Cheng Nuo,Guo-Qin Chang,Haichang Gao,Ge Pei,Yang Zhang

DOI: https://doi.org/10.1109/access.2020.2988786

IF: 3.9

2020-01-01

IEEE Access

Abstract:As an important carrier for disseminating information in the Internet Age, the text contains a large amount of information. In recent years, adversarial example attacks against text discrete domains have been received widespread attention. Deep neural network (DNN) produces opposite predictions by adding small perturbations to the text data. In this paper, we present "WordChange": an adversarial examples generation approach for Chinese text classification based on multiple modification strategies, and we evaluate the effectiveness of the method in sentiment analysis dataset and spam dataset. This method effectively locates important word positions by designing a keyword contribution algorithm. We first propose a "word-split" strategy to substitute keywords thatare designed by the structure and semantic property of Chinese texts. We also first apply "swap" and "insert" strategies on Chinese texts to generate adversarial examples. We further discuss the influence of multiple Chinese Word Segmentation tools and different text lengths on the proposed method, as well as the diversification of Chinese text modification strategies. Finally, the adversarial texts based on the long short-term memory network (LSTM) can be successfully transferred to other text classifiers and real-world applications.

Lujia Shen,Xuhong Zhang,Shouling Ji,Yuwen Pu,Chunpeng Ge,Xing Yang,Yanghe Feng

DOI: https://doi.org/10.48550/arxiv.2302.05892

2023-01-01

Abstract: Currently, natural language processing (NLP) models are wildly used in various scenarios. However, NLP models, like all deep models, are vulnerable to adversarially generated text. Numerous works have been working on mitigating the vulnerability from adversarial attacks. Nevertheless, there is no comprehensive defense in existing works where each work targets a specific attack category or suffers from the limitation of computation overhead, irresistible to adaptive attack, etc. In this paper, we exhaustively investigate the adversarial attack algorithms in NLP, and our empirical studies have discovered that the attack algorithms mainly disrupt the importance distribution of words in a text. A well-trained model can distinguish subtle importance distribution differences between clean and adversarial texts. Based on this intuition, we propose TextDefense, a new adversarial example detection framework that utilizes the target model's capability to defend against adversarial attacks while requiring no prior knowledge. TextDefense differs from previous approaches, where it utilizes the target model for detection and thus is attack type agnostic. Our extensive experiments show that TextDefense can be applied to different architectures, datasets, and attack methods and outperforms existing methods. We also discover that the leading factor influencing the performance of TextDefense is the target model's generalizability. By analyzing the property of the target model and the property of the adversarial example, we provide our insights into the adversarial attacks in NLP and the principles of our defense method.

Xiangge Li,Hong Luo,Yan Sun

DOI: https://doi.org/10.3390/app14093831

2024-01-01

Abstract:Existing textual attacks mostly perturb keywords in sentences to generate adversarial examples by relying on the prediction confidence of victim models. In practice, attackers can only access the prediction label, meaning that the victim model can easily defend against such hard-label attacks by denying access based on the attack’s frequency. In this paper, we propose an efficient hard-label attack approach, called WordBlitz. First, based on the adversarial transferability, we train a substitute model to initialize the attack parameter set, including a candidate pool and two weight tables of keywords and candidate words. Then, adversarial examples are generated and optimized under the guidance of the two weight tables. During optimization, we design a hybrid local search algorithm with word importance to find the globally optimal solution while updating the two weight tables according to the attack results. Finally, the non-adversarial text generated during perturbation optimization is added to the training of the substitute model as data augmentation to improve the adversarial transferability. Experimental results show that WordBlitz surpasses the baseline in terms of better effectiveness, higher efficiency, and lower cost. Its efficiency is especially pronounced in scenarios with broader search spaces, and its attack success rate on a Chinese dataset is higher than on baselines.

