Shuhuai Ren,Yihe Deng,Kun He,Wanxiang Che

DOI: https://doi.org/10.18653/v1/p19-1103

2019-01-01

Abstract:We address the problem of adversarial attacks on text classification, which is rarely studied comparing to attacks on image classification. The challenge of this task is to generate adversarial examples that maintain lexical correctness, grammatical correctness and semantic similarity. Based on the synonyms substitution strategy, we introduce a new word replacement order determined by both the word saliency and the classification probability, and propose a greedy algorithm called probability weighted word saliency (PWWS) for text adversarial attack. Experiments on three popular datasets using convolutional as well as LSTM models show that PWWS reduces the classification accuracy to the most extent, and keeps a very low word substitution rate. A human evaluation study shows that our generated adversarial examples maintain the semantic similarity well and are hard for humans to perceive. Performing adversarial training using our perturbed datasets improves the robustness of the models. At last, our method also exhibits a good transferability on the generated adversarial examples.

Hetvi Waghela,Sneha Rakshit,Jaydip Sen

2024-03-18

Abstract:This paper introduces a novel adversarial attack method targeting text classification models, termed the Modified Word Saliency-based Adversarial At-tack (MWSAA). The technique builds upon the concept of word saliency to strategically perturb input texts, aiming to mislead classification models while preserving semantic coherence. By refining the traditional adversarial attack approach, MWSAA significantly enhances its efficacy in evading detection by classification systems. The methodology involves first identifying salient words in the input text through a saliency estimation process, which prioritizes words most influential to the model's decision-making process. Subsequently, these salient words are subjected to carefully crafted modifications, guided by semantic similarity metrics to ensure that the altered text remains coherent and retains its original meaning. Empirical evaluations conducted on diverse text classification datasets demonstrate the effectiveness of the proposed method in generating adversarial examples capable of successfully deceiving state-of-the-art classification models. Comparative analyses with existing adversarial attack techniques further indicate the superiority of the proposed approach in terms of both attack success rate and preservation of text coherence.

Computation and Language,Cryptography and Security,Machine Learning

Lifan Yuan,Yichi Zhang,Yangyi Chen,Wei Wei

2023-06-08

Abstract:Despite recent success on various tasks, deep learning techniques still perform poorly on adversarial examples with small perturbations. While optimization-based methods for adversarial attacks are well-explored in the field of computer vision, it is impractical to directly apply them in natural language processing due to the discrete nature of the text. To address the problem, we propose a unified framework to extend the existing optimization-based adversarial attack methods in the vision domain to craft textual adversarial samples. In this framework, continuously optimized perturbations are added to the embedding layer and amplified in the forward propagation process. Then the final perturbed latent representations are decoded with a masked language model head to obtain potential adversarial samples. In this paper, we instantiate our framework with an attack algorithm named Textual Projected Gradient Descent (T-PGD). We find our algorithm effective even using proxy gradient information. Therefore, we perform the more challenging transfer black-box attack and conduct comprehensive experiments to evaluate our attack algorithm with several models on three benchmark datasets. Experimental results demonstrate that our method achieves overall better performance and produces more fluent and grammatical adversarial samples compared to strong baseline methods. The code and data are available at \url{<a class="link-external link-https" href="https://github.com/Phantivia/T-PGD" rel="external noopener nofollow">this https URL</a>}.

Computation and Language,Cryptography and Security,Machine Learning

Zhaorong Liu,Xi Xiong,Yuanyuan Li,Yan Yu,Jiazhong Lu,Shuai Zhang,Fei Xiong

DOI: https://doi.org/10.1016/j.neunet.2024.106461

Abstract:Hard-label black-box textual adversarial attacks present a highly challenging task due to the discrete and non-differentiable nature of text data and the lack of direct access to the model's predictions. Research in this issue is still in its early stages, and the performance and efficiency of existing methods has potential for improvement. For instance, exchange-based and gradient-based attacks may become trapped in local optima and require excessive queries, hindering the generation of adversarial examples with high semantic similarity and low perturbation under limited query conditions. To address these issues, we propose a novel framework called HyGloadAttack (adversarial Attacks via Hybrid optimization and Global random initialization) for crafting high-quality adversarial examples. HyGloadAttack utilizes a perturbation matrix in the word embedding space to find nearby adversarial examples after global initialization and selects synonyms that maximize similarity while maintaining adversarial properties. Furthermore, we introduce a gradient-based quick search method to accelerate the search process of optimization. Extensive experiments on five datasets of text classification and natural language inference, as well as two real APIs, demonstrate the significant superiority of our proposed HyGloadAttack method over state-of-the-art baseline methods.

