基于梯度的对抗排序攻击方法  被引量：1

作　　者：吴晨 张儒清 郭嘉丰[1,2] 范意兴 WU Chen;ZHANG Ruqing;GUO Jiafeng;FAN Yixing(Key Laboratory of Network Data Science and Technology,Institute of Computing Technology,Chinese Academy of Sciences,Beijing 100190;School of Computer and Control Engineering,University of Chinese Academy of Sciences,Beijing 100190)

机构地区：[1]中国科学院计算技术研究所,网络数据科学与技术重点实验室,北京100190 [2]中国科学院大学计算机与控制学院,北京100190

出　　处：《模式识别与人工智能》2022年第3期254-261,共8页Pattern Recognition and Artificial Intelligence

基　　金：国家自然科学基金项目(No.62006218,61902381,61773362,61872338);北京智源人工智能研究院项目(No.BAAI2019ZD 0306);中国科学院青年创新促进会项目(No.20144310,2016102,2021100);联想-中科院联合实验室青年科学家项目(No.cstc2017jcjyBX0059)资助。

摘　　要：互联网检索中普遍存在排名竞争这种对抗攻击行为,会产生许多不良影响,因此对攻击方法的研究有助于设计更鲁棒的排序模型.已有的攻击方法容易被人识别且无法有效攻击神经排序模型.因此,文中提出基于梯度的对抗排序攻击方法.方法分为3个模块:基于梯度大小的词重要度排序、基于梯度的排序攻击和基于词嵌入的同义词替换.针对给定的目标排序模型,首先基于构建的排序攻击目标进行梯度回传,利用梯度信息在指定文档上找到最重要的词.然后,基于投影梯度攻击原理,在词向量空间上对这些最重要的词进行扰动.最后,利用同义词替换技术将这些最重要的词替换为和原词语义相近且和扰动后的词向量最近邻的词,完成文档扰动.在MQ2007、MS MARCO数据集上的实验验证文中方法的有效性.Ranking competition is prevalent in Web retrieval,and undesirable effects are caused by this adversarial attack behavior.Thus,the study on attack methods is conducive to designing a more robust ranking model.The existing attack methods are recognized by people easily and cannot attack neural ranking models effectively.In this paper,a gradient-based adversarial attack method(GARA)is proposed,including gradient-based word importance ranking,gradient-based adversarial ranking attack and embedding-based word replacement.Given a target ranking model,the backpropagation is firstly conducted based on the constructed ranking-based adversarial attack objective.Then the most important words of a specific document is recognized based on the gradient information.These important words are perturbed in the word embedding space based on the projected gradient descent.Finally,by adopting the counter-fitting technology,the document perturbation is completed by substituting the important word with its synonym which is semantically similar to the original word and nearest to the perturbed word vector.Experiments on MQ2007 and MS MARCO datasets demonstrate the effectiveness of the proposed method.

关 键 词：排名竞争 对抗攻击 梯度攻击 神经排序模型 网页检索 

分 类 号：TP391[自动化与计算机技术—计算机应用技术]