On The Empirical Effectiveness of Unrealistic Adversarial Hardening Against Realistic Adversarial Attacks

Dyrmishi, Salijona; Ghamizi, Salah; Simonetto, Thibault; Traon, Yves Le; Cordy, Maxime

doi:10.48550/arxiv.2202.03277

Cited by 2 publications

(2 citation statements)

References 39 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Finally, because the perturbation size is known to impact success rate and human perceptibility of adversarial attacks in other domains (Simonetto et al, 2021;Dyrmishi et al, 2022), we investigate the relationship between the number of altered words and validity/naturalness.…”

Section: Rq2 (Naturalness): Are Adversarial Examplesmentioning

confidence: 99%

How do humans perceive adversarial text? A reality check on the validity and naturalness of word-based adversarial attacks

Dyrmishi¹,

Ghamizi²,

Cordy³

2023

Proceedings of the 61st Annual Meeting of the Association for Computational Linguistics (Volume 1: Long Papers)

View full text Add to dashboard Cite

Natural Language Processing (NLP) models based on Machine Learning (ML) are susceptible to adversarial attacks -malicious algorithms that imperceptibly modify input text to force models into making incorrect predictions. However, evaluations of these attacks ignore the property of imperceptibility or study it under limited settings. This entails that adversarial perturbations would not pass any human quality gate and do not represent real threats to human-checked NLP systems. To bypass this limitation and enable proper assessment (and later, improvement) of NLP model robustness, we have surveyed 378 human participants about the perceptibility of text adversarial examples produced by state-of-the-art methods. Our results underline that existing text attacks are impractical in real-world scenarios where humans are involved. This contrasts with previous smaller-scale human studies, which reported overly optimistic conclusions regarding attack success. Through our work, we hope to position human perceptibility as a first-class success criterion for text attacks, and provide guidance for research to build effective attack algorithms and, in turn, design appropriate defence mechanisms.

show abstract

Section: Rq2 (Naturalness): Are Adversarial Examplesmentioning

confidence: 99%

How do humans perceive adversarial text? A reality check on the validity and naturalness of word-based adversarial attacks

Dyrmishi¹,

Ghamizi²,

Cordy³

2023

Proceedings of the 61st Annual Meeting of the Association for Computational Linguistics (Volume 1: Long Papers)

View full text Add to dashboard Cite

show abstract

“…where θ are the parameters of the network, x is the input data, y i is its associated target, L(θ, x, y i ) is the loss function used, and the strength of the attack. Following Goodfellow, other attacks were proposed, first by adding iterations (I-FGSM) (Kurakin, Goodfellow, and Bengio 2016), projections and random restart (PGD) (Madry et al 2017), momentum (MIM) (Dong et al 2018) and constraints (CoEva2) (Ghamizi et al 2020;Dyrmishi et al 2022). These algorithms can be used without any change on a multi-task model if the attacker only focuses on a single task.…”

Section: Related Workmentioning

confidence: 99%

Adversarial Robustness in Multi-Task Learning: Promises and Illusions

Ghamizi

Cordy

Papadakis

et al. 2022

AAAI

Self Cite

View full text Add to dashboard Cite

Vulnerability to adversarial attacks is a well-known weakness of Deep Neural networks. While most of the studies focus on single-task neural networks with computer vision datasets, very little research has considered complex multi-task models that are common in real applications. In this paper, we evaluate the design choices that impact the robustness of multi-task deep learning networks. We provide evidence that blindly adding auxiliary tasks, or weighing the tasks provides a false sense of robustness. Thereby, we tone down the claim made by previous research and study the different factors which may affect robustness. In particular, we show that the choice of the task to incorporate in the loss function are important factors that can be leveraged to yield more robust models. We provide the appendix, all our algorithms, models, and open source-code at https://github.com/yamizi/taskaugment

show abstract

On The Empirical Effectiveness of Unrealistic Adversarial Hardening Against Realistic Adversarial Attacks

Cited by 2 publications

References 39 publications

How do humans perceive adversarial text? A reality check on the validity and naturalness of word-based adversarial attacks

How do humans perceive adversarial text? A reality check on the validity and naturalness of word-based adversarial attacks

Adversarial Robustness in Multi-Task Learning: Promises and Illusions

Contact Info

Product

Resources

About