Universal Text Attack Detection Based on Token Loss Information

Universal detection method for mitigating adversarial text attacks through token loss information


Authors: Chen Yuhan; Du Xia; Wang Dahan; Wu Yun; Zhu Shunzhi; Yan Yan [2] (School of Computer and Information Engineering, Xiamen University of Technology, Fujian Key Laboratory of Pattern Recognition and Image Understanding, Xiamen 361024, China; School of Informatics, Xiamen University, Xiamen 361005, China)

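Affiliations: [1] Fujian Key Laboratory of Pattern Recognition and Image Understanding, School of Computer and Information Engineering, Xiamen University of Technology, Xiamen 361024; [2] School of Informatics, Xiamen University, Xiamen 361005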

Source: Journal of Image and Graphics (《中国图象图形学报》), 2024, Issue 7, pp. 1875-1888, 14 pages

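Funding: University-Industry Cooperation Project of the Fujian Provincial Department of Science and Technology (2021H6035); Xiamen Research Project for Returned Overseas Scholars (Xia Ren She [2022] No. 205-02); Xiamen Science and Technology Plan Project (3502Z20231042); Natural Science Foundation of Fujian Province (2021J011191); Fuzhou-Xiamen-Quanzhou National Independent Innovation Demonstration Zone Project (2022FX4).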

Abstract: Objective: Adversarial text attacks fall mainly into instance-based attacks and universal non-instance attacks. Universal non-instance attacks, represented by the universal trigger (UniTrigger), seriously affect text prediction tasks; the attack generates a specific attack sequence that drives the target model's prediction accuracy to near zero. To defend against universal text trigger attacks, this paper takes inspiration from adversarial example detectors for images and proposes an adversarial text detection method based on token loss weight information (loss-based detect universal adversarial attack, LBD-UAA) that defends against UniTrigger attacks. Method: First, LBD-UAA splits the target sample into independent token sequences. Next, it computes the token-loss value (TLV) metric of each sequence and uses these values to build a full-sample sequence lookup table. Finally, because the perturbation sequences of a UniTrigger attack have large influence values in the lookup table, the full-sequence lookup table is fed into a preset difference detector, which detects adversarial text through a threshold gate. Results: Performance experiments on 4 datasets verify the effectiveness of the proposed method. The results show that the method reaches an adversarial example recognition accuracy as high as 97.17%, and its highest adversarial example recall reaches 100%. Compared with 3 other detection methods, the best true positive rate and false positive rate of LBD-UAA reach 99.6% and 6.8%, both a substantial improvement. In addition, setting a prior judgment reduces the misjudgment rate for short-sample detection by about 50%. Conclusion: For non-instance universal adversarial attacks represented by UniTrigger, the LBD-UAA detection method is proposed and achieves the best detection results on multiple datasets, providing a more effective reference mechanism for adversarial text detection.

Objective: In recent years, adversarial text attacks have become a hot research problem in natural language processing security. An adversarial text attack is a malicious attack that misleads a text classifier by modifying the original text to craft an adversarial text. Natural language processing tasks, such as smishing scams (SMS), ad sales, malicious comments, and opinion detection, can be achieved by creating attacks corresponding to them to mislead text classifiers. A perfect text adversarial example needs to have imperceptible adversarial perturbation and unaffected syntactic-semantic correctness, which significantly increases the difficulty of the attack. The adversarial attack methods in the image domain cannot be directly applied to textual attacks due to discrete text limitation. Existing text attacks can be categorized into two dominant groups: instance-based and learning-based universal non-instance attacks. For instance-based attacks, a specific adversarial example is generated for each input. For learning-based universal non-instance attacks, universal trigger (UniTrigger) is the most representative attack, which reduces the accuracy of the objective model to near zero by generating a fixed sequence of attacks. Existing detection methods mainly tackle instance-based attacks but are seldom studied in UniTrigger attacks. Inspired by the logit-based adversarial detector in computer vision, we propose a UniTrigger defense method based on token loss weight information. Method: For our proposed loss-based detect universal adversarial attack (LBD-UAA), we generalize the pre-training model to transform token sequences into word vector sequences to obtain the representation of token sequences in the semantic space. Then, we remove the target to compute the token positions and feed the remaining token sequence strings into the model. In this paper, we use the token loss value (TLV) metric to obtain the weight proportion of each token to build a full-sample sequence lookup table. The token sequences of non-UniTrigger attacks have less fluctuat

Keywords: adversarial text examples; universal trigger; text classification; deep learning; adversarial detection

Classification number: TP391 [Automation and Computer Technology: Computer Application Technology]

 
