Towards a Robust Deep Neural Network against Adversarial Texts: A Survey

Wang, Wenqi; Wang, Run; Wang, Lina; Wang, Zhen; Ye, Aoshuang

doi:10.1109/tkde.2021.3117608

Cited by 41 publications

(33 citation statements)

References 128 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…4. Consistent with prior black-box attack settings [8], [13], [14], [28], [42], the hacker can query the target model with a text example 𝒘 consisting of a sequence of 𝑁 tokens (𝒘 = [𝑤 1 , 𝑤 2 , … , 𝑤 𝑁 ]). The model will return the predicted class as 𝑦, i.e., ℱ(𝒘) = 𝑦, as well as the predicted probability for class 𝑦 ℱ 𝑦 (𝒘).…”

Section: Proposed Adversarial Text Attack Methodsmentioning

confidence: 99%

“…Explainable DL methods can be broadly grouped into two categories: the global and the local explainable methods, depending on the scope of the explanation [8]. Global explainable methods enable people to inspect and visualize the model structures and parameters.…”

Section: Insights From Explainable DL Studiesmentioning

confidence: 99%

“…1). Therefore, adversarial attacks have received increasing attention from researchers as they can help assess model robustness and security against potential attacks in the real world [8]- [10].…”

Section: Introductionmentioning

confidence: 99%

“…Token sensitivity can also be computed by explainable DL methods [8], [16]. Explainable DL is an emerging branch of machine learning that aims to access DL models' decision processes.…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Additive Feature Attribution Explainable Methods to Craft Adversarial Attacks for Text Classification and Text Regression

Chai¹,

Liang²,

Zhu³

et al. 2022

Preprint

View full text Add to dashboard Cite

Deep learning models have significantly advanced various natural language processing tasks. However, they are strikingly vulnerable to adversarial text attacks, even in the black-box setting where no model knowledge is accessible to hackers. Such attacks are conducted with a two-phase framework: 1) a sensitivity estimation phase to evaluate each element’s sensitivity to the target model’s prediction, and 2) a perturbation execution phase to craft the adversarial examples based on estimated element sensitivity. This study explored the connections between the local post-hoc explainable methods for deep learning and black-box adversarial text attacks and proposed a novel eXplanation-based method for crafting Adversarial Text Attacks (XATA). XATA leverages local post-hoc explainable methods (e.g., LIME or SHAP) to measure input elements’ sensitivity and adopts the word replacement perturbation strategy to craft adversarial examples. We evaluated the attack performance of the proposed XATA on three commonly used text-based datasets: IMDB Movie Review, Yelp Reviews-Polarity, and Amazon Reviews-Polarity. The proposed XATA outperformed existing baselines in various target models, including LSTM, GRU, CNN, and BERT. Moreover, we found that improved local post-hoc explainable methods (e.g., SHAP) lead to more effective adversarial attacks. These findings showed that when researchers constantly advance the explainability of deep learning models with local post-hoc methods, they also provide hackers with weapons to craft more targeted and dangerous adversarial attacks.

show abstract

Section: Proposed Adversarial Text Attack Methodsmentioning

confidence: 99%

Section: Insights From Explainable DL Studiesmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

“…Token sensitivity can also be computed by explainable DL methods [8], [16]. Explainable DL is an emerging branch of machine learning that aims to access DL models' decision processes.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Additive Feature Attribution Explainable Methods to Craft Adversarial Attacks for Text Classification and Text Regression

Chai¹,

Liang²,

Zhu³

et al. 2022

Preprint

View full text Add to dashboard Cite

show abstract

“…Existing black-box attacks, from character-level flipping [8] to sentence-level paraphrasing [9], all achieve good performance. In Particular, the word-level attack method based on word replacement performs particularly well in terms of attack efficiency and adversarial example quality [10]. This kind of method can be viewed as a combinatorial optimization problem that combines search space reduction and adversarial example search [11].…”

Section: Introductionmentioning

confidence: 99%

Textual Adversarial Attacking with Limited Queries

Zhang

Yang

et al. 2021

Electronics

View full text Add to dashboard Cite

Recent studies have shown that natural language processing (NLP) models are vulnerable to adversarial examples, which are maliciously designed by adding small perturbations to benign inputs that are imperceptible to the human eye, leading to false predictions by the target model. Compared to character- and sentence-level textual adversarial attacks, word-level attack can generate higher-quality adversarial examples, especially in a black-box setting. However, existing attack methods usually require a huge number of queries to successfully deceive the target model, which is costly in a real adversarial scenario. Hence, finding appropriate models is difficult. Therefore, we propose a novel attack method, the main idea of which is to fully utilize the adversarial examples generated by the local model and transfer part of the attack to the local model to complete ahead of time, thereby reducing costs related to attacking the target model. Extensive experiments conducted on three public benchmarks show that our attack method can not only improve the success rate but also reduce the cost, while outperforming the baselines by a significant margin.

show abstract

Better constraints of imperceptibility, better adversarial examples in the text

Wang

et al. 2021

Int J of Intelligent Sys

Self Cite

View full text Add to dashboard Cite

State‐of‐the‐art adversarial attacks in the text domain have shown their power to induce machine learning models to produce abnormal outputs. The samples generated in these attacks have three important attributes: attack ability, transferability, and imperceptibility. However, compared with the other two attributes, the imperceptibility of adversarial examples has not been well investigated. Unlike the pixel‐level perturbations in images, adversarial perturbations in the text are usually traceable, reflecting changes in characters, words, or sentences. The generation of imperceptible samples in texts is more difficult than in images. Therefore, how to constrain adversarial perturbations added in the text is a crucial step to construct more natural adversarial texts. Unfortunately, recent studies merely select measurements to constrain the added adversarial perturbations, but none of them explain where these measurements are suitable, which one is better, and how they perform in different kinds of adversarial attacks. In this paper, we fill this gap by comparing the performance of these metrics in various attacks. Furthermore, we propose a stricter constraint for word‐level attacks to obtain more imperceptible samples. It is also helpful to enhance existing word‐level attacks for adversarial training.

show abstract

Towards a Robust Deep Neural Network against Adversarial Texts: A Survey

Cited by 41 publications

References 128 publications

Additive Feature Attribution Explainable Methods to Craft Adversarial Attacks for Text Classification and Text Regression

Additive Feature Attribution Explainable Methods to Craft Adversarial Attacks for Text Classification and Text Regression

Textual Adversarial Attacking with Limited Queries

Better constraints of imperceptibility, better adversarial examples in the text

Contact Info

Product

Resources

About