbo Wu

DOI: https://doi.org/10.1007/978-3-030-57884-8_37

2020-01-01

Abstract:In this paper, we propose a novel white-box attack against word-level CNN text classifier. On the one hand, we use an Euclidean distance and cosine distance combined metric to find the most semantically similar substitution when generating perturbations, which can effectively increase the attack success rate. We’ve increased global search success rate from 75.8% to 85.8%. On the other hand, we can control the dispersion of the location of the modified words in the adversarial examples by introducing the coefficient of variation(CV) factor, because greedy search sometimes has poor readability for the modified positions in adversarial examples are close. More dispersed modifications can increase human imperceptibility and text readability. We use the attack success rate to evaluate the validity of the attack method, and use CV value to measure the dispersion degree of the modified words in the generated adversarial examples. Finally, we use the combination of these two methods, which can increase the attack success rate and make modification positions in generated examples more dispersed.

Wenqi Wang,Run Wang,Lina Wang,Zhibo Wang,Aoshuang Ye

DOI: https://doi.org/10.48550/arXiv.1902.07285

2021-04-21

Abstract:Deep neural networks (DNNs) have achieved remarkable success in various tasks (e.g., image classification, speech recognition, and natural language processing (NLP)). However, researchers have demonstrated that DNN-based models are vulnerable to adversarial examples, which cause erroneous predictions by adding imperceptible perturbations into legitimate inputs. Recently, studies have revealed adversarial examples in the text domain, which could effectively evade various DNN-based text analyzers and further bring the threats of the proliferation of disinformation. In this paper, we give a comprehensive survey on the existing studies of adversarial techniques for generating adversarial texts written by both English and Chinese characters and the corresponding defense methods. More importantly, we hope that our work could inspire future studies to develop more robust DNN-based text analyzers against known and unknown adversarial techniques. We classify the existing adversarial techniques for crafting adversarial texts based on the perturbation units, helping to better understand the generation of adversarial texts and build robust models for defense. In presenting the taxonomy of adversarial attacks and defenses in the text domain, we introduce the adversarial techniques from the perspective of different NLP tasks. Finally, we discuss the existing challenges of adversarial attacks and defenses in texts and present the future research directions in this emerging and challenging field.

Computation and Language,Cryptography and Security,Machine Learning

Xinze Zhang,Junzhe Zhang,Zhenhua Chen,Kun He

DOI: https://doi.org/10.18653/v1/2021.acl-long.153

2021-01-01

Abstract:Effective adversary generation for neural machine translation (NMT) is a crucial prerequisite for building robust machine translation systems. In this work, we investigate veritable evaluations of NMT adversarial attacks, and propose a novel method to craft NMT adversarial examples. We first show the current NMT adversarial attacks may be improperly estimated by the commonly used monodirectional translation, and we propose to leverage the round-trip translation technique to build valid metrics for evaluating NMT adversarial attacks. Our intuition is that an effective NMT adversarial example, which imposes minor shifting on the source and degrades the translation dramatically, would naturally lead to a semantic-destroyed round-trip translation result. We then propose a promising black-box attack method calledWord Saliency speedup Local Search (WSLS) that could effectively attack the mainstream NMT architectures. Comprehensive experiments demonstrate that the proposed metrics could accurately evaluate the attack effectiveness, and the proposed WSLS could significantly break the state-of-art NMT models with small perturbation. Besides, WSLS exhibits strong transferability on attacking Baidu and Bing online translators.

Wenqi Wang,Run Wang,Lina Wang,Zhibo Wang,Aoshuang Ye

DOI: https://doi.org/10.1109/tkde.2021.3117608

IF: 9.235

2021-01-01

IEEE Transactions on Knowledge and Data Engineering

Abstract:Deep neural networks (DNNs) have achieved remarkable success in various tasks (e.g., image classification, speech recognition, and natural language processing (NLP)). However, researchers have demonstrated that DNN-based models are vulnerable to adversarial examples, which cause erroneous predictions by adding imperceptible perturbations into legitimate inputs. Recently, studies have revealed adversarial examples in the text domain, which could effectively evade various DNN-based text analyzers and further bring the threats of the proliferation of disinformation. In this paper, we give a comprehensive survey on the existing studies of adversarial techniques for generating adversarial texts written by both English and Chinese characters and the corresponding defense methods. More importantly, we hope that our work could inspire future studies to develop more robust DNN-based text analyzers against known and unknown adversarial techniques. We classify the existing adversarial techniques for crafting adversarial texts based on the perturbation units, helping to better understand the generation of adversarial texts and build robust models for defense. In presenting the taxonomy of adversarial attacks and defenses in the text domain, we introduce the adversarial techniques from the perspective of different NLP tasks. Finally, we discuss the existing challenges of adversarial attacks and defenses in texts and present the future research directions in this emerging and challenging field.