Gradient-based adversarial attacks on categorical sequence models via traversing an embedded world

Fursov, Ivan; Zaytsev, Alexey; Kluchnikov, Nikita; Кравченко, А. В.; Burnaev, Evgeny

doi:10.48550/arxiv.2003.04173

Cited by 2 publications

(4 citation statements)

References 30 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We compare this scenario to a more dangerous but less realistic white-box attack. This setting is close to works such as [9] for NLP and [22] for CV models.…”

Section: Introductionsupporting

confidence: 68%

“…The scheme of such attack is in Figure 4. Replacement and concatenation attacks Sampling Fool (SF) [9]. It uses a trained Masked Language Model (MLM) [5], to sample from a categorical distribution new tokens to replace random masked tokens.…”

Section: Attack Methodsmentioning

confidence: 99%

“…Adversarial attacks and defences from them are of crucial importance in financial applications [28]. The literature of adversarial attacks on transaction records includes [8,9]. However, the authors do not consider the peculiarities of transaction records data and apply general approaches to adversarial attacks on discrete sequence data.…”

Section: Related Workmentioning

confidence: 99%

See 2 more Smart Citations

Adversarial Attacks on Deep Models for Financial Transaction Records

Fursov¹,

Morozov²,

Kaploukhaya³

et al. 2021

Preprint

Self Cite

View full text Add to dashboard Cite

Machine learning models using transaction records as inputs are popular among financial institutions. The most efficient models use deep-learning architectures similar to those in the NLP community, posing a challenge due to their tremendous number of parameters and limited robustness. In particular, deep-learning models are vulnerable to adversarial attacks: a little change in the input harms the model's output.In this work, we examine adversarial attacks on transaction records data and defences from these attacks. The transaction records data have a different structure than the canonical NLP or time series data, as neighbouring records are less connected than words in sentences, and each record consists of both discrete merchant code and continuous transaction amount. We consider a black-box attack scenario, where the attack doesn't know the true decision model, and pay special attention to adding transaction tokens to the end of a sequence. These limitations provide more realistic scenario, previously unexplored in NLP world.The proposed adversarial attacks and the respective defences demonstrate remarkable performance using relevant datasets from the financial industry. Our results show that a couple of generated transactions are sufficient to fool a deep-learning model. Further, we improve model robustness via adversarial training or separate adversarial examples detection. This work shows that embedding protection from adversarial attacks improves model robustness, allowing a wider adoption of deep models for transaction records in banking and finance.

show abstract

“…We compare this scenario to a more dangerous but less realistic white-box attack. This setting is close to works such as [9] for NLP and [22] for CV models.…”

Section: Introductionsupporting

confidence: 68%

Section: Attack Methodsmentioning

confidence: 99%

See 1 more Smart Citation

Adversarial Attacks on Deep Models for Financial Transaction Records

Fursov¹,

Morozov²,

Kaploukhaya³

et al. 2021

Preprint

Self Cite

View full text Add to dashboard Cite

show abstract

“…In our opinion, the state of the art mechanisms such as attention [33] should be used instead of standard RNNs to improve seq2seq models. Authors of [9] move in the right direction, but the performance metrics are worse than of competitors'.…”

Section: Related Workmentioning

confidence: 95%

Differentiable Language Model Adversarial Attacks on Categorical Sequence Classifiers

Fursov,

Zaytsev,

Kluchnikov

et al. 2020

Preprint

View full text Add to dashboard Cite

An adversarial attack paradigm explores various scenarios for the vulnerability of deep learning models: minor changes of the input can force a model failure. Most of the state of the art frameworks focus on adversarial attacks for images and other structured model inputs, but not for categorical sequences models. Successful attacks on classifiers of categorical sequences are challenging because the model input is tokens from finite sets, so a classifier score is non-differentiable with respect to inputs, and gradient-based attacks are not applicable. Common approaches deal with this problem working at a token level, while the discrete optimization problem at hand requires a lot of resources to solve. We instead use a fine-tuning of a language model for adversarial attacks as a generator of adversarial examples. To optimize the model, we define a differentiable loss function that depends on a surrogate classifier score and on a deep learning model that evaluates approximate edit distance. So, we control both the adversability of a generated sequence and its similarity to the initial sequence. As a result, we obtain semantically better samples. Moreover, they are resistant to adversarial training and adversarial detectors. Our model works for diverse datasets on bank transactions, electronic health records, and NLP datasets.Preprint. Under review.

show abstract

Gradient-based adversarial attacks on categorical sequence models via traversing an embedded world

Cited by 2 publications

References 30 publications

Adversarial Attacks on Deep Models for Financial Transaction Records

Adversarial Attacks on Deep Models for Financial Transaction Records

Differentiable Language Model Adversarial Attacks on Categorical Sequence Classifiers

Contact Info

Product

Resources

About