面向中文文本分类的对抗样本生成方法  被引量：1

作　　者：弓燕 张晓琳[1] 刘月峰[1] 刘立新[1,2] 徐立 GONG Yan;ZHANG Xiaolin;LIU Yuefeng;LIU Lixin;XU Li(School of Information Engineering,Inner Mongolia University of Science and Technology,Baotou Inner Mongolia 014010,China;School of Information,Renmin University of China,Beijing 100872,China;Department of Computer Science and Technology,Baotou Medical College,Baotou Inner Mongolia 014010,China)

机构地区：[1]内蒙古科技大学信息工程学院,内蒙古包头014010 [2]中国人民大学信息学院,北京100872 [3]包头医学院计算机科学与技术系,内蒙古包头014010

出　　处：《电子器件》2023年第5期1349-1356,共8页Chinese Journal of Electron Devices

基　　金：国家自然科学基金项目(61562065);内蒙古自治区自然科学基金项目(2019MS06001,2019MS06036)。

摘　　要：针对深度神经网络鲁棒性问题,提出了一种面向中文文本分类的黑盒对抗样本生成方法WordBeguiler。该方法结合汉字的字形、字音特征构建对抗搜索空间,设计了新的扰动定位方式寻找影响分类结果的重要字或词组,并根据概率权重选取的方法确定修改策略生成对抗样本。使用两个主流的模型卷积神经网络(CNN)和双向长短期记忆网络(BiLSTM)在不同分类数据集上验证其有效性和可转移性。实验结果表明,与其他攻击方法相比,WordBeguiler具有攻击成功率高、扰动率低的优势,同时既保留了原始语义也一定程度上保证了语法正确性,并且可以有效地转移到BERT模型中。Aiming at the robustness of deep neural networks,a black-box adversarial example generation method for Chinese text classification,i.e.,WordBeguiler is proposed,which combines Chinese character shape and phonetic features to construct the adversarial search space,finds important words or phrases that affect the classification results by designing new perturbation localization methods,and determines modification strategies to generate adversarial examples according to the method of probability weights selection.Two mainstream models,convolutional neural network(CNN)and bidirectional long short-term memory network(BiLSTM),are used to verify their effectiveness and transferability on different classification data sets.The experimental results show that WordBeguiler has the advantage of a higher attack success rate and lower perturbation rate compared to other attack methods while retaining the original semantics and ensuring the grammatical correctness to a certain extent,and can be effectively transferred to the BERT model.

关 键 词：中文文本分类 对抗样本 深度神经网络 汉字特征 黑盒 

分 类 号：TP309[自动化与计算机技术—计算机系统结构]