Enhui Xu,Xiaolin Zhang,Yongping Wang,Shuai Zhang,Lixin Lu,Li Xu

DOI: https://doi.org/10.1109/access.2022.3157521

IF: 3.9

2022-01-01

IEEE Access

Abstract:Adversarial examples can evade the detection of text classification models based on Deep Neural Networks (DNNs), thus posing a potential security threat to the system. To address this problem, we propose an adversarial example defense method for Chinese text classification called WordRevert. The method first obtains the "positive text" containing the adversarial words by filtering the clauses that do not contribute to the current classification label. Then the detection network is combined with the position importance calculation function to achieve the detection of the adversarial words. Finally, the adversarial words are restored to the original words by calculating the candidate score and the detection score. The experiments show that the current popular Chinese text adversarial attack algorithms can be effectively defended by this method, and achieve a significant increase in the accuracy of the adversarial examples with a small reduction in the classification accuracy of clean samples while achieving better precision, recall, and F1 value of adversarial word detection and restoration.

computer science, information systems,telecommunications,engineering, electrical & electronic

Yuyao Shao,Liming Wang

DOI: https://doi.org/10.1109/IJCNN55064.2022.9892804

2022-07-18

Abstract:Deep learning models are vulnerable to adversarial examples that add small perturbations to original inputs, which can help to evaluate the robustness and expose deficiencies of deep learning models. Current research mainly focus on English text adversarial attacks. Due to the differences between Chinese and English, the attack methods can not directly be used in Chinese attacks. In the mean time, in the Chinese text adversarial examples generation field, existing methods can't corporate the multi-modal characteristics of the Chinese language automatically. Therefore, in this paper, we present GPSAttack, a unified glyphs, phonetics, and semantics multi-modal attack method that can generate deceitful texts efficiently against Chinese text classification models. We conducted exhaustive attack experiments on convolutional, recurrent, and BERT networks to evaluate our method. The results show that our method achieves up to 90% attack success rate while modifying less than 4 characters per sentence and remaining readable to humans.

Computer Science

Jinfeng Li,Tianyu Du,Shouling Ji,Rong Zhang,Quan Lu,Min Yang,Ting Wang

2020-01-01

Abstract:Text-based toxic content detection is an important tool for reducing harmful interactions in online social media environments. Yet, its underlying mechanism, deep learning-based text classification (DLTC), is inherently vulnerable to maliciously crafted adversarial texts. To mitigate such vulnerabilities, intensive research has been conducted on strengthening English-based DLTC models. However, the existing defenses are not effective for Chinese-based DLTC models, due to the unique sparseness, diversity, and variation of the Chinese language. In this paper, we bridge this striking gap by presenting TEXTSHIELD, a new adversarial defense framework specifically designed for Chinese-based DLTC models. TEXTSHIELD differs from previous work in several key aspects: (i) generic - it applies to any Chinese-based DLTC models without requiring re-training; (ii) robust - it significantly reduces the attack success rate even under the setting of adaptive attacks; and (iii) accurate - it has little impact on the performance of DLTC models over legitimate inputs. Extensive evaluations show that it outperforms both existing methods and the industry-leading platforms. Future work will explore its applicability in broader practical tasks.

Zongyi Li,Jianhan Xu,Jiehang Zeng,Linyang Li,Xiaoqing Zheng,Qi Zhang,Kai-Wei Chang,Cho-Jui Hsieh

DOI: https://doi.org/10.18653/v1/2021.emnlp-main.251

2021-01-01

Abstract:Recent studies have shown that deep neural networks are vulnerable to intentionally crafted adversarial examples, and various methods have been proposed to defend against adversarial word-substitution attacks for neural NLP models. However, there is a lack of systematic study on comparing different defense approaches under the same attacking setting. In this paper, we seek to fill the gap of systematic studies through comprehensive researches on understanding the behavior of neural text classifiers trained by various defense methods under representative adversarial attacks. In addition, we propose an effective method to further improve the robustness of neural text classifiers against such attacks and achieved the highest accuracy on both clean and adversarial examples on AGNEWS and IMDB datasets by a significant margin.

Lujia Bao,Kangfeng Zheng

DOI: https://doi.org/10.1109/iwecai55315.2022.00090

2022-01-01

Abstract:Adversarial attacks against language models have gained more and more attention in recent years, and various adversarial text generation models have been proposed. Chinese language models are more vulnerable to character-level tampering attacks due to the language nature. In this paper, we implement a set of white-box attack algorithms against Chinese text classification models, which significantly reduce the accuracy of multiple baseline models on multiple classification tasks while ensuring that one can recover the original utterance. We utilize follow strategies, and propose a paradigm to enhance the robustness of Chinese classification models: 1) generating adversarial text during training as a dynamic data augmentation, 2) introducing extra glyph and phonology information into Chinses language models.

