Xi Cao,Nuo Qun,Quzong Gesang,Yulei Zhu,Trashi Nyima

DOI: https://doi.org/10.1145/3589335.3652503

2024-12-03

Abstract:In social media, neural network models have been applied to hate speech detection, sentiment analysis, etc., but neural network models are susceptible to adversarial attacks. For instance, in a text classification task, the attacker elaborately introduces perturbations to the original texts that hardly alter the original semantics in order to trick the model into making different predictions. By studying textual adversarial attack methods, the robustness of language models can be evaluated and then improved. Currently, most of the research in this field focuses on English, and there is also a certain amount of research on Chinese. However, there is little research targeting Chinese minority languages. With the rapid development of artificial intelligence technology and the emergence of Chinese minority language models, textual adversarial attacks become a new challenge for the information processing of Chinese minority languages. In response to this situation, we propose a multi-granularity Tibetan textual adversarial attack method based on masked language models called TSTricker. We utilize the masked language models to generate candidate substitution syllables or words, adopt the scoring mechanism to determine the substitution order, and then conduct the attack method on several fine-tuned victim models. The experimental results show that TSTricker reduces the accuracy of the classification models by more than 28.70% and makes the classification models change the predictions of more than 90.60% of the samples, which has an evidently higher attack effect than the baseline method.

Computation and Language,Cryptography and Security

Hanyu Liu,Chengyuan Cai,Yanjun Qi

DOI: https://doi.org/10.48550/arXiv.2306.04874

2023-06-08

Computation and Language

Abstract:Recent studies have revealed that NLP predictive models are vulnerable to adversarial attacks. Most existing studies focused on designing attacks to evaluate the robustness of NLP models in the English language alone. Literature has seen an increasing need for NLP solutions for other languages. We, therefore, ask one natural question: whether state-of-the-art (SOTA) attack methods generalize to other languages. This paper investigates how to adapt SOTA adversarial attack algorithms in English to the Chinese language. Our experiments show that attack methods previously applied to English NLP can generate high-quality adversarial examples in Chinese when combined with proper text segmentation and linguistic constraints. In addition, we demonstrate that the generated adversarial examples can achieve high fluency and semantic consistency by focusing on the Chinese language's morphology and phonology, which in turn can be used to improve the adversarial robustness of Chinese NLP models.

Cheng Nuo,Guo-Qin Chang,Haichang Gao,Ge Pei,Yang Zhang

DOI: https://doi.org/10.1109/access.2020.2988786

IF: 3.9

2020-01-01

IEEE Access

Abstract:As an important carrier for disseminating information in the Internet Age, the text contains a large amount of information. In recent years, adversarial example attacks against text discrete domains have been received widespread attention. Deep neural network (DNN) produces opposite predictions by adding small perturbations to the text data. In this paper, we present "WordChange": an adversarial examples generation approach for Chinese text classification based on multiple modification strategies, and we evaluate the effectiveness of the method in sentiment analysis dataset and spam dataset. This method effectively locates important word positions by designing a keyword contribution algorithm. We first propose a "word-split" strategy to substitute keywords thatare designed by the structure and semantic property of Chinese texts. We also first apply "swap" and "insert" strategies on Chinese texts to generate adversarial examples. We further discuss the influence of multiple Chinese Word Segmentation tools and different text lengths on the proposed method, as well as the diversification of Chinese text modification strategies. Finally, the adversarial texts based on the long short-term memory network (LSTM) can be successfully transferred to other text classifiers and real-world applications.

Hongxu Ou,Long Yu,Shengwei Tian,Xin Chen

DOI: https://doi.org/10.1007/s10115-022-01652-1

IF: 2.7

2022-03-17

Knowledge and Information Systems

Abstract:Recent studies have shown that after adding small perturbations that are imperceptible to humans, deep neural networks (DNNs) with good performance and popular application are likely to produce incorrect results. These processed samples are called adversarial examples. High-quality adversarial examples help to increase the accuracy of estimating the robustness of the network model, thereby reducing the security risks behind the unreal high accuracy of the model. And there are few existing researches on Chinese texts in this field, therefore, this paper proposes a Chinese adversarial examples generation approach with multi-strategy based on semantic called GreedyAttack. Based on the analysis of the characteristics of the Chinese version, the ranking of the influence of each word in the text is obtained according to the calculation formula of the word importance with the weighted part-of-speech. Next, five strategies including synonymous words, similar words of form, similar words of sound, pinyin rewriting, and phrase disassembly are combined to replace the original words, and then, the black box attack on the DNNs models is completed. The method is evaluated by attacking the BERT and ERNIE models on three data sets. The results indicate that the adversarial examples generated by the method can effectively reduce the accuracy of the model.

