少查询文本分类模型的黑盒对抗样本攻击  

作　　者：罗森林[1] 程瑶 万韵伟 潘丽敏[1] 李新帅 LUO Senlin;CHENG Yao;WAN Yunwei;PAN Limin;LI Xinshuai(School of Information and Electronics,Beijing Institute of Technology,Beijing 100081,China)

机构地区：[1]北京理工大学信息与电子学院,北京100081

出　　处：《北京理工大学学报》2024年第12期1277-1286,共10页Transactions of Beijing Institute of Technology

基　　金：国家“二四二”信息安全项目(2020A065)。

摘　　要：面向文本分类黑盒模型,现有方法通过频繁查询易降低攻击的隐蔽性,在少查询次数下生成的样本难以跨越目标模型的决策边界,严重影响对抗样本的攻击成功率.在逐词查询目标模型的方法中,其查询次数随文本长度增加呈线性增长,在查询次数受限时攻击成功率低;且基于同义词库的方法缺少扰动词位置特征难以捕获其上下文关联性,易改变原始语义造成文本相似性低,难以欺骗目标模型从而影响攻击成功率.此方法融合动态掩码与扩散语言模型以支持高文本相似性和高攻击成功率的双重目标,生成攻击成功率高的对抗样本且显著降低查询次数.多个真实数据集的实验表明,方法平均降低50%的查询次数同时提高攻击成功率,为对抗训练任务提供优质样本.To reduce the concealment of attacks for black-box text classification models,existing methods make generally use of frequent queries.The problems of the tradition methods express as the following.Firstly when making few queries,the black-box model can difficultly generate samples to cross the target decision boundary of models,impacting the attack success rate(ASR)significantly.And,when querying the target model with word by word,the number of queries increases linearly with the length of texts.Also,limiting the number of queries,it can result in low ASR.Besides,based on thesaurus stock method,the positional features of perturbing words are lack correspondingly,causing a difficulty to capture its contextual relevance,causing a low text similarity due to semantics change drastically,making it hard to deceive target models and impacting ASR.In this paper,to reach a double goal of high similarity and ASR,a new method was proposed based on the combination of dynamic masking and diffusion language model.Some adversarial samples were demonstrated,reducing the number of queries with a high ASR.Taking experiments with multiple data,the results show that the number of queries can be reduced by 50%on average with a high ASR,making it valuable for adversarial training task.

关 键 词：对抗样本 文本分类 限制查询 扩散模型 黑盒 

分 类 号：TP391[自动化与计算机技术—计算机应用技术]