Yuan Zang,Chenghao Yang,Fanchao Qi,Zhiyuan Liu,Meng Zhang,Qun Liu,Maosong Sun

2019-01-01

Abstract:Adversarial attacks are carried out to reveal the vulnerability of deep neural networks. Textual adversarial attacking is challenging because text is discrete and a small perturbation can bring significant change to the original input. Word-level attacking, which can be regarded as a combinatorial optimization problem, is a well-studied class of textual attack methods. However, existing word-level attack models are far from perfect, largely because unsuitable search space reduction methods and inefficient optimization algorithms are employed. In this paper, we propose a novel attack model, which incorporates the sememe-based word substitution method and particle swarm optimization-based search algorithm to solve the two problems separately. We conduct exhaustive experiments to evaluate our attack model by attacking BiLSTM and BERT on three benchmark datasets. Experimental results demonstrate that our model consistently achieves much higher attack success rates and crafts more high-quality adversarial examples as compared to baseline methods. Also, further experiments show our model has higher transferability and can bring more robustness enhancement to victim models by adversarial training. All the code and data of this paper can be obtained on this https URL.

Shen Wang,Zhaoyang Zhang,Guopu Zhu,Xinpeng Zhang,Yicong Zhou,Jiwu Huang

DOI: https://doi.org/10.1109/tifs.2022.3222963

IF: 7.231

2023-01-01

IEEE Transactions on Information Forensics and Security

Abstract:With the widespread use of automated speech recognition (ASR) systems in modern consumer devices, attack against ASR systems have become an attractive topic in recent years. Although related white-box attack methods have achieved remarkable success in fooling neural networks, they rely heavily on obtaining full access to the details of the target models. Due to the lack of prior knowledge of the victim model and the inefficiency in utilizing query results, most of the existing black-box attack methods for ASR systems are query-intensive. In this paper, we propose a new black-box attack called the Monte Carlo gradient sign attack (MGSA) to generate adversarial audio samples with substantially fewer queries. It updates an original sample based on the elements obtained by a Monte Carlo tree search. We attribute its high query efficiency to the effective utilization of the dominant gradient phenomenon, which refers to the fact that only a few elements of each origin sample have significant effect on the output of ASR systems. Extensive experiments are performed to evaluate the efficiency of MGSA and the stealthiness of the generated adversarial examples on the DeepSpeech system. The experimental results show that MGSA achieves 98% and 99% attack success rates on the LibriSpeech and Mozilla Common Voice datasets, respectively. Compared with the state-of-the-art methods, the average number of queries is reduced by 27% and the signal-to-noise ratio is increased by 31%.

Yuan Zang,Fanchao Qi,Chenghao Yang,Zhiyuan Liu,Meng Zhang,Qun Liu,Maosong Sun

DOI: https://doi.org/10.18653/v1/2020.acl-main.540

2020-01-01

Abstract:Adversarial attacks are carried out to reveal the vulnerability of deep neural networks. Textual adversarial attacking is challenging because text is discrete and a small perturbation can bring significant change to the original input. Word-level attacking, which can be regarded as a combinatorial optimization problem, is a well-studied class of textual attack methods. However, existing word-level attack models are far from perfect, largely because unsuitable search space reduction methods and inefficient optimization algorithms are employed. In this paper, we propose a novel attack model, which incorporates the sememe-based word substitution method and particle swarm optimization-based search algorithm to solve the two problems separately. We conduct exhaustive experiments to evaluate our attack model by attacking BiLSTM and BERT on three benchmark datasets. Experimental results demonstrate that our model consistently achieves much higher attack success rates and crafts more high-quality adversarial examples as compared to baseline methods. Also, further experiments show our model has higher transferability and can bring more robustness enhancement to victim models by adversarial training. All the code and data of this paper can be obtained on https://github.com/thunlp/SememePSO-Attack.

