Recent studies on adversarial examples have exposed vulnerabilities of natural language processing (NLP) models. Existing techniques for generating adversarial examples are typically driven by deterministic heuristic rules that are agnostic to the optimal adversarial examples, a strategy that often results in attack failures. To address this, this research proposes the Fraud's Bargain Attack (FBA), which uses a novel randomization mechanism to enlarge the search space and enable high-quality adversarial examples to be generated with high probability. FBA applies the Metropolis-Hastings sampler, a member of the family of Markov chain Monte Carlo samplers, to enhance the selection of adversarial examples from all candidates proposed by a customized stochastic process that we call the Word Manipulation Process (WMP). The WMP perturbs one word at a time via insertion, removal, or substitution in a context-aware manner. Extensive experiments demonstrate that FBA outperforms state-of-the-art methods in terms of both attack success rate and imperceptibility.
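The sampling loop described above can be sketched as follows. This is a minimal illustration, not the paper's implementation: `adversarial_score` and the `propose` function are hypothetical stand-ins for the victim-model-based objective and the contextual Word Manipulation Process, and the acceptance rule assumes a symmetric proposal for simplicity (the actual Metropolis-Hastings ratio would also include the forward and reverse WMP proposal densities).

```python
import math
import random

random.seed(0)

# Hypothetical objective: higher means a stronger adversarial candidate.
# A real attack would score candidates with the victim model's loss
# plus a semantic-similarity penalty; sentence length is a toy stand-in.
def adversarial_score(words):
    return sum(len(w) for w in words)

VOCAB = ["good", "great", "awful", "terrible", "fine"]  # toy vocabulary

# Toy stand-in for the Word Manipulation Process (WMP): perturb one word
# at a time via insertion, removal, or substitution. The paper's WMP
# chooses replacements in a context-aware manner; here we sample uniformly.
def propose(words):
    words = list(words)
    op = random.choice(["insert", "remove", "substitute"])
    i = random.randrange(len(words))
    if op == "insert":
        words.insert(i, random.choice(VOCAB))
    elif op == "remove" and len(words) > 1:
        words.pop(i)
    else:
        words[i] = random.choice(VOCAB)
    return words

def metropolis_hastings(init_words, steps=200, temperature=1.0):
    current = list(init_words)
    cur_score = adversarial_score(current)
    for _ in range(steps):
        candidate = propose(current)
        cand_score = adversarial_score(candidate)
        # Accept with probability min(1, exp((cand - cur) / T)),
        # assuming a symmetric proposal distribution. Worse candidates
        # are still accepted occasionally, which enlarges the search
        # space relative to greedy heuristic rules.
        accept_prob = min(1.0, math.exp((cand_score - cur_score) / temperature))
        if random.random() < accept_prob:
            current, cur_score = candidate, cand_score
    return current

result = metropolis_hastings("the movie was good".split())
print(" ".join(result))
```

Because acceptance is stochastic rather than greedy, the chain can escape local optima of the scoring function, which is the motivation the abstract gives for preferring randomized sampling over deterministic heuristic rules.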