computer science, information systems, artificial intelligence

Yankun Ren,Jianbin Lin,Siliang Tang,Jun Zhou,Shuang Yang,Yuan Qi,Xiang Ren

DOI: https://doi.org/10.3233/faia200340

2020-01-01

Abstract:Today text classification models have been widely used. However, these classifiers are found to be easily fooled by adversarial examples. Fortunately, standard attacking methods generate adversarial texts in a pair-wise way, that is, an adversarial text can only be created from a real-world text by replacing a few words. In many applications, these texts are limited in numbers, therefore their corresponding adversarial examples are often not diverse enough and sometimes hard to read, thus can be easily detected by humans and cannot create chaos at a large scale. In this paper, we propose an end to end solution to efficiently generate adversarial texts from scratch using generative models, which are not restricted to perturbing the given texts. We call it unrestricted adversarial text generation. Specifically, we train a conditional variational autoencoder (VAE) with an additional adversarial loss to guide the generation of adversarial examples. Moreover, to improve the validity of adversarial texts, we utilize discrimators and the training framework of generative adversarial networks (GANs) to make adversarial texts consistent with real data. Experimental results on sentiment analysis demonstrate the scalability and efficiency of our method. It can attack text classification models with a higher success rate than existing methods, and provide acceptable quality for humans in the meantime.

Xi Cao,Dolma Dawa,Nuo Qun,Trashi Nyima

DOI: https://doi.org/10.18653/v1/2023.trustnlp-1.4

2024-12-03

Abstract:The textual adversarial attack refers to an attack method in which the attacker adds imperceptible perturbations to the original texts by elaborate design so that the NLP (natural language processing) model produces false judgments. This method is also used to evaluate the robustness of NLP models. Currently, most of the research in this field focuses on English, and there is also a certain amount of research on Chinese. However, to the best of our knowledge, there is little research targeting Chinese minority languages. Textual adversarial attacks are a new challenge for the information processing of Chinese minority languages. In response to this situation, we propose a Tibetan syllable-level black-box textual adversarial attack called TSAttacker based on syllable cosine distance and scoring mechanism. And then, we conduct TSAttacker on six models generated by fine-tuning two PLMs (pre-trained language models) for three downstream tasks. The experiment results show that TSAttacker is effective and generates high-quality adversarial samples. In addition, the robustness of the involved models still has much room for improvement.

Computation and Language,Cryptography and Security

Jincheng Xu,Qingfeng Du

DOI: https://doi.org/10.1016/j.engappai.2020.103641

IF: 8

2020-06-01

Engineering Applications of Artificial Intelligence

Abstract:Adversarial examples are generated by adding infinitesimal perturbations to legitimate inputs so that incorrect predictions can be induced into deep learning models. They have received increasing attention recently due to their significant values in evaluating and improving the robustness of neural networks. While adversarial attack algorithms have achieved notable advancements in the continuous data of images, they cannot be directly applied for discrete symbols such as text, where all the semantic and syntactic constraints in languages are expected to be satisfied. In this paper, we propose a white-box adversarial attack algorithm, TextTricker, which supports both targeted and non-targeted attacks on text classification models. Our algorithm can be implemented in either a loss-based way, where word perturbations are performed according to the change in loss, or a gradient-based way, where the expected gradients are computed in the continuous embedding space to restrict the perturbations towards a certain direction. We perform extensive experiments on two publicly available datasets and three state-of-the-art text classification models to evaluate our algorithm. The empirical results demonstrate that TextTricker performs notably better than baselines in attack success rate. Moreover, we discuss various aspects of TextTricker in details to provide a deep investigation and offer suggestions for its practical use.

automation & control systems,computer science, artificial intelligence,engineering, electrical & electronic, multidisciplinary

Shengjun Liu,Ningkang Jiang,Yuanbin Wu

DOI: https://doi.org/10.48550/arXiv.2008.10356

2020-08-07

Abstract:Modifying characters of a piece of text to their visual similar ones often ap-pear in spam in order to fool inspection systems and other conditions, which we regard as a kind of adversarial attack to neural models. We pro-pose a way of generating such visual text attack and show that the attacked text are readable by humans but mislead a neural classifier greatly. We ap-ply a vision-based model and adversarial training to defense the attack without losing the ability to understand normal text. Our results also show that visual attack is extremely sophisticated and diverse, more work needs to be done to solve this.