Xinghao Yang,Yongshun Gong,Weifeng Liu,James Bailey,Dacheng Tao,Wei Liu

DOI: https://doi.org/10.1109/tsusc.2023.3263510

2023-01-01

IEEE Transactions on Sustainable Computing

Abstract:Deep learning models are known immensely brittle to adversarial text examples. Existing text adversarial attack strategies can be roughly divided into character-level, word-level, and sentence-level attacks. Despite the success brought by recent text attack methods, how to induce misclassification with minimal text modifications while keeping the lexical correctness, syntactic soundness, and semantic consistency is still a challenge. In this paper, we devise a Bigram and Unigram-based adaptive Semantic Preservation Optimization (BU-SPO) approach which attacks text documents not only at a unigram word level but also at a bigram level to avoid generating meaningless sentences. We also present a hybrid attack strategy that collects substitution words from both synonyms and sememe candidates, to enrich the potential candidate set. Besides, a Semantic Preservation Optimization (SPO) method is devised to determine the word substitution priority and reduce the perturbation cost. Furthermore, we constrain the SPO with a semantic Filter (dubbed SPOF) to improve the semantic similarity. To estimate the effectiveness of our proposed methods, BU-SPO and BU-SPOF, we attack four victim deep learning models trained on three text datasets. Experimental results demonstrate that our approaches accomplish the highest semantics consistency and attack success rates by making minimal word modifications compared with competitive methods.

Xinghao Yang,Yupeng Qi,Honglong Chen,Baodi Liu,Weifeng Liu

DOI: https://doi.org/10.1016/j.ins.2023.119237

IF: 8.1

2023-06-02

Information Sciences

Abstract:Text adversarial attack is an effective strategy to investigate the vulnerability of Natural Language Processing (NLP) models. Most of text attack studies focus on word-level attacks with static or dynamic optimization algorithms. However, they are hard to balance (1) attack performance (i.e., attack success rate, word substitution rate) and (2) attack efficiency. Generally, static optimization is fast but suffers from low attack performance, and the dynamic adversary improves the attacking quality but is time-consuming. To address these challenges, a Generation-based Parallel Particle Swarm Optimization (GP 2 SO) is proposed for the adversarial text attack. Specifically, the GP 2 SO employs an adaptive strategy to determine the word modification priority, which produces a high attack performance owing to the aggressive objective function. To achieve time efficiency, we parallelize the PSO on multiple pipelines in a generation-overlapping manner. Extensive experiments on four public text recognition datasets are conducted by attacking four deep models to evaluate the effectiveness of the GP 2 SO. Experimental results manifest that the proposed GP 2 SO averagely improves the time efficiency by 272% with only 0.3% success rate reduction compared to the PSO. Besides, the GP 2 SO also shows superiorities in adversarial training and transferability compared with baselines. The code is provided to ensure reproducibility https://github.com/OutdoorManofML/GPPSO .

computer science, information systems

Jincheng Xu,Qingfeng Du

DOI: https://doi.org/10.1016/j.engappai.2020.103641

IF: 8

2020-06-01

Engineering Applications of Artificial Intelligence

Abstract:Adversarial examples are generated by adding infinitesimal perturbations to legitimate inputs so that incorrect predictions can be induced into deep learning models. They have received increasing attention recently due to their significant values in evaluating and improving the robustness of neural networks. While adversarial attack algorithms have achieved notable advancements in the continuous data of images, they cannot be directly applied for discrete symbols such as text, where all the semantic and syntactic constraints in languages are expected to be satisfied. In this paper, we propose a white-box adversarial attack algorithm, TextTricker, which supports both targeted and non-targeted attacks on text classification models. Our algorithm can be implemented in either a loss-based way, where word perturbations are performed according to the change in loss, or a gradient-based way, where the expected gradients are computed in the continuous embedding space to restrict the perturbations towards a certain direction. We perform extensive experiments on two publicly available datasets and three state-of-the-art text classification models to evaluate our algorithm. The empirical results demonstrate that TextTricker performs notably better than baselines in attack success rate. Moreover, we discuss various aspects of TextTricker in details to provide a deep investigation and offer suggestions for its practical use.

automation & control systems,computer science, artificial intelligence,engineering, electrical & electronic, multidisciplinary

