| In recent years,deep neural networks have achieved great success in various machine learning tasks and have been widely used.However,the general vulnerability of deep neural networks to adversarial examples in areas such as images and texts is a serious security threat to deep learning models.In the text domain,the discrete nature of text and the sensitivity of text to adversarial perturbations lead to the fact that the adversarial example generation task remains a challenge in terms of the success rate of attacks on the target model and the quality of the generated adversarial examples.Therefore,in this paper,we study the adversarial example generation method in the text domain and propose a method for generating adversarial examples using whole-sentence information with high attack success rate and low perturbation rate,which can generate fluent and natural adversarial examples.The main work accomplished in this paper is as follows.(1)In this paper,we propose a textual adversarial example generation method based on globalized perturbations(GInfoAttack).To address the problems of semantic bias and linguistic fluency of substitute words in the current method,a pre-trained mask language model based on global information(GInfoBERT)is proposed to generate globalized perturbations to make substitute words better satisfy semantic consistency and linguistic fluency,which then improves the effectiveness of the attack and the quality of the adversarial examples.Furthermore,to address the low search effectiveness problem of the current method in the search phase,a search algorithm based on beam search is proposed to further optimize the method and improve the search effectiveness for globalized perturbations.(2)This paper evaluates the textual adversarial example generation method and further analyzes it for attack transferability and model robustness enhancement.In this paper,the proposed GInfoAttack method is evaluated in terms of attack effectiveness and quality of generated adversarial examples using both automatic and human evaluation.The experimental results show that GInfoAttack is able to achieve better results than three state-of-the-art methods(Textfooler,BERT-ATTACK,BAE-R)on three advanced model structures(word-CNN,word-LSTM,BERT)and four standard text classification datasets(IMDB,AG,MR,YELP).After that,ablation experiments are conducted by combining the two proposed algorithms with the current popular methods to verify their effectiveness respectively.Finally,the performance of the methods is further analyzed in terms of attack transferability and model robustness improvement.The effectiveness of the method,its practicality,and the value of the generated adversarial examples in adversarial defense are demonstrated.(3)Based on the proposed adversarial example generation method,this paper designs and implements a prototype system for robustness detection of text classification models.In this paper,we analyze the system requirements,propose a hierarchical architecture scheme for the system,then design and implement the functional modules at each level.The developed system provides three main functions,namely model robustness detection,adversarial example generation and model horizontal comparison,which are useful for model developers to improve model robustness against potential adversarial attacks. |
PDF Full Text Request