Text Adversarial Examples Based On Word-Level Perturbation

Studies have shown that deep neural network models are easily affected by adversarial examples,which have imperceptible changes compared with the original inputbut can deceive the models into making wrong decisions,which has aroused strong global attention to this issue.This paper explores in depth both the generation and defense of textual adversarial examples and proposes algorithms for the generation and defense of adversarial examples against word-level perturbations respectively.The purpose is to reduce the damage of the deep neural network models and improve their robustness by exposing the weaknesses of the model.The main work of this paper is as follows:(1)In terms of adversarial example generation,to address the problem that some existing generation algorithms based on word-level perturbation have a large number of word replacements and poor replacement order,resulting in poor readability of adversarial examples,this paper proposes an algorithm for generating text adversarial examples based on word importance jointed with classification probability for improvement.To improve the problem of a large number of wordsubstitutions,the algorithm uses a word importance calculation function to obtain a word importance score,then builds multiplestop words setsaccording to the text characteristics and uses classification probability to determine the best replacement words for the words.To obtain a better replacement order,the influence of the original word and the best replacement word is fully considered,and the word importance combined with the classification probability determines the replacement order of the words.In this experiment three popular text classification tasks were compared using a convolutional neural network model,a long short-term memory network model and a bi-directional long short-term memory network model.The results show that the adversarial examples generated by the algorithms in this paper have low classification accuracy and perturbation rates,and show better migration performance on some models.(2)In terms of adversarial example defense,to address the problem that most of the existing adversarial training algorithms have limited types of defense against attacks,this paper proposes an adversarial training algorithm based on a mixture of multiple adversarial examples to improve the above-mentioned problems.The algorithm trains the original model on a retraining set with a mixture of multiple adversarial examples and clean examples to learn the features of different examples in order to make the obtained reinforced model immune to multiple adversarial examples and thus achieve the purpose of defending against multiple attacks.The experimental results show that the reinforcement model trained by the algorithm successfully improves the classification correction rateof different kinds of adversarial examples and the defense rise rate of the model,verifying that the algorithm can effectively defend against multiple attacks and outperforms other baseline algorithms in terms of defensive performance.Figure[19]Table[11]Reference[69]...