Hetvi Waghela,Jaydip Sen,Sneha Rakshit

2024-06-18

Abstract:In this paper, we introduce an enhanced textual adversarial attack method, known as Saliency Attention and Semantic Similarity driven adversarial Perturbation (SASSP). The proposed scheme is designed to improve the effectiveness of contextual perturbations by integrating saliency, attention, and semantic similarity. Traditional adversarial attack methods often struggle to maintain semantic consistency and coherence while effectively deceiving target models. Our proposed approach addresses these challenges by incorporating a three-pronged strategy for word selection and perturbation. First, we utilize a saliency-based word selection to prioritize words for modification based on their importance to the model's prediction. Second, attention mechanisms are employed to focus perturbations on contextually significant words, enhancing the attack's efficacy. Finally, an advanced semantic similarity-checking method is employed that includes embedding-based similarity and paraphrase detection. By leveraging models like Sentence-BERT for embedding similarity and fine-tuned paraphrase detection models from the Sentence Transformers library, the scheme ensures that the perturbed text remains contextually appropriate and semantically consistent with the original. Empirical evaluations demonstrate that SASSP generates adversarial examples that not only maintain high semantic fidelity but also effectively deceive state-of-the-art natural language processing models. Moreover, in comparison to the original scheme of contextual perturbation CLARE, SASSP has yielded a higher attack success rate and lower word perturbation rate.

Cryptography and Security,Computation and Language,Machine Learning

Xinghao Yang,Weifeng Liu,James Bailey,Dacheng Tao,Wei Liu

DOI: https://doi.org/10.1609/aaai.v35i1.16151

2021-01-01

Abstract:Deep neural networks (DNNs) are known to be vulnerable to adversarial images, while their robustness in text classification are rarely studied. Several lines of text attack methods have been proposed in the literature, such as character-level, word-level, and sentence-level attacks. However, it is still a challenge to minimize the number of word distortions necessary to induce misclassification, while simultaneously ensuring the lexical correctness, syntactic correctness, and semantic similarity. In this paper, we propose the Bigram and Unigram based Monotonic Heuristic Search (BU-MHS) method to examine the vulnerability of deep models. Our method has three major merits. Firstly, we propose to attack text documents not only at the unigram word level but also at the bigram level to avoid producing meaningless outputs. Secondly, we propose a hybrid method to replace the input words with both their synonyms and sememe candidates, which greatly enriches potential substitutions compared to only using synonyms. Lastly, we design a search algorithm, i.e., Monotonic Heuristic Search (MHS), to determine the priority of word replacements, aiming to reduce the modification cost in an adversarial attack. We evaluate the effectiveness of BU-MHS on IMDB, AG's News, and Yahoo! Answers text datasets by attacking four state-of-the-art DNNs models. Experimental results show that our BU-MHS achieves the highest attack success rate by changing the smallest number of words compared with other existing models.

Hao Peng,Shixin Guo,Dandan Zhao,Xuhong Zhang,Jianmin Han,Shouling Ji,Xing Yang,Ming Zhong

DOI: https://doi.org/10.1109/tdsc.2023.3339802

2024-01-01

Abstract:Designing a query-efficient attack strategy to generate high-quality adversarial examples under the hard-label black-box setting is a fundamental yet challenging problem, especially in natural language processing (NLP). The process of searching for adversarial examples has many uncertainties (e.g., an unknown impact on the target model's prediction of the added perturbation) when confidence scores cannot be accessed, which must be compensated for with a large number of queries. To address this issue, we propose TextCheater, a decision-based metaheuristic search method that performs a query-efficient textual adversarial attack task by prohibiting invalid searches. The strategies of multiple initialization points and Tabu search are also introduced to keep the search process from falling into a local optimum. We apply our approach to three state-of-the-art language models (i.e., BERT, wordLSTM, and wordCNN) across six benchmark datasets and eight real-world commercial sentiment analysis platforms/models. Furthermore, we evaluate the Robustly optimized BERT pretraining Approach (RoBERTa) and models that enhance their robustness by adversarial training on toxicity detection and text classification tasks. The results demonstrate that our method minimizes the number of queries required for crafting plausible adversarial text while outperforming existing attack methods in the attack success rate, fluency of output sentences, and similarity between the original text and its adversary.