Xin Chen,Shengwei Tian,Long Yu,Hongxu Ou,Bo Wang,Tiejun Zhou

DOI: https://doi.org/10.21203/rs.3.rs-2307347/v1

2022-01-01

Abstract:Abstract Compared with the research on adversarial examples on English data, there are few models for generating adversarial examples on Chinese data. Most of the Chinese adversarial examples are in a single form. Their fluency and attack accuracy are not well performed. In this paper, we propose MixAttacker that uses word-level and sentence-level perturbations in conjunction with each other to generate adversarial examples in Chinese texts. The model uses the masked language model WoBERT [1] to generate replacement words based on the Chinese word-level transformation, then selects one of the new sentences obtained by word replacement by merit, and finally, back translate this sentence. In addition, we propose sentence fluency evaluation to control the quality of adversarial examples more effectively. The experimental results show that our model achieves 75.50%, 69.00%, 46.00%, and 55.50% accuracy decrease on four datasets, respectively, ChnsentiCorp, Hotel, TUHCNews, and Weibo, with effective perturbation, semantic and fluency control.

Wangli Yang,Jie Yang,Yi Guo,Johan Barthelemy

2024-12-10

Abstract:The field of textual adversarial defenses has gained considerable attention in recent years due to the increasing vulnerability of natural language processing (NLP) models to adversarial attacks, which exploit subtle perturbations in input text to deceive models. This paper introduces the Defensive Dual Masking (DDM) algorithm, a novel approach designed to enhance model robustness against such attacks. DDM utilizes a unique adversarial training strategy where [MASK] tokens are strategically inserted into training samples to prepare the model to handle adversarial perturbations more effectively. During inference, potentially adversarial tokens are dynamically replaced with [MASK] tokens to neutralize potential threats while preserving the core semantics of the input. The theoretical foundation of our approach is explored, demonstrating how the selective masking mechanism strengthens the model's ability to identify and mitigate adversarial manipulations. Our empirical evaluation across a diverse set of benchmark datasets and attack mechanisms consistently shows that DDM outperforms state-of-the-art defense techniques, improving model accuracy and robustness. Moreover, when applied to Large Language Models (LLMs), DDM also enhances their resilience to adversarial attacks, providing a scalable defense mechanism for large-scale NLP applications.

Computation and Language,Artificial Intelligence

Xiaohu Du,Jie Yu,Shasha Li,Zibo Yi,Hai Liu,Jun Ma

DOI: https://doi.org/10.1109/ijcnn52387.2021.9533725

2021-01-01

Abstract:NLP models perform well on many tasks, but they are also easy to be fooled by adversarial examples. A small perturbation can change the output of the deep neural network model. This kind of perturbation is hard to be perceived by humans, especially adversarial examples generated by word-level adversarial attack. Character-level adversarial attack can be defended by grammar detection and word recognition. The existing word-level textual adversarial attacks are based on synonym replacement, so adversarial texts usually have correct grammar and semantics. The defense of word-level adversarial attack is more challenging. In this paper, we propose a framework which is called Robust Adversarial Training (RAT) to defend against word-level adversarial attacks. RAT enhances the model by combining adversarial training and data perturbation during training. Our experiments on two datasets show that the model based on our framework can effectively defend against word-level adversarial attacks. Compared with the existing defense methods, the model trained under RAT has a higher defense success rate on 1000 adversarial examples. In addition, the accuracy of our model on the standard testing set is also better than the existing defense methods, and the accuracy is very close to or even higher than that of the standard model.

Xi Cao,Nuo Qun,Quzong Gesang,Yulei Zhu,Trashi Nyima

DOI: https://doi.org/10.1145/3589335.3652503

2024-12-03

Abstract:In social media, neural network models have been applied to hate speech detection, sentiment analysis, etc., but neural network models are susceptible to adversarial attacks. For instance, in a text classification task, the attacker elaborately introduces perturbations to the original texts that hardly alter the original semantics in order to trick the model into making different predictions. By studying textual adversarial attack methods, the robustness of language models can be evaluated and then improved. Currently, most of the research in this field focuses on English, and there is also a certain amount of research on Chinese. However, there is little research targeting Chinese minority languages. With the rapid development of artificial intelligence technology and the emergence of Chinese minority language models, textual adversarial attacks become a new challenge for the information processing of Chinese minority languages. In response to this situation, we propose a multi-granularity Tibetan textual adversarial attack method based on masked language models called TSTricker. We utilize the masked language models to generate candidate substitution syllables or words, adopt the scoring mechanism to determine the substitution order, and then conduct the attack method on several fine-tuned victim models. The experimental results show that TSTricker reduces the accuracy of the classification models by more than 28.70% and makes the classification models change the predictions of more than 90.60% of the samples, which has an evidently higher attack effect than the baseline method.

