Han Liu,Zhi Xu,Xiaotong Zhang,Xiaoming Xu,Feng Zhang,Fenglong Ma,Hongyang Chen,Hong Yu,Xianchao Zhang

DOI: https://doi.org/10.1609/aaai.v37i11.26553

2023-01-01

Proceedings of the AAAI Conference on Artificial Intelligence

Abstract:Hard-label textual adversarial attack is a challenging task, as only the predicted label information is available, and the text space is discrete and non-differentiable. Relevant research work is still in fancy and just a handful of methods are proposed. However, existing methods suffer from either the high complexity of genetic algorithms or inaccurate gradient estimation, thus are arduous to obtain adversarial examples with high semantic similarity and low perturbation rate under the tight-budget scenario. In this paper, we propose a simple and sweet paradigm for hard-label textual adversarial attack, named SSPAttack. Specifically, SSPAttack first utilizes initialization to generate an adversarial example, and removes unnecessary replacement words to reduce the number of changed words. Then it determines the replacement order and searches for an anchor synonym, thus avoiding going through all the synonyms. Finally, it pushes substitution words towards original words until an appropriate adversarial example is obtained. The core idea of SSPAttack is just swapping words whose mechanism is simple. Experimental results on eight benchmark datasets and two real-world APIs have shown that the performance of SSPAttack is sweet in terms of similarity, perturbation rate and query efficiency.

Zhaorong Liu,Xi Xiong,Yuanyuan Li,Yan Yu,Jiazhong Lu,Shuai Zhang,Fei Xiong

DOI: https://doi.org/10.1016/j.neunet.2024.106461

Abstract:Hard-label black-box textual adversarial attacks present a highly challenging task due to the discrete and non-differentiable nature of text data and the lack of direct access to the model's predictions. Research in this issue is still in its early stages, and the performance and efficiency of existing methods has potential for improvement. For instance, exchange-based and gradient-based attacks may become trapped in local optima and require excessive queries, hindering the generation of adversarial examples with high semantic similarity and low perturbation under limited query conditions. To address these issues, we propose a novel framework called HyGloadAttack (adversarial Attacks via Hybrid optimization and Global random initialization) for crafting high-quality adversarial examples. HyGloadAttack utilizes a perturbation matrix in the word embedding space to find nearby adversarial examples after global initialization and selects synonyms that maximize similarity while maintaining adversarial properties. Furthermore, we introduce a gradient-based quick search method to accelerate the search process of optimization. Extensive experiments on five datasets of text classification and natural language inference, as well as two real APIs, demonstrate the significant superiority of our proposed HyGloadAttack method over state-of-the-art baseline methods.

Xiangge Li,Hong Luo,Yan Sun

DOI: https://doi.org/10.3390/app14093831

2024-01-01

Abstract:Existing textual attacks mostly perturb keywords in sentences to generate adversarial examples by relying on the prediction confidence of victim models. In practice, attackers can only access the prediction label, meaning that the victim model can easily defend against such hard-label attacks by denying access based on the attack’s frequency. In this paper, we propose an efficient hard-label attack approach, called WordBlitz. First, based on the adversarial transferability, we train a substitute model to initialize the attack parameter set, including a candidate pool and two weight tables of keywords and candidate words. Then, adversarial examples are generated and optimized under the guidance of the two weight tables. During optimization, we design a hybrid local search algorithm with word importance to find the globally optimal solution while updating the two weight tables according to the attack results. Finally, the non-adversarial text generated during perturbation optimization is added to the training of the substitute model as data augmentation to improve the adversarial transferability. Experimental results show that WordBlitz surpasses the baseline in terms of better effectiveness, higher efficiency, and lower cost. Its efficiency is especially pronounced in scenarios with broader search spaces, and its attack success rate on a Chinese dataset is higher than on baselines.

