Adversarial Examples Generation Approach for Tendency Classification on Chinese Texts

Author biographies:

Wang Wenqi (王文琦) (1992-), male, born in Xiangyang, Hubei, Ph.D. candidate; main research areas: artificial intelligence security, natural language processing. Wang Lina (王丽娜) (1964-), female, Ph.D., professor, doctoral supervisor; main research areas: system security, information hiding. Wang Run (汪润) (1991-), male, Ph.D.; main research areas: mobile device privacy protection, machine learning. Tang Benxiao (唐奔宵) (1991-), male, Ph.D., CCF student member; main research areas: Android privacy protection, machine learning.

Corresponding author:

Wang Lina, E-mail: lnawang@163.com

CLC number:

TP309

Fund Project:

National Natural Science Foundation of China (61876134); National Key Research and Development Program of China (2016YFB0801100); Fundamental Research Funds for the Central Universities (2042018kf1028)

Abstract:

Studies have shown that adding small perturbations to the input of a deep neural network (DNN) can cause the DNN to misclassify; this is known as an adversarial example attack. Such attacks also exist in DNN-based sentiment orientation detection for Chinese text, so WordHanding, a method for generating adversarial examples for Chinese text, is proposed. The method designs a new algorithm for calculating word importance and replaces words with homophones to generate adversarial examples, which are used to carry out adversarial example attacks in the black-box setting. The effectiveness of the method is verified on real data sets (Jingdong shopping reviews and Ctrip hotel reviews) against two DNN models, a long short-term memory network (LSTM) and a convolutional neural network (CNN). The experimental results show that the generated adversarial examples mislead Chinese text orientation detection systems well.

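Cite this article

Wang Wenqi, Wang Run, Wang Lina, Tang Benxiao. Adversarial examples generation approach for tendency classification on Chinese texts. Ruan Jian Xue Bao/Journal of Software, 2019,30(8):2415-2427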

History
  • Received: 2018-05-31
  • Last revised: 2018-09-21
  • Published online: 2019-04-03