Xiangyuan Yang,Jie Lin,Hanlin Zhang,Peng Zhao

DOI: https://doi.org/10.1016/j.ins.2024.121013

IF: 8.1

2024-06-15

Information Sciences

Abstract:Black-box query attacks are effective at compromising deep-learning models using only the model's output. These attacks typically face challenges with low attack success rates (ASRs) when limited to fewer than ten queries per example. Recent approaches have improved ASRs due to the transferability of initial perturbations, yet they still suffer from inefficient querying. Our study introduces the Gradient-Aligned Attack (GAA) to enhance ASRs with minimal perturbation by focusing on the model's preference. We define a preference property where the generated adversarial example prefers to be misclassified as the wrong category with a high initial confidence. This property is further elucidated by the gradient preference, suggesting a positive correlation between the magnitude of a coefficient in a partial derivative and the norm of the derivative itself. Utilizing this, we devise the gradient-aligned CE (GACE) loss to precisely estimate gradients by aligning these coefficients between the surrogate and victim models, with coefficients assessed by the victim model's outputs. GAA, based on the GACE loss, also aims to achieve the smallest perturbation. Our tests on ImageNet, CIFAR10, and Imagga API show that GAA can increase ASRs by 25.7% and 40.3% for untargeted and targeted attacks respectively, while only needing minimally disruptive perturbations. Furthermore, the GACE loss reduces the number of necessary queries by up to 2.5x and enhances the transferability of advanced attacks by up to 14.2%, especially when using an ensemble surrogate model. Code is available at https://github.com/HaloMoto/GradientAlignedAttack .

computer science, information systems

Zhen Yu,Xiaosen Wang,Wanxiang Che,Kun He

DOI: https://doi.org/10.48550/arXiv.2201.08193

2022-01-20

Computation and Language

Abstract:Existing textual adversarial attacks usually utilize the gradient or prediction confidence to generate adversarial examples, making it hard to be deployed in real-world applications. To this end, we consider a rarely investigated but more rigorous setting, namely hard-label attack, in which the attacker can only access the prediction label. In particular, we find we can learn the importance of different words via the change on prediction label caused by word substitutions on the adversarial examples. Based on this observation, we propose a novel adversarial attack, termed Text Hard-label attacker (TextHacker). TextHacker randomly perturbs lots of words to craft an adversarial example. Then, TextHacker adopts a hybrid local search algorithm with the estimation of word importance from the attack history to minimize the adversarial perturbation. Extensive evaluations for text classification and textual entailment show that TextHacker significantly outperforms existing hard-label attacks regarding the attack performance as well as adversary quality.

Zhaohui Che,Ali Borji,Guangtao Zhai,Suiyi Ling,Jing Li,Yuan Tian,Guodong Guo,Patrick Le Callet

DOI: https://doi.org/10.1109/TIP.2021.3050303

Abstract:Saliency detection is an effective front-end process to many security-related tasks, e.g. automatic drive and tracking. Adversarial attack serves as an efficient surrogate to evaluate the robustness of deep saliency models before they are deployed in real world. However, most of current adversarial attacks exploit the gradients spanning the entire image space to craft adversarial examples, ignoring the fact that natural images are high-dimensional and spatially over-redundant, thus causing expensive attack cost and poor perceptibility. To circumvent these issues, this paper builds an efficient bridge between the accessible partially-white-box source models and the unknown black-box target models. The proposed method includes two steps: 1) We design a new partially-white-box attack, which defines the cost function in the compact hidden space to punish a fraction of feature activations corresponding to the salient regions, instead of punishing every pixel spanning the entire dense output space. This partially-white-box attack reduces the redundancy of the adversarial perturbation. 2) We exploit the non-redundant perturbations from some source models as the prior cues, and use an iterative zeroth-order optimizer to compute the directional derivatives along the non-redundant prior directions, in order to estimate the actual gradient of the black-box target model. The non-redundant priors boost the update of some "critical" pixels locating at non-zero coordinates of the prior cues, while keeping other redundant pixels locating at the zero coordinates unaffected. Our method achieves the best tradeoff between attack ability and perturbation redundancy. Finally, we conduct a comprehensive experiment to test the robustness of 18 state-of-the-art deep saliency models against 16 malicious attacks, under both of white-box and black-box settings, which contributes a new robustness benchmark to the saliency community for the first time.

