| Deep learning models are widely used in many image-domain scenarios, including face recognition, image classification, and object detection. In natural language processing, more and more researchers are using deep learning models to solve problems such as spam classification and sentiment analysis. Deep neural networks are vulnerable to adversarial examples: perturbing correctly classified examples causes the model to misclassify them. In the image domain, such perturbations naturally have the properties of being easily overlooked by the human eye while causing the machine to make mistakes. In natural language, however, a perturbation is easy to perceive no matter how small it is. Word replacement, sentence transformation and the like can greatly change the semantics of a document, which does not meet the construction condition for an adversarial example, namely "low perturbation, strong attack effect". Text carries complex syntactic and semantic information, so edits to the original data are more easily noticed by humans, and the resulting adversarial data loses its concealment. On the other hand, unlike continuous image pixel values, the words in a sentence are discrete tokens. Therefore, it is not possible to calculate the gradient of the network loss function with respect to the input words. This paper presents a technique for text data based on combined synonym and character substitution, and the research comprises the following phases. 1. The general idea. First, this paper introduces two new judgment models and studies how to judge the influence of a word in the original text on the classification result in both white-box and black-box scenarios, thereby obtaining the importance of each word. In the white-box case, word importance is evaluated by an algorithm based on multiple attention mechanisms. In the black-box case, a new method is proposed that considers semantic and context information and the importance of adjacent words to the model's confidence score, and generates a globally optimal ranking, avoiding the locally optimal solutions that traditional methods reach in special contexts. 2. This paper proposes an attack model of combined synonym and character substitution. Through ensemble learning, the model determines whether each set of data is suited to character-character or character-synonym substitution, and determines the positions and the number of modifications, finally finding the adversarial example that achieves a successful attack at the lowest perturbation rate; ensemble learning decides the combination used to replace keywords when generating the text adversarial example. We analyzed the attack success rate of the adversarial examples and designed three sets of experiments to verify the effectiveness of the generated adversarial examples. In these experiments, we attacked the Bi-LSTM, Word CNN, and LSTM models separately using the generated adversarial examples. Experimental results show that for the YAHO, News AGNews dataset and the IMDB sentiment review dataset, this method can significantly reduce the model's classification accuracy at a lower perturbation rate, and that the training time is moderate. 3. This paper designs and implements a system for generating and defending against text adversarial examples. The system extends an existing speech and image system; the added text adversarial area mainly includes adversarial algorithms for text classification, adversarial algorithms for sentiment analysis, adversarial example defense and other functions, and through a simple interactive interface it shows the whole adversarial process, from generation to defense, across multiple classification scenarios. In conclusion, this paper generates adversarial examples with the "ensemble-learning-based combined synonym and character replacement" method. Through ensembling, the method judges how to combine character substitution based on similar words with synonym substitution based on gradient projection, so that each attack has a better effect on the deep learning model at a lower perturbation. The character replacement in the combination uses Levenshtein distance and vector distance calculations to generate legitimate words that avoid spell checking, which keeps the perturbation rate as small as possible and gives good concealment. The synonym attack selected is the "synonym based on gradient projection" attack method. Finally, related experiments are designed to verify the effectiveness of the attack method. Studying adversarial examples not only makes it possible to evaluate the security of a model, but also improves the robustness of the model through adversarial training and promotes people's trust in deep learning models in real scenarios. |