Zhen Yu,Xiaosen Wang,Wanxiang Che,Kun He

DOI: https://doi.org/10.48550/arXiv.2201.08193

2022-01-20

Computation and Language

Abstract:Existing textual adversarial attacks usually utilize the gradient or prediction confidence to generate adversarial examples, making it hard to be deployed in real-world applications. To this end, we consider a rarely investigated but more rigorous setting, namely hard-label attack, in which the attacker can only access the prediction label. In particular, we find we can learn the importance of different words via the change on prediction label caused by word substitutions on the adversarial examples. Based on this observation, we propose a novel adversarial attack, termed Text Hard-label attacker (TextHacker). TextHacker randomly perturbs lots of words to craft an adversarial example. Then, TextHacker adopts a hybrid local search algorithm with the estimation of word importance from the attack history to minimize the adversarial perturbation. Extensive evaluations for text classification and textual entailment show that TextHacker significantly outperforms existing hard-label attacks regarding the attack performance as well as adversary quality.

Han Liu,Zhi Xu,Xiaotong Zhang,Feng Zhang,Fenglong Ma,Hongyang Chen,Hong Yu,Xianchao Zhang

2024-02-02

Abstract:Black-box hard-label adversarial attack on text is a practical and challenging task, as the text data space is inherently discrete and non-differentiable, and only the predicted label is accessible. Research on this problem is still in the embryonic stage and only a few methods are available. Nevertheless, existing methods rely on the complex heuristic algorithm or unreliable gradient estimation strategy, which probably fall into the local optimum and inevitably consume numerous queries, thus are difficult to craft satisfactory adversarial examples with high semantic similarity and low perturbation rate in a limited query budget. To alleviate above issues, we propose a simple yet effective framework to generate high quality textual adversarial examples under the black-box hard-label attack scenarios, named HQA-Attack. Specifically, after initializing an adversarial example randomly, HQA-attack first constantly substitutes original words back as many as possible, thus shrinking the perturbation rate. Then it leverages the synonym set of the remaining changed words to further optimize the adversarial example with the direction which can improve the semantic similarity and satisfy the adversarial condition simultaneously. In addition, during the optimizing procedure, it searches a transition synonym word for each changed word, thus avoiding traversing the whole synonym set and reducing the query number to some extent. Extensive experimental results on five text classification datasets, three natural language inference datasets and two real-world APIs have shown that the proposed HQA-Attack method outperforms other strong baselines significantly.

Computation and Language,Artificial Intelligence

Guanghao Zhou,Panjia Qiu,Mingyuan Fan,Cen Chen,Yaliang Li,Wenmeng Zhou

DOI: https://doi.org/10.1145/3627673.3679640

2024-01-01

Abstract:Textual adversarial attack in black-box scenarios is a challenging task, as only the predicted label is available, and the text space is discrete and non-differentiable. Current research in this area is still in its infancy and mostly focuses on untargeted attack, lacking the capability to control the labels of the generated adversarial examples. Meanwhile, existing textual adversarial attack methods primarily rely on word substitution operations to maintain semantic similarity between the adversarial and original examples, which greatly limits the search space for adversarial examples. To address these issues, we propose a novel Lexical-Syntactic Targeted Adversarial Attack method tailored for the black-box settings, referred to as LST2A. Our approach involves adversarial perturbations at different levels of granularities, i.e., word-level with word substitution operations and syntactic-level through rewriting the syntax of the examples. Specifically, we first embed the entire text into the embedding layer of a masked language model, and then optimize perturbations at the word level within the hidden state to generate adversarial examples with the target label. For examples that are difficult to attack successfully with only word-level perturbations at higher semantic similarity thresholds, we leverage Large Language Model (LLM) to introduce syntactic-level perturbations to these examples, making them more vulnerable to the decision boundary of the victim model. Subsequently, we re-optimize the word-level perturbations for these vulnerable examples. Extensive experiments and human evaluations demonstrate that our proposed method consistently outperforms the state-of-the-art baselines, crafting smoother, more grammatically correct adversarial examples.

Xiaosen Wang,Yichen Yang,Yihe Deng,Kun He

DOI: https://doi.org/10.1609/aaai.v35i16.17648

2021-01-01

Proceedings of the AAAI Conference on Artificial Intelligence

Abstract:Adversarial training is the most empirically successful approach in improving the robustness of deep neural networks for image classification. For text classification, however, existing synonym substitution based adversarial attacks are effective but not very efficient to be incorporated into practical text adversarial training. Gradient-based attacks, which are very efficient for images, are hard to be implemented for synonym substitution based text attacks due to the lexical, grammatical and semantic constraints and the discrete text input space. Thereby, we propose a fast text adversarial attack method called Fast Gradient Projection Method (FGPM) based on synonym substitution, which is about 20 times faster than existing text attack methods and could achieve similar attack performance. We then incorporate FGPM with adversarial training and propose a text defense method called Adversarial Training with FGPM enhanced by Logit pairing (ATFL). Experiments show that ATFL could significantly improve the model robustness and block the transferability of adversarial examples.