Qian Wang,Baolin Zheng,Qi Li,Chao Shen,Zhongjie Ba

DOI: https://doi.org/10.1109/tifs.2020.3026543

IF: 7.231

2021-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Adversarial attacks, which attract explosive rese- arch attention in recent years, have achieved fantastic success in fooling neural networks, especially for image-classification tasks. While for automatic speech recognition (ASR) tasks, the state-of-the-arts mainly focus on white-box attacks where the adversary is assumed to get full access to the details inside the system, e.g., network architecture, weights, etc. However, this assumption does not hold in practice. The construction of real-world adversarial examples against ASR systems is still a very challenging problem. In this paper, we, for the first time, present a novel and effective attack on ASR systems, named Selective Gradient Estimation Attack (SGEA). Compared with prior literatures, SGEA only needs limited access to the output probabilities of neural networks, and achieves extremely high efficiency and success rates. We attacked the DeepSpeech system on Mozilla Common Voice and LibriSpeech datasets in our experiments. The results demonstrate that SGEA improves the attack success rate from 35% to 98%, while reducing the number of queries by 66%.

computer science, theory & methods,engineering, electrical & electronic

Haoran Fu,Chundong Wang,Jiaqi Sun,Yumeng Zhao,Hao Lin,Junqing Sun,Baixue Zhang

DOI: https://doi.org/10.1016/j.cogsys.2023.101179

IF: 4.541

2023-11-01

Cognitive Systems Research

Abstract:Although natural language processing technology has shown strong performance in many tasks, it is very vulnerable to adversarial examples, i.e., sentences with some small perturbations can fool AI models. Current adversarial texts for English are usually generated by finding substitute words in adjacent spaces of keyword vectors. Unlike English, Chinese is more discrete and has a more complex font structure, which words that are closer in vector spaces may differ greatly in physical structure. Therefore, adversarial examples generated by current methods possess lower quality and can be easily perceived by human, or rather, they are not suitable for the human cognitive system. In this paper, we propose the "WordIllusion", a new detectable black-box algorithm used for generating Chinese adversarial texts. In this method, we create a CKSF evaluation indicator to select the key words of sentences. And then, based on the shape bias of human cognitive system and the rectification understanding to create replacement spaces of key words. To verify the effectiveness of WordIllusion, we experiment with two types of text classification tasks by using six natural language processing models. The result indicates that our method is able to improve the accuracy rate efficiently, and the generated adversarial texts can be very misleading.

psychology, experimental,neurosciences,computer science, artificial intelligence

Yuan Zang,Bairu Hou,Fanchao Qi,Zhiyuan Liu,Xiaojun Meng,Maosong Sun

DOI: https://doi.org/10.48550/arXiv.2009.09192

2020-09-19

Computation and Language

Abstract:Adversarial attacking aims to fool deep neural networks with adversarial examples. In the field of natural language processing, various textual adversarial attack models have been proposed, varying in the accessibility to the victim model. Among them, the attack models that only require the output of the victim model are more fit for real-world situations of adversarial attacking. However, to achieve high attack performance, these models usually need to query the victim model too many times, which is neither efficient nor viable in practice. To tackle this problem, we propose a reinforcement learning based attack model, which can learn from attack history and launch attacks more efficiently. In experiments, we evaluate our model by attacking several state-of-the-art models on the benchmark datasets of multiple tasks including sentiment analysis, text classification and natural language inference. Experimental results demonstrate that our model consistently achieves both better attack performance and higher efficiency than recently proposed baseline methods. We also find our attack model can bring more robustness improvement to the victim model by adversarial training. All the code and data of this paper will be made public.

Junjie Wu,Lemao Liu,Wei Bi,Dit-Yan Yeung

2024-07-07

Abstract:Targeted adversarial attacks are widely used to evaluate the robustness of neural machine translation systems. Unfortunately, this paper first identifies a critical issue in the existing settings of NMT targeted adversarial attacks, where their attacking results are largely overestimated. To this end, this paper presents a new setting for NMT targeted adversarial attacks that could lead to reliable attacking results. Under the new setting, it then proposes a Targeted Word Gradient adversarial Attack (TWGA) method to craft adversarial examples. Experimental results demonstrate that our proposed setting could provide faithful attacking results for targeted adversarial attacks on NMT systems, and the proposed TWGA method can effectively attack such victim NMT systems. In-depth analyses on a large-scale dataset further illustrate some valuable findings. 1 Our code and data are available at <a class="link-external link-https" href="https://github.com/wujunjie1998/TWGA" rel="external noopener nofollow">this https URL</a>.

Computation and Language