Computation and Language,Cryptography and Security

Xiaohu Du,Zibo Yi,Shasha Li,Jun Ma,Jie Yu,Yusong Tan,Qinbo Wu

DOI: https://doi.org/10.1007/978-3-030-57884-8_37

2020-01-01

Abstract:In this paper, we propose a novel white-box attack against word-level CNN text classifier. On the one hand, we use an Euclidean distance and cosine distance combined metric to find the most semantically similar substitution when generating perturbations, which can effectively increase the attack success rate. We’ve increased global search success rate from 75.8% to 85.8%. On the other hand, we can control the dispersion of the location of the modified words in the adversarial examples by introducing the coefficient of variation(CV) factor, because greedy search sometimes has poor readability for the modified positions in adversarial examples are close. More dispersed modifications can increase human imperceptibility and text readability. We use the attack success rate to evaluate the validity of the attack method, and use CV value to measure the dispersion degree of the modified words in the generated adversarial examples. Finally, we use the combination of these two methods, which can increase the attack success rate and make modification positions in generated examples more dispersed.

Zhao Meng,Yihan Dong,Mrinmaya Sachan,Roger Wattenhofer

DOI: https://doi.org/10.48550/arXiv.2107.07610

2021-07-15

Computation and Language

Abstract:In this paper, we present an approach to improve the robustness of BERT language models against word substitution-based adversarial attacks by leveraging adversarial perturbations for self-supervised contrastive learning. We create a word-level adversarial attack generating hard positives on-the-fly as adversarial examples during contrastive learning. In contrast to previous works, our method improves model robustness without using any labeled data. Experimental results show that our method improves robustness of BERT against four different word substitution-based adversarial attacks, and combining our method with adversarial training gives higher robustness than adversarial training alone. As our method improves the robustness of BERT purely with unlabeled data, it opens up the possibility of using large text datasets to train robust language models against word substitution-based adversarial attacks.

Hui Liu,Yongzheng Zhang,Yipeng Wang,Zheng Lin,Yige Chen

DOI: https://doi.org/10.1609/AAAI.V34I05.6356

2020-01-01

Abstract:Text classification is a basic task in natural language processing, but the small character perturbations in words can greatly decrease the effectiveness of text classification models, which is called character-level adversarial example attack. There are two main challenges in character-level adversarial examples defense, which are out-of-vocabulary words in word embedding model and the distribution difference between training and inference. Both of these two challenges make the character-level adversarial examples difficult to defend. In this paper, we propose a framework which jointly uses the character embedding and the adversarial stability training to overcome these two challenges. Our experimental results on five text classification data sets show that the models based on our framework can effectively defend character-level adversarial examples, and our models can defend 93.19% gradient-based adversarial examples and 94.83% natural adversarial examples, which outperforms the state-of-the-art defense models.

Huijun Liu,Bin Ji,Jie Yu,Shasha Li,Jun Ma,Zibo Yi,Mengxue Du,Miaomiao Li,Jie Liu,Zeyao Mo

DOI: https://doi.org/10.1109/tkde.2023.3325315

IF: 9.235

2024-01-01

IEEE Transactions on Knowledge and Data Engineering

Abstract:Textual adversarial attacks expose the vulnerabilities of text classifiers and can be used to improve their robustness. Previous context-aware attack models suffer from several limitations. They generally rely on out-of-date substitutes, solely consider the gold label probability, and use the greedy search when generating adversarial examples, often limiting the attack efficiency. To tackle these issues, we propose MC-PDBS , a M ore C ontext-aware textual adversarial attack model using P robability D ifference-guided B eam S earch. MC-PDBS generates substitutes using the newest perturbed text sequences in each attack iteration, enabling the generation of more context-aware adversarial examples. The probability difference is an overall consideration of the probabilities of all class labels, which is more effective than the gold label probability in guiding the selection of attack paths. In addition, the beam search enables MC-PDBS to search attack paths from multiple search channels, thereby avoiding the limited search space problem. Extensive experiments and human evaluation demonstrate that MC-PDBS outperforms previous best models in a series of evaluation metrics, particularly bringing up to a +19.5% attack success rate. Extensive analyses further confirm the effectiveness of MC-PDBS.