Muchao Ye,Jinghui Chen,Chenglin Miao,Han Liu,Ting Wang,Fenglong Ma

DOI: https://doi.org/10.1145/3580305.3599461

2023-01-01

Abstract:Despite a plethora of prior explorations, conducting text adversarial attacks in practical settings is still challenging with the following constraints: black box -- the inner structure of the victim model is unknown; hard label -- the attacker only has access to the top-1 prediction results; and semantic preservation - the perturbation needs to preserve the original semantics. In this paper, we present PAT, a novel adversarial attack method employed under all these constraints. Specifically, PAT explicitly models the adversarial and non-adversarial prototypes and incorporates them to measure semantic changes for replacement selection in the hard-label black-box setting to generate high-quality samples. In each iteration, PAT finds original words that can be replaced back and selects better candidate words for perturbed positions in a geometry-aware manner guided by this estimation, which maximally improves the perturbation construction and minimally impacts the original semantics. Extensive evaluation with benchmark datasets and state-of-the-art models shows that PAT outperforms existing text adversarial attacks in terms of both attack effectiveness and semantic preservation. Moreover, we validate the efficacy of PAT against industry-leading natural language processing platforms in real-world settings.

Hao Peng,Shixin Guo,Dandan Zhao,Xuhong Zhang,Jianmin Han,Shouling Ji,Xing Yang,Ming Zhong

DOI: https://doi.org/10.1109/tdsc.2023.3339802

2024-01-01

Abstract:Designing a query-efficient attack strategy to generate high-quality adversarial examples under the hard-label black-box setting is a fundamental yet challenging problem, especially in natural language processing (NLP). The process of searching for adversarial examples has many uncertainties (e.g., an unknown impact on the target model's prediction of the added perturbation) when confidence scores cannot be accessed, which must be compensated for with a large number of queries. To address this issue, we propose TextCheater, a decision-based metaheuristic search method that performs a query-efficient textual adversarial attack task by prohibiting invalid searches. The strategies of multiple initialization points and Tabu search are also introduced to keep the search process from falling into a local optimum. We apply our approach to three state-of-the-art language models (i.e., BERT, wordLSTM, and wordCNN) across six benchmark datasets and eight real-world commercial sentiment analysis platforms/models. Furthermore, we evaluate the Robustly optimized BERT pretraining Approach (RoBERTa) and models that enhance their robustness by adversarial training on toxicity detection and text classification tasks. The results demonstrate that our method minimizes the number of queries required for crafting plausible adversarial text while outperforming existing attack methods in the attack success rate, fluency of output sentences, and similarity between the original text and its adversary.

Xiaosen Wang,Yichen Yang,Yihe Deng,Kun He

2020-01-01

Abstract:Adversarial training is the most empirically successful approach in improving the robustness of deep neural networks for image classification.For text classification, however, existing synonym substitution based adversarial attacks are effective but not efficient to be incorporated into practical text adversarial training. Gradient-based attacks, which are very efficient for images, are hard to be implemented for synonym substitution based text attacks due to the lexical, grammatical and semantic constraints and the discrete text input space. Thereby, we propose a fast text adversarial attack method called Fast Gradient Projection Method (FGPM) based on synonym substitution, which is about 20 times faster than existing text attack methods and could achieve similar attack performance. We then incorporate FGPM with adversarial training and propose a text defense method called Adversarial Training with FGPM enhanced by Logit pairing (ATFL). Experiments show that ATFL could significantly improve the model robustness and block the transferability of adversarial examples.

