Adversarial Attacks on Deep Learning Models in Natural Language Processing: A Survey

Zhang, Wei Emma; Sheng, Quan Z.; Alhazmi, Ahoud; Li, Chenliang

doi:10.48550/arxiv.1901.06796

Cited by 22 publications

(20 citation statements)

References 96 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Since the TextCNN model has good performances and is quite fast, it is one of the most widely used methods for text classification task in industrial applications [34]. As we aim to attack models used in practice, we take the TextCNN model [13] as our targeted model.…”

Section: Targeted Modelmentioning

confidence: 99%

Generating Natural Language Adversarial Examples on a Large Scale with Generative Models

Ren,

Lin,

Tang

et al. 2020

Preprint

View full text Add to dashboard Cite

Today text classification models have been widely used. However, these classifiers are found to be easily fooled by adversarial examples. Fortunately, standard attacking methods generate adversarial texts in a pair-wise way, that is, an adversarial text can only be created from a real-world text by replacing a few words. In many applications, these texts are limited in numbers, therefore their corresponding adversarial examples are often not diverse enough and sometimes hard to read, thus can be easily detected by humans and cannot create chaos at a large scale. In this paper, we propose an end to end solution to efficiently generate adversarial texts from scratch using generative models, which are not restricted to perturbing the given texts. We call it unrestricted adversarial text generation. Specifically, we train a conditional variational autoencoder (VAE) with an additional adversarial loss to guide the generation of adversarial examples. Moreover, to improve the validity of adversarial texts, we utilize discrimators and the training framework of generative adversarial networks (GANs) to make adversarial texts consistent with real data. Experimental results on sentiment analysis demonstrate the scalability and efficiency of our method. It can attack text classification models with a higher success rate than existing methods, and provide acceptable quality for humans in the meantime.

show abstract

Section: Targeted Modelmentioning

confidence: 99%

Generating Natural Language Adversarial Examples on a Large Scale with Generative Models

Ren,

Lin,

Tang

et al. 2020

Preprint

View full text Add to dashboard Cite

show abstract

“…Adversarial attacks (Yuan et al, 2019) in all application areas including computer vision (Akhtar and Mian, 2018;Khrulkov and Oseledets, 2018), natural language processing (Zhang et al, 2019b;Morris et al, 2020), and graphs (Sun et al, 2018) seek to reveal non-robustness of deep learning models. An adversarial attack on a text classification model perturbs the input sentence in such a way that the deep learning model is fooled, while the perturbations adhere to certain constraints, utilising morphology or grammar patterns or semantic similarity.…”

Section: Introductionmentioning

confidence: 99%

A Differentiable Language Model Adversarial Attack on Text Classifiers

Fursov¹,

Zaytsev²,

Burnyshev³

et al. 2021

Preprint

View full text Add to dashboard Cite

Robustness of huge Transformer-based models for natural language processing is an important issue due to their capabilities and wide adoption. One way to understand and improve robustness of these models is an exploration of an adversarial attack scenario: check if a small perturbation of an input can fool a model.Due to the discrete nature of textual data, gradient-based adversarial methods, widely used in computer vision, are not applicable per se. The standard strategy to overcome this issue is to develop token-level transformations, which do not take the whole sentence into account.In this paper, we propose a new black-box sentence-level attack. Our method fine-tunes a pre-trained language model to generate adversarial examples. A proposed differentiable loss function depends on a substitute classifier score and an approximate edit distance computed via a deep learning model.We show that the proposed attack outperforms competitors on a diverse set of NLP problems for both computed metrics and human evaluation. Moreover, due to the usage of the finetuned language model, the generated adversarial examples are hard to detect, thus current models are not robust. Hence, it is difficult to defend from the proposed attack, which is not the case for other attacks.

show abstract

“…In recent years, the research and application of deep neural networks have become a prevalent domain within the academic field and a wide range of deep neural networks applications in solving real-world tasks have achieved good results, such as image classification [12] and natural language processing [29] as well as other fields. However, due to frequent and covert hacking activities, security and privacy of neural networks has gained attentions [5].…”

Section: Introductionmentioning

confidence: 99%

An Attention Score Based Attacker for Black-box NLP Classifier

Liu¹,

Lee²,

Cai³

2021

Preprint

View full text Add to dashboard Cite

Deep neural networks have a wide range of applications in solving various real-world tasks and have achieved satisfactory results, in domains such as computer vision, image classification, and natural language processing. Meanwhile, the security and robustness of neural networks have become imperative, as diverse researches have shown the vulnerable aspects of neural networks. Case in point, in Natural language processing tasks, the neural network may be fooled by an attentively modified text, which has a high similarity to the original one. As per previous research, most of the studies are focused on the image domain [4][18][27]; Different from image adversarial attacks, the text represents in a discrete sequence, traditional image attack methods are not applicable in the NLP field. In this paper, we propose a word-level NLP sentiment classifier attack model, which includes a self-attention mechanism-based word selection method and a greedy search algorithm for word substitution. We experiment with our attack model by attacking GRU and 1D-CNN victim models on IMDB datasets. Experimental results demonstrate that our model achieves a higher attack success rate and more efficient than previous methods due to the efficient word selection algorithms are employed and minimized the word substitute number. Also, our model is transferable, which can be used in the image domain with several modifications.

show abstract

Adversarial Attacks on Deep Learning Models in Natural Language Processing: A Survey

Cited by 22 publications

References 96 publications

Generating Natural Language Adversarial Examples on a Large Scale with Generative Models

Generating Natural Language Adversarial Examples on a Large Scale with Generative Models

A Differentiable Language Model Adversarial Attack on Text Classifiers

An Attention Score Based Attacker for Black-box NLP Classifier

Contact Info

Product

Resources

About