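Adversarial Sample Generation Method Based on Chinese Features

About the authors:

Li Xiangge (李相葛) (born 1995), male, PhD student; main research area: natural language processing. Luo Hong (罗红) (born 1968), female, PhD, professor, doctoral supervisor, CCF senior member; main research areas: intelligent analysis of Internet of Things big data, natural language processing. Sun Yan (孙岩) (born 1970), female, PhD, professor, doctoral supervisor, CCF senior member; main research areas: Internet of Things, blockchain, big data analysis and mining.

Corresponding author:

Luo Hong, luoh@bupt.edu.cn

Chinese Library Classification (CLC) number:

TP18

Funding:

National Natural Science Foundation of China (62172051, 61877005)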
Abstract:

Deep neural networks are vulnerable to attacks from adversarial samples. For instance, in a text classification task, modifying a few characters, words, or punctuation marks in the original text is enough to change the model's classification result. Studies of Chinese adversarial samples in the field of natural language processing (NLP) are currently limited, and they do not fully take the language features of Chinese into account. Starting from the Chinese sentiment classification scenario and drawing on the pictographic, phonetic, and other language features of Chinese, this study proposes CWordCheater, a character-level and word-level method for generating high-quality adversarial samples that covers pronunciation, glyphs, punctuation marks, and other aspects. For the replacement of visually similar characters, a ConvAE network is introduced to embed Chinese characters as visual vectors, from which a candidate pool of visually similar replacement characters is generated. A semantic constraint method based on universal sentence encoder (USE) encoding distance is also proposed to avoid semantic drift in the adversarial samples. Finally, a set of multi-dimensional evaluation methods is constructed to assess the quality of adversarial samples in terms of both attack effect and attack cost. Experimental results show that CWordAttacker can reduce the classification accuracy by at least 27.9% on multiple classification models and multiple datasets, while incurring a lower perturbation cost in terms of vision and semantics.

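Cite this article

Li Xiangge, Luo Hong, Sun Yan. Adversarial Sample Generation Method Based on Chinese Features. Journal of Software (软件学报), 2023, 34(11): 5143-5161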

History
  • Received: 2022-01-08
  • Last revised: 2022-04-13
  • Published online: 2023-06-16