Hai Zhu,Zhaoqing Yang,Weiwei Shang,Yuren Wu

2024-01-10

Abstract:Natural language processing models are vulnerable to adversarial examples. Previous textual adversarial attacks adopt gradients or confidence scores to calculate word importance ranking and generate adversarial examples. However, this information is unavailable in the real world. Therefore, we focus on a more realistic and challenging setting, named hard-label attack, in which the attacker can only query the model and obtain a discrete prediction label. Existing hard-label attack algorithms tend to initialize adversarial examples by random substitution and then utilize complex heuristic algorithms to optimize the adversarial perturbation. These methods require a lot of model queries and the attack success rate is restricted by adversary initialization. In this paper, we propose a novel hard-label attack algorithm named LimeAttack, which leverages a local explainable method to approximate word importance ranking, and then adopts beam search to find the optimal solution. Extensive experiments show that LimeAttack achieves the better attacking performance compared with existing hard-label attack under the same query budget. In addition, we evaluate the effectiveness of LimeAttack on large language models, and results indicate that adversarial examples remain a significant threat to large language models. The adversarial examples crafted by LimeAttack are highly transferable and effectively improve model robustness in adversarial training.

Computation and Language

Hao Peng,Zhe Wang,Dandan Zhao,Yiming Wu,Jianming Han,Shixin Guo,Shouling Ji,Ming Zhong

DOI: https://doi.org/10.1016/j.jksuci.2023.03.017

IF: 9.006

2023-01-01

Journal of King Saud University - Computer and Information Sciences

Abstract:Deep neural networks that play a pivotal role in fields such as images, text, and audio are vulnerable to adversarial attacks. In current textual adversarial attacks, the vast majority are configured with a black-box soft-label which is achieved by the gradient information or confidence of the model. Therefore, it becomes challenging and realistic to implement adversarial attacks using only the predicted top labels of the hard-label model. Existing methods to implement hard-label adversarial attacks use population-based genetic optimization algorithms. However, this approach requires significant query consumption, which is a considerable shortcoming. To solve this problem, we propose a new textual black-box hard-label adversarial attack algorithm based on the idea of differential evolution of populations, called the text-based differential evolution (TDE) algorithm. First, the method will judge the importance of the words of the initial rough adversarial examples, according to which only the keywords in the text sentence will be operated, and the rest of the words will be gradually replaced with the original words so as to reduce the words in the sentence in which the replacement occurs. Our method judges the quality of semantic similarity of the adversarial examples in the replacement process and deposits high-quality adversarial example individuals into the population. Secondly, the optimization process of adversarial examples is combined and optimized according to the word importance. Compared with existing methods based on genetic algorithm guidance, our method avoids a large number of meaningless repetitive queries and significantly improves the overall attack efficiency of the algorithm and the semantic quality of the generated adversarial examples. We experimented with multiple datasets on three text tasks of sentiment classification, natural language inference, and toxic comment, and also perform experimental comparisons on models and APIs in realistic scenarios. For example, in the Google Cloud commercial API adversarial attack experiment, compared to the existing hard-label method, our method reduces the average number of queries required for the attack from 6986 to 176, and increases semantic similarity from 0.844 to 0.876. It is shown through extensive experimental data that our approach not only significantly reduces the number of queries, but also significantly outperforms existing methods in terms of the quality of adversarial examples.

Yupeng Qi,Xinghao Yang,Baodi Liu,Kai Zhang,Weifeng Liu

DOI: https://doi.org/10.1016/j.neucom.2024.127667

IF: 6

2024-01-01

Neurocomputing

Abstract:Natural Language Processing (NLP) models are known vulnerable to adversarial text attacks. Various word-level attacks have been proposed to modify input words by a pre-calculated word saliency order or the heuristic optimization algorithm. However, the predefined fixed order usually leads to a low attack success ratio, and the heuristic algorithm is often inefficient due to many model queries. In this paper, an Adaptive Gradient-based Word Saliency (AGWS) is proposed to improve the query-efficiency and simultaneously preserve a high attack success ratio for the word-level adversarial text attack. Firstly, the AGWS calculates the word saliency with a one-time gradient to all words instead of iterative queries, so the query-efficiency is enhanced. Secondly, the AGWS adaptively updates the word saliency via the variable neighborhood search algorithm to avoid the fixed modification order, which is significant in improving the attack success ratio. Additionally, the AGWS collect substitutes with a hybrid sememe and synonym strategy to enlarge adversary options. Extensive experiments and ablation studies manifest that the AGWS achieves the highest or second highest attack success ratio with lowest word perturbation percentage and improves the query-efficiency compared with baselines. Besides, the AGWS also shows superiorities in adversarial training and transferability.

