We study the behavior of several black-box search algorithms used for generating adversarial examples for natural language processing (NLP) tasks. We perform a fine-grained analysis of three elements relevant to search: search algorithm, search space, and search budget. When past work has proposed new search algorithms, the attack search space has often been modified alongside the search algorithm. Without ablation studies benchmarking the search algorithm change with the search space held constant, one cannot tell if an increase in attack success rate is a result of an improved search algorithm or a less restrictive search space. Additionally, many previous studies fail to properly consider the search algorithms' run-time cost, which is essential for downstream tasks like adversarial training. Our experiments provide a reproducible benchmark of search algorithms across a variety of search spaces and query budgets to guide future research in adversarial NLP. Based on our experiments, we recommend greedy attacks with word importance ranking when under a time constraint or attacking long inputs, and either beam search or particle swarm optimization otherwise. The code is available at https://github.com/QData/TextAttack-Search-Benchmark