Jiayi Wang,Rongzhou Bao,Zhuosheng Zhang,Hai Zhao

DOI: https://doi.org/10.48550/arXiv.2208.10251

2022-07-21

Computation and Language

Abstract:Although pre-trained language models (PrLMs) have achieved significant success, recent studies demonstrate that PrLMs are vulnerable to adversarial attacks. By generating adversarial examples with slight perturbations on different levels (sentence / word / character), adversarial attacks can fool PrLMs to generate incorrect predictions, which questions the robustness of PrLMs. However, we find that most existing textual adversarial examples are unnatural, which can be easily distinguished by both human and machine. Based on a general anomaly detector, we propose a novel metric (Degree of Anomaly) as a constraint to enable current adversarial attack approaches to generate more natural and imperceptible adversarial examples. Under this new constraint, the success rate of existing attacks drastically decreases, which reveals that the robustness of PrLMs is not as fragile as they claimed. In addition, we find that four types of randomization can invalidate a large portion of textual adversarial examples. Based on anomaly detector and randomization, we design a universal defense framework, which is among the first to perform textual adversarial defense without knowing the specific attack. Empirical results show that our universal defense framework achieves comparable or even higher after-attack accuracy with other specific defenses, while preserving higher original accuracy at the same time. Our work discloses the essence of textual adversarial attacks, and indicates that (1) further works of adversarial attacks should focus more on how to overcome the detection and resist the randomization, otherwise their adversarial examples would be easily detected and invalidated; and (2) compared with the unnatural and perceptible adversarial examples, it is those undetectable adversarial examples that pose real risks for PrLMs and require more attention for future robustness-enhancing strategies.

Hongxu Ou,Long Yu,Shengwei Tian,Xin Chen,Chen Shi,Bo Wang,Tiejun Zhou

DOI: https://doi.org/10.1007/s10115-023-01946-y

IF: 2.7

2023-08-10

Knowledge and Information Systems

Abstract:The generation methods of adversarial examples have been more explored on English data, while the research papers on Chinese adversarial examples are very limited. At the same time, the existing Chinese adversarial attack methods are often characterized by a single form of generation and not rich enough expression. And the attack effect of these methods still has room for improvement. Therefore, this paper proposes SentiAttack, a method to introduce 6 perturbations from two perspectives, according to the characteristics of Chinese. The 6 types of perturbation were obtained from both audiovisual deception (words with similar sound, Chinese characters with similar form, horizontal splitting of Chinese character and reverse order of adjacent Chinese characters within word) and contextualized generation (WoBERT-MLM (Su in Wobert: Word-based chinese bert model - zhuiyiai. Technical report, 2020. https://github.com/ZhuiyiTechnology/WoBERT) word generation and LongLM (Guan et al. in Trans Assoc Comput Linguist 10:434–451, 2022. https://doi.org/10.1162/tacl_a_00469) sentence-piece generation), respectively. In addition, a "fluency" metric is added to further measure the quality of the adversarial examples. We conducted experiments on five datasets (CH-SIMS 3, ChnSentiCorp, online shopping, waimai, and weibo8). With the effective constraints of semantic similarity, expression fluency and perturbation, we obtained 74.40%, 49.10%, 42.90%, 39.90% and 66.20% accuracy decrease, respectively.

computer science, information systems, artificial intelligence

Shufan Yang,Qianmu Li,Zhichao Lian,Pengchuan Wang,Jun Hou

DOI: https://doi.org/10.1007/978-981-99-8076-5_1

2024-01-01

Abstract:Backdoor attacks, which manipulate model output, have garnered significant attention from researchers. However, some existing word-level backdoor attack methods in NLP models are difficult to defend effectively due to their concealment and diversity. These covert attacks use two words that appear similar to the naked eye but will be mapped to different word vectors by the NLP model as a way of bypassing existing defenses. To address this issue, we propose incorporating triple metric learning into the standard training phase of NLP models to defend against existing word-level backdoor attacks. Specifically, metric learning is used to minimize the distance between vectors of similar words while maximizing the distance between them and vectors of other words. Additionally, given that metric learning may reduce a model’s sensitivity to semantic changes caused by subtle perturbations, we added contrastive learning after the model’s standard training. Experimental results demonstrate that our method performs well against the two most stealthy existing word-level backdoor attacks.