Computer Vision and Pattern Recognition,Artificial Intelligence

Yiming Zhang,Chao Zhang,Donghong Sun,Zhou Li,Zihan Zhang,Haixin Duan,Qi Li,Mingxuan Liu

DOI: https://doi.org/10.1109/TDSC.2022.3164289

2023-03-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Natural language processing (NLP) models are known vulnerable to adversarial examples, similar to image processing models. Studying adversarial texts is an essential step to improve the robustness of NLP models. However, existing studies mainly focus on generating adversarial texts for English, with no prior knowledge that whether those attacks could be applied to Chinese. After analyzing the differences between Chinese and English, we propose a novel adversarial Chinese text generation solution Argot, by utilizing the method for adversarial English examples and several novel methods developed on Chinese characteristics. Argot could effectively and efficiently generate adversarial Chinese texts with good readability in both white-box and black-box settings. Argot could also automatically generate targeted Chinese adversarial texts, achieving a high success rate and ensuring the readability of the generated texts. Furthermore, we apply Argot to the spam detection task in both local detection models and a public toxic content detection system from a well-known security company. Argot achieves a relatively high bypass success rate with fluent readability, which proves that the real-world toxic content detection system is vulnerable to adversarial example attacks. We also evaluate some available defense strategies, and the results indicate that Argot can still achieve high attack success rates.

Computer Science

Hongxu Ou,Long Yu,Shengwei Tian,Xin Chen,Chen Shi,Bo Wang,Tiejun Zhou

DOI: https://doi.org/10.1007/s10115-023-01946-y

IF: 2.7

2023-08-10

Knowledge and Information Systems

Abstract:The generation methods of adversarial examples have been more explored on English data, while the research papers on Chinese adversarial examples are very limited. At the same time, the existing Chinese adversarial attack methods are often characterized by a single form of generation and not rich enough expression. And the attack effect of these methods still has room for improvement. Therefore, this paper proposes SentiAttack, a method to introduce 6 perturbations from two perspectives, according to the characteristics of Chinese. The 6 types of perturbation were obtained from both audiovisual deception (words with similar sound, Chinese characters with similar form, horizontal splitting of Chinese character and reverse order of adjacent Chinese characters within word) and contextualized generation (WoBERT-MLM (Su in Wobert: Word-based chinese bert model - zhuiyiai. Technical report, 2020. https://github.com/ZhuiyiTechnology/WoBERT) word generation and LongLM (Guan et al. in Trans Assoc Comput Linguist 10:434–451, 2022. https://doi.org/10.1162/tacl_a_00469) sentence-piece generation), respectively. In addition, a "fluency" metric is added to further measure the quality of the adversarial examples. We conducted experiments on five datasets (CH-SIMS 3, ChnSentiCorp, online shopping, waimai, and weibo8). With the effective constraints of semantic similarity, expression fluency and perturbation, we obtained 74.40%, 49.10%, 42.90%, 39.90% and 66.20% accuracy decrease, respectively.

computer science, information systems, artificial intelligence

Boxin Wang,Boyuan Pan,Xin Li,Bo Li

DOI: https://doi.org/10.48550/arXiv.2004.03742

2020-04-07

Computation and Language

Abstract:Recent advances in large-scale language representation models such as BERT have improved the state-of-the-art performances in many NLP tasks. Meanwhile, character-level Chinese NLP models, including BERT for Chinese, have also demonstrated that they can outperform the existing models. In this paper, we show that, however, such BERT-based models are vulnerable under character-level adversarial attacks. We propose a novel Chinese char-level attack method against BERT-based classifiers. Essentially, we generate "small" perturbation on the character level in the embedding space and guide the character substitution procedure. Extensive experiments show that the classification accuracy on a Chinese news dataset drops from 91.8% to 0% by manipulating less than 2 characters on average based on the proposed attack. Human evaluations also confirm that our generated Chinese adversarial examples barely affect human performance on these NLP tasks.