Xiangzhe Guo,Ruidan Su,Shikui Tu,Lei Xu

DOI: https://doi.org/10.1007/978-981-99-1639-9_32

2022-01-01

Abstract:Adversarial attacks can help to reveal the vulnerability of neural networks. In the text classification domain, synonym replacement is an effective way to generate adversarial examples. However, the number of replacement combinations grows exponentially with the text length, making the search difficult. In this work, we propose an attack method which combines a synonym selection network and search strategies of beam search and Monte Carlo tree search (MCTS). The synonym selection network learns the patterns of synonyms which have high attack effect. We combine the network with beam search to gain a broader view by multiple search paths, and with MCTS to gain a deeper view by the exploration feedback, so as to effectively avoid local optimum. We evaluate our method with four datasets in a challenging black box setting which requires no access to the victim model’s parameters. Experimental results show that our method can generate high-quality adversarial examples with higher attack success rate and fewer number of victim model queries, and further experiments show that our method has higher transferability on the victim models. The code and data can be obtained via https://github.com/CMACH508/SearchTextualAdversarialExamples .

Guoqin Chang,Haichang Gao,Zhou Yao,Haoquan Xiong

DOI: https://doi.org/10.1016/j.neucom.2023.01.071

IF: 6

2023-01-01

Neurocomputing

Abstract:Adversarial examples greatly compromise the security of deep learning models. The key to improving the robustness of a natural language processing (NLP) model is to study attacks and defenses involving adver-sarial text. However, the current adversarial attack methods still face problems, such as the low success rates of attacks on some datasets, and the existing defense methods can already successfully defend against some attack methods. As a result, such attacks are unable to dig deeper into the flaws of NLP mod-els to inform further defense improvements. Hence, it is necessary to design an adversarial attack method with a wider attack range and stronger performance. Aiming at the advantages and disadvantages of existing methods, this paper proposes a new adaptive black-box text adversarial example generation scheme, TextGuise. First, we design a keyword selection method in which word scores are calculated by combining context semantics to select the appropriate keywords to modify. Second, to maintain semantics, new keyword substitution rules are designed in combination with the characteristics of text and popular text expressions. Finally, the best modification strategy is adaptively selected through a querying model to reduce the magnitudes of disturbances. TextGuise can automatically select replace-ment keywords and replacement strategies that efficiently generate adversarial examples with good readability for various text classification tasks. Attack experiments conducted with TextGuise on 5 data -sets yield high attack success rates that can surpass 80% when the perturbation ratio does not exceed 0.2. In addition, we present and discuss experiments focusing on defense, text similarity, query times, time consumption, etc., to test the attack performance of TextGuise. The results show that our attack method can achieve a good balance among various metrics.(c) 2023 Elsevier B.V. All rights reserved.

Xiaoyan Xia,Wei Xue,Pengcheng Wan,Hui Zhang,Xinyu Wang,Zhiting Zhang

DOI: https://doi.org/10.1007/978-981-99-2287-1_98

2023-01-01

Abstract:Deep neural network is sensitive to adversarial samples that crafted by adding imperceptible perturbations to original images, and many methods of generating adversarial samples have emerged. Although existing methods based on gradient direction have good attack performance, some ill-conditioned issues may reduce their performance on occasion. In this paper, we propose a novel attack method based on three-terms conjugate gradient direction, which is effectively for improving this limitation, and its is named as fast conjugate gradient sign method (FCGSM). The proposed method FCGSM can jump from the local maximum during the process of finding the maximum value of loss function, thus generating more adversarial samples than the SOTA methods APGD and ACG. Experiments conducted on two benchmark datasets show that the FCGSM works well in attacking deep neural network-based classification models.

Xiangzhe Guo,Shikui Tu,Lei Xu

DOI: https://doi.org/10.1007/978-3-031-15919-0_17

2022-01-01

Abstract:Word substitution based textual adversarial attack is actually a combinatorial optimization problem. Existing greedy search methods are time-consuming due to extensive unnecessary victim model calls in word ranking and substitution. In this work, we propose a learnable attack method which uses neural networks to guide the greedy search to reduce victim model calls. Specifically, we use one network to predict the importance of each word, without accessing the victim model. It avoids the victim model calls proportional to the length of the text, which may be in hundreds. Moreover, we use the other network to score each substitute word for a specific substitute position and filter out the attack-inefficient and out-of-context ones, so as to reduce substitution attempts. We evaluate our method on sentiment analysis, natural language inference and paraphrase identification tasks. Experimental results show that our method can achieve higher attack success rate and adversarial example quality than the baseline methods, while requiring less computation overhead. The code is public at https://github.com/CMACH508/PredictiveTextualAttack.

