White-to-Black: Efficient Distillation of Black-Box Adversarial Attacks

Gil, Yotam; Chai, Yoav; Gorodissky, Or; Berant, Jonathan

doi:10.48550/arxiv.1904.02405

Cited by 6 publications

(6 citation statements)

References 9 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Researchers also studied adversarial attacks targeting Perspective API [8,[14][15][16]. However, as the version iterates, Perspective API developed defensive strategies to thwart these machine-generated attacks.…”

Section: Toxic Speech Detectionmentioning

confidence: 99%

NoisyHate: Benchmarking Content Moderation Machine Learning Models with Human-Written Perturbations Online

Ye¹,

Le²,

Lee³

2023

Preprint

View full text Add to dashboard Cite

Online texts with toxic contents are a clear threat to the users on social media in particular and society in general. Although many platforms have adopted various measures (e.g., machine learning based hate-speech detection systems) to diminish their effect, toxic content writers have also attempted to evade such measures by using cleverly modified toxic words, so-called human-written text perturbations. Therefore, to help build AI-based detection to recognize those perturbations, prior methods have developed sophisticated techniques to generate diverse adversarial samples. However, we note that these algorithms-generated perturbations do not necessarily capture all the traits of human-written perturbations. Therefore, in this paper, we introduce a benchmark test set of human-written perturbations, named as NoisyHate, created from real perturbations written by human users on various social platforms, for helping develop better toxic speech detection models. Meanwhile, to check if our perturbation can be normalized to its clean version, we applied spell corrector algorithms on this dataset. Finally, we test this data on state-of-the-art language models, such as BERT and RoBERTa, and black box APIs, such as Perspective API, to demonstrate the adversarial attack with real human-written perturbations is still effective. CCS CONCEPTS• Security and privacy → Social aspects of security and privacy;• Computing methodologies → Language resources; • Information systems → Social tagging.

show abstract

Section: Toxic Speech Detectionmentioning

confidence: 99%

NoisyHate: Benchmarking Content Moderation Machine Learning Models with Human-Written Perturbations Online

Ye¹,

Le²,

Lee³

2023

Preprint

View full text Add to dashboard Cite

show abstract

“…Adversarial attack There have been a lot of works showing the vulnerability of NLP models under adversarial examples (Li et al, 2020c;Garg and Ramakrishnan, 2020;Zang et al, 2020), which are understandable by humans yet lead to significant model prediction drops. There are usually two types of attacks: (1) semantic equivalent replacement, which can be synthesized by replacing words based on vector similarity (Jin et al, 2020;, WordNet synonyms (Zang et al, 2020), masked prediction from pretrained models (Li et al, 2020c;Garg and Ramakrishnan, 2020;Li et al, 2020d), etc. (2) noise injection, which can be synthesized by adding/deleting/swapping words (Li et al, 2019a;Gil et al, 2019;, replacing words with phonetically or visually similar ones (Eger et al, 2019;Eger and Benz, 2020). For logographic languages like Chinese, the noise can be much more complex as it can be injected on both the glyph characters or romanized pinyins Nuo et al, 2020).…”

Section: Related Workmentioning

confidence: 99%

RoCBert: Robust Chinese Bert with Multimodal Contrastive Pretraining

Shen¹,

Shi²,

Shen³

et al. 2022

Proceedings of the 60th Annual Meeting of the Association for Computational Linguistics (Volume 1: Long Papers)

View full text Add to dashboard Cite

Large-scale pretrained language models have achieved SOTA results on NLP tasks. However, they have been shown vulnerable to adversarial attacks especially for logographic languages like Chinese. In this work, we propose ROCBERT: a pretrained Chinese Bert that is robust to various forms of adversarial attacks like word perturbation, synonyms, typos, etc. It is pretrained with the contrastive learning objective which maximizes the label consistency under different synthesized adversarial examples. The model takes as input multimodal information including the semantic, phonetic and visual features. We show all these features are important to the model robustness since the attack can be performed in all the three forms. Across 5 Chinese NLU tasks, ROCBERT outperforms strong baselines under three blackbox adversarial algorithms without sacrificing the performance on clean testset. It also performs the best in the toxic content detection task under human-made attacks. * Equal contribution. 1 The concept of adversarial examples is quite wide. In this paper, we focus on adversarial examples that do NOT change the original semantics (Mozes et al., 2021)

show abstract

“…Knowledge distillation has also been used for adversarial attacks (Papernot et al, 2016b;Ross & Doshi-Velez, 2017;Gil et al, 2019;Goldblum et al, 2020), data security (Papernot et al, 2016a;Lopes et al, 2017;, image processing (Li & Hoiem, 2017;Wang et al, 2017;Chen et al, 2018;, natural language processing (Nakashole & Flauger, 2017;Mou et al, 2016;Hu et al, 2018;Freitag et al, 2017), and speech processing (Chebotar & Waters, 2016;Lu et al, 2017;Watanabe et al, 2017;Oord et al, 2018;Shen et al, 2018).…”

Section: A Extended Literature Reviewmentioning

confidence: 99%

Knowledge Distillation as Semiparametric Inference

Dao,

Kamath,

Syrgkanis

et al. 2021

Preprint

View full text Add to dashboard Cite

A popular approach to model compression is to train an inexpensive student model to mimic the class probabilities of a highly accurate but cumbersome teacher model. Surprisingly, this two-step knowledge distillation process often leads to higher accuracy than training the student directly on labeled data. To explain and enhance this phenomenon, we cast knowledge distillation as a semiparametric inference problem with the optimal student model as the target, the unknown Bayes class probabilities as nuisance, and the teacher probabilities as a plug-in nuisance estimate. By adapting modern semiparametric tools, we derive new guarantees for the prediction error of standard distillation and develop two enhancements-cross-fitting and loss correction-to mitigate the impact of teacher overfitting and underfitting on student performance. We validate our findings empirically on both tabular and image data and observe consistent improvements from our knowledge distillation enhancements.

show abstract

White-to-Black: Efficient Distillation of Black-Box Adversarial Attacks

Cited by 6 publications

References 9 publications

NoisyHate: Benchmarking Content Moderation Machine Learning Models with Human-Written Perturbations Online

NoisyHate: Benchmarking Content Moderation Machine Learning Models with Human-Written Perturbations Online

RoCBert: Robust Chinese Bert with Multimodal Contrastive Pretraining

Knowledge Distillation as Semiparametric Inference

Contact Info

Product

Resources

About