Lifan Yuan,Yichi Zhang,Yangyi Chen,Wei Wei

2023-06-08

Abstract:Despite recent success on various tasks, deep learning techniques still perform poorly on adversarial examples with small perturbations. While optimization-based methods for adversarial attacks are well-explored in the field of computer vision, it is impractical to directly apply them in natural language processing due to the discrete nature of the text. To address the problem, we propose a unified framework to extend the existing optimization-based adversarial attack methods in the vision domain to craft textual adversarial samples. In this framework, continuously optimized perturbations are added to the embedding layer and amplified in the forward propagation process. Then the final perturbed latent representations are decoded with a masked language model head to obtain potential adversarial samples. In this paper, we instantiate our framework with an attack algorithm named Textual Projected Gradient Descent (T-PGD). We find our algorithm effective even using proxy gradient information. Therefore, we perform the more challenging transfer black-box attack and conduct comprehensive experiments to evaluate our attack algorithm with several models on three benchmark datasets. Experimental results demonstrate that our method achieves overall better performance and produces more fluent and grammatical adversarial samples compared to strong baseline methods. The code and data are available at \url{<a class="link-external link-https" href="https://github.com/Phantivia/T-PGD" rel="external noopener nofollow">this https URL</a>}.

Computation and Language,Cryptography and Security,Machine Learning

Linyang Li,Yunfan Shao,Demin Song,Xipeng Qiu,Xuanjing Huang

DOI: https://doi.org/10.48550/arXiv.2012.14769

2020-12-29

Computation and Language

Abstract:Adversarial attacks in texts are mostly substitution-based methods that replace words or characters in the original texts to achieve success attacks. Recent methods use pre-trained language models as the substitutes generator. While in Chinese, such methods are not applicable since words in Chinese require segmentations first. In this paper, we propose a pre-train language model as the substitutes generator using sentence-pieces to craft adversarial examples in Chinese. The substitutions in the generated adversarial examples are not characters or words but \textit{'pieces'}, which are more natural to Chinese readers. Experiments results show that the generated adversarial samples can mislead strong target models and remain fluent and semantically preserved.

Linyang Li,Ruotian Ma,Qipeng Guo,Xiangyang Xue,Xipeng Qiu

DOI: https://doi.org/10.18653/v1/2020.emnlp-main.500

2020-01-01

Abstract:Adversarial attacks for discrete data (such as texts) have been proved significantly more challenging than continuous data (such as images) since it is difficult to generate adversarial samples with gradient-based methods. Current successful attack methods for texts usually adopt heuristic replacement strategies on the character or word level, which remains challenging to find the optimal solution in the massive space of possible combinations of replacements while preserving semantic consistency and language fluency. In this paper, we propose BERT-Attack, a high-quality and effective method to generate adversarial samples using pre-trained masked language models exemplified by BERT. We turn BERT against its fine-tuned models and other deep neural models in downstream tasks so that we can successfully mislead the target models to predict incorrectly. Our method outperforms state-of-theart attack strategies in both success rate and perturb percentage, while the generated adversarial samples are fluent and semantically preserved. Also, the cost of calculation is low, thus possible for large-scale generations. The code is available at https://github.com/LinyangLee/BERT- Attack.

Enhui Xu,Xiaolin Zhang,Yongping Wang,Shuai Zhang,Lixin Lu,Li Xu

DOI: https://doi.org/10.1109/access.2022.3157521

IF: 3.9

2022-01-01

IEEE Access

Abstract:Adversarial examples can evade the detection of text classification models based on Deep Neural Networks (DNNs), thus posing a potential security threat to the system. To address this problem, we propose an adversarial example defense method for Chinese text classification called WordRevert. The method first obtains the "positive text" containing the adversarial words by filtering the clauses that do not contribute to the current classification label. Then the detection network is combined with the position importance calculation function to achieve the detection of the adversarial words. Finally, the adversarial words are restored to the original words by calculating the candidate score and the detection score. The experiments show that the current popular Chinese text adversarial attack algorithms can be effectively defended by this method, and achieve a significant increase in the accuracy of the adversarial examples with a small reduction in the classification accuracy of clean samples while achieving better precision, recall, and F1 value of adversarial word detection and restoration.

computer science, information systems,telecommunications,engineering, electrical & electronic