Xu Han,Qiang Li,Hongbo Cao,Lei Han,Bin Wang,Xuhua Bao,Yufei Han,Wei Wang

DOI: https://doi.org/10.1016/j.cose.2024.103817

IF: 5.105

2024-03-28

Computers & Security

Abstract:The advent of Machine Learning as a Service (MLaaS) and deep learning applications has increased the susceptiblility of models to adversarial textual attacks, particularly in black-box settings. Prior work on black-box adversarial textual attacks generally follows a stable strategy that involves leveraging char-level, world-level, and sentence-level perturbations, as well as using queries to the target model to find adversarial examples in the search space. However, existing approaches prioritize query efficiency by reducing the search space, thereby overlooking hard-to-attack textual instances. To address this issue, we propose BFS2Adv , a brute force algorithm that generates adversarial examples for both easy-to-attack and hard-to-attack textual inputs. BFS2Adv, starting with an original text, employs word-level perturbations and synonym substitution to construct a comprehensive search space, with each node representing a potential adversarial example. The algorithm systematically explores this space through a breadth-first search, combined with queries to the target model, to effectively identify qualified adversarial examples. We implemented and evaluated a prototype of BFS2Adv against renowned models such as ALBERT and BERT, utilizing the SNLI and MR datasets. Our results demonstrate that BFS2Adv outperforms state-of-the-art algorithms and effectively improves the success rate of short-text adversarial attacks. Furthermore, we provide detailed insights into the robustness of BFS2Adv by analyzing those hard-to-attack examples.

computer science, information systems

Yuan Zang,Chenghao Yang,Fanchao Qi,Zhiyuan Liu,Meng Zhang,Qun Liu,Maosong Sun

2019-01-01

Abstract:Adversarial attacks are carried out to reveal the vulnerability of deep neural networks. Textual adversarial attacking is challenging because text is discrete and a small perturbation can bring significant change to the original input. Word-level attacking, which can be regarded as a combinatorial optimization problem, is a well-studied class of textual attack methods. However, existing word-level attack models are far from perfect, largely because unsuitable search space reduction methods and inefficient optimization algorithms are employed. In this paper, we propose a novel attack model, which incorporates the sememe-based word substitution method and particle swarm optimization-based search algorithm to solve the two problems separately. We conduct exhaustive experiments to evaluate our attack model by attacking BiLSTM and BERT on three benchmark datasets. Experimental results demonstrate that our model consistently achieves much higher attack success rates and crafts more high-quality adversarial examples as compared to baseline methods. Also, further experiments show our model has higher transferability and can bring more robustness enhancement to victim models by adversarial training. All the code and data of this paper can be obtained on this https URL.

Lifan Yuan,Yichi Zhang,Yangyi Chen,Wei Wei

2023-06-08

Abstract:Despite recent success on various tasks, deep learning techniques still perform poorly on adversarial examples with small perturbations. While optimization-based methods for adversarial attacks are well-explored in the field of computer vision, it is impractical to directly apply them in natural language processing due to the discrete nature of the text. To address the problem, we propose a unified framework to extend the existing optimization-based adversarial attack methods in the vision domain to craft textual adversarial samples. In this framework, continuously optimized perturbations are added to the embedding layer and amplified in the forward propagation process. Then the final perturbed latent representations are decoded with a masked language model head to obtain potential adversarial samples. In this paper, we instantiate our framework with an attack algorithm named Textual Projected Gradient Descent (T-PGD). We find our algorithm effective even using proxy gradient information. Therefore, we perform the more challenging transfer black-box attack and conduct comprehensive experiments to evaluate our attack algorithm with several models on three benchmark datasets. Experimental results demonstrate that our method achieves overall better performance and produces more fluent and grammatical adversarial samples compared to strong baseline methods. The code and data are available at \url{<a class="link-external link-https" href="https://github.com/Phantivia/T-PGD" rel="external noopener nofollow">this https URL</a>}.

Computation and Language,Cryptography and Security,Machine Learning