Haoran Fu,Chundong Wang,Jiaqi Sun,Yumeng Zhao,Hao Lin,Junqing Sun,Baixue Zhang

DOI: https://doi.org/10.1016/j.cogsys.2023.101179

IF: 4.541

2023-11-01

Cognitive Systems Research

Abstract:Although natural language processing technology has shown strong performance in many tasks, it is very vulnerable to adversarial examples, i.e., sentences with some small perturbations can fool AI models. Current adversarial texts for English are usually generated by finding substitute words in adjacent spaces of keyword vectors. Unlike English, Chinese is more discrete and has a more complex font structure, which words that are closer in vector spaces may differ greatly in physical structure. Therefore, adversarial examples generated by current methods possess lower quality and can be easily perceived by human, or rather, they are not suitable for the human cognitive system. In this paper, we propose the "WordIllusion", a new detectable black-box algorithm used for generating Chinese adversarial texts. In this method, we create a CKSF evaluation indicator to select the key words of sentences. And then, based on the shape bias of human cognitive system and the rectification understanding to create replacement spaces of key words. To verify the effectiveness of WordIllusion, we experiment with two types of text classification tasks by using six natural language processing models. The result indicates that our method is able to improve the accuracy rate efficiently, and the generated adversarial texts can be very misleading.

psychology, experimental,neurosciences,computer science, artificial intelligence

Boxin Wang,Chejian Xu,Xiangyu Liu,Yu Cheng,Bo Li

DOI: https://doi.org/10.48550/arXiv.2205.01287

2022-06-11

Abstract:Recent studies show that pre-trained language models (LMs) are vulnerable to textual adversarial attacks. However, existing attack methods either suffer from low attack success rates or fail to search efficiently in the exponentially large perturbation space. We propose an efficient and effective framework SemAttack to generate natural adversarial text by constructing different semantic perturbation functions. In particular, SemAttack optimizes the generated perturbations constrained on generic semantic spaces, including typo space, knowledge space (e.g., WordNet), contextualized semantic space (e.g., the embedding space of BERT clusterings), or the combination of these spaces. Thus, the generated adversarial texts are more semantically close to the original inputs. Extensive experiments reveal that state-of-the-art (SOTA) large-scale LMs (e.g., DeBERTa-v2) and defense strategies (e.g., FreeLB) are still vulnerable to SemAttack. We further demonstrate that SemAttack is general and able to generate natural adversarial texts for different languages (e.g., English and Chinese) with high attack success rates. Human evaluations also confirm that our generated adversarial texts are natural and barely affect human performance. Our code is publicly available at <a class="link-external link-https" href="https://github.com/AI-secure/SemAttack" rel="external noopener nofollow">this https URL</a>.

Computation and Language

Jinfeng Li,Tianyu Du,Shouling Ji,Rong Zhang,Quan Lu,Min Yang,Ting Wang

2020-01-01

Abstract:Text-based toxic content detection is an important tool for reducing harmful interactions in online social media environments. Yet, its underlying mechanism, deep learning-based text classification (DLTC), is inherently vulnerable to maliciously crafted adversarial texts. To mitigate such vulnerabilities, intensive research has been conducted on strengthening English-based DLTC models. However, the existing defenses are not effective for Chinese-based DLTC models, due to the unique sparseness, diversity, and variation of the Chinese language. In this paper, we bridge this striking gap by presenting TEXTSHIELD, a new adversarial defense framework specifically designed for Chinese-based DLTC models. TEXTSHIELD differs from previous work in several key aspects: (i) generic - it applies to any Chinese-based DLTC models without requiring re-training; (ii) robust - it significantly reduces the attack success rate even under the setting of adaptive attacks; and (iii) accurate - it has little impact on the performance of DLTC models over legitimate inputs. Extensive evaluations show that it outperforms both existing methods and the industry-leading platforms. Future work will explore its applicability in broader practical tasks.

Yuan Zang,Chenghao Yang,Fanchao Qi,Zhiyuan Liu,Meng Zhang,Qun Liu,Maosong Sun

2019-01-01

Abstract:Adversarial attacks are carried out to reveal the vulnerability of deep neural networks. Textual adversarial attacking is challenging because text is discrete and a small perturbation can bring significant change to the original input. Word-level attacking, which can be regarded as a combinatorial optimization problem, is a well-studied class of textual attack methods. However, existing word-level attack models are far from perfect, largely because unsuitable search space reduction methods and inefficient optimization algorithms are employed. In this paper, we propose a novel attack model, which incorporates the sememe-based word substitution method and particle swarm optimization-based search algorithm to solve the two problems separately. We conduct exhaustive experiments to evaluate our attack model by attacking BiLSTM and BERT on three benchmark datasets. Experimental results demonstrate that our model consistently achieves much higher attack success rates and crafts more high-quality adversarial examples as compared to baseline methods. Also, further experiments show our model has higher transferability and can bring more robustness enhancement to victim models by adversarial training. All the code and data of this paper can be obtained on this https URL.