基于分布式扰动的文本对抗训练方法

doi:10.19678/j.issn.1000-3428.0066836

摘要/Abstract

摘要：

文本对抗防御旨在增强神经网络模型对不同对抗攻击的抵御能力, 目前的文本对抗防御方法通常只能对某种特定对抗攻击有效，对于原理不同的对抗攻击效果甚微。为解决文本对抗防御方法的不足，提出一种文本对抗分布训练(TADT)方法，将TADT形式化为一个极小极大优化问题，其中内部最大化的目标是了解每个输入示例的对抗分布，外部最小化的目标是通过最小化预期损失来减小对抗示例的数量，并对基于梯度下降和同义词替换的攻击方法进行研究。在2个文本分类数据集上的实验结果表明，相比于DNE方法，在PWWS、GA、UAT等3种不同的对抗攻击下，TADT方法的准确率平均提升2%，相比于其他方法提升了10%以上，且在不影响干净样本准确率的前提下显著提升了模型的鲁棒性，并在各种对抗攻击下具有较高的准确率，展示了良好的泛化性能。

关键词: 文本对抗分布, 对抗训练, 变分自动编码器, 梯度下降, 蒙特卡罗采样

Abstract:

Text adversarial defense aims to enhance the resilience of neural network models against different adversarial attacks. The current text confrontation defense methods are usually only effective against certain specific confrontation attacks and have little effect on confrontation attacks with different principles. To address the deficiencies of existing textual adversarial defense methods and principles of adversarial attack methods, this paper proposes the Textual Adversarial Distribution Training(TADT) method and formalizes it as a minimax optimization problem. The goal of inner maximization is to learn the adversarial distribution of each input example. The goal of outer minimization is to reduce the number of adversarial examples by minimizing the expected loss. This paper mainly studies the attack method based on gradient descent and synonym replacement. The experimental results on two text classification datasets show that under three different adconfrontation attacks, Probability Weighted Word Saliency(PWWS), Genetic Attack(GA), and Unsupervised Adversarial Training(UAT), the accuracy of TADT is improved by an average of 2% compared with the latest Dirichlet Neighborhood Ensemble(DNE) method. Compared with other methods, the accuracy of TADT method is improved by more than 10%, and the accuracy of clean samples is not affected. On the premise of not affecting the accuracy of clean samples, TADT significantly improves the robustness of the model and has high accuracy under various adversarial attacks, showing good generalization performance.

Key words: textual adversarial distribution, Adversarial Training(AT), variational autoencoder, gradient descent, Monte Carlo sampling

沈志东, 岳恒宪. 基于分布式扰动的文本对抗训练方法[J]. 计算机工程, 2023, 49(9): 16-22.

Zhidong SHEN, Hengxian YUE. Textual Adversarial Training Method Based on Distributed Perturbation[J]. Computer Engineering, 2023, 49(9): 16-22.

http://www.ecice06.com/CN/Y2023/V49/I9/16

图/表 6

参考文献 38

1	SZEGEDY C, ZAREMBA W, SUTSKEVER I, et al. Intriguing properties of neural networks[EB/OL]. [2021-12-20]. https://arxiv.org/abs/1312.6199.
2	GOODFELLOW I J, SHLENS J, SZEGEDY C. Explaining and harnessing adversarial examples[EB/OL]. [2021-12-20]. https://arxiv.org/abs/1412.6572.
3	MIYATO T, DAI A M, GOODFELLOW I. Adversarial training methods for semi-supervised text classification[EB/OL]. [2021-12-20]. https://arxiv.org/abs/1605.07725.
4	WANG S, GONG Y X. Adversarial example detection based on saliency map features. Applied Intelligence, 2022, 52 (6): 6262- 6275. doi: 10.1007/s10489-021-02759-8
5	TRAMÈR F, KURAKIN A, PAPERNOT N, et al. Ensemble adversarial training: attacks and defenses[EB/OL]. [2021-12-20]. https://arxiv.org/abs/1705.07204.
6	MADRY A, MAKELOV A, SCHMIDT L, et al. Towards deep learning models resistant to adversarial attacks[EB/OL]. [2021-12-20]. https://arxiv.org/abs/1706.06083.
7	DANSKIN J M. The theory of max-min and its application to weapons allocation problems. Berlin, Germany: Springer, 1967.
8	DONG Y P, LIAO F Z, PANG T Y, et al. Boosting adversarial attacks with momentum[C]//Proceedings of IEEE/CVF Conference on Computer Vision and Pattern Recognition. Washington D. C., USA: IEEE Press, 2018: 9185-9193.
9	KURAKIN A, GOODFELLOW I, BENGIO S. Adversarial machine learning at scale[EB/OL]. [2021-12-20]. https://arxiv.org/abs/1611.01236.
10	TSIPRAS D, SANTURKAR S, ENGSTROM L, et al. Robustness may be at odds with accuracy[EB/OL]. [2021-12-20]. https://arxiv.org/abs/1805.12152.
11	PAPERNOT N, MCDANIEL P, WU X, et al. Distillation as a defense to adversarial perturbations against deep neural networks[C]//Proceedings of IEEE Symposium on Security and Privacy. Washington D. C., USA: IEEE Press, 2016: 582-597.
12	CARLINI N, WAGNER D. Adversarial examples are not easily detected: bypassing ten detection methods[C]//Proceedings of the 10th ACM Workshop on Artificial Intelligence and Security. New York, USA: ACM Press, 2017: 3-14.
13	MOOSAVI-DEZFOOLI S M, FAWZI A, FROSSARD P. DeepFool: a simple and accurate method to fool deep neural networks[C]//Proceedings of IEEE Conference on Computer Vision and Pattern Recognition. Washington D. C., USA: IEEE Press, 2016: 2574-2582.
14	FEINMAN R, CURTIN R R, SHINTRE S, et al. Detecting adversarial samples from artifacts[EB/OL]. [2021-12-20]. https://arxiv.org/abs/1703.00410.
15	MENG D Y, CHEN H. MagNet: a two-pronged defense against adversarial examples[C]//Proceedings of 2017 ACM SIGSAC Conference on Computer and Communications Security. New York, USA: ACM Press, 2017: 135-147.
16	KURAKIN A, GOODFELLOW I, BENGIO S, et al. Adversarial attacks and defences competition. Berlin, Germany: Springer, 2018.
17	HAARNOJA T, ZHOU A, ABBEEL P, et al. Soft actor-critic: off-policy maximum entropy deep reinforcement learning with a stochastic actor[EB/OL]. [2021-12-20]. https://arxiv.org/abs/1801.01290.
18	LIU Y P, CHEN X Y, LIU C, et al. Delving into transferable adversarial examples and black-box attacks[EB/OL]. [2021-12-20]. https://arxiv.org/abs/1611.02770.
19	XIE C H, ZHANG Z S, ZHOU Y Y, et al. Improving transferability of adversarial examples with input diversity[C]//Proceedings of IEEE/CVF Conference on Computer Vision and Pattern Recognition. Washington D. C., USA: IEEE Press, 2020: 2725-2734.
20	PAPERNOT N, MCDANIEL P, GOODFELLOW I. Transferability in machine learning: from phenomena to black-box attacks using adversarial samples[EB/OL]. [2021-12-20]. https://arxiv.org/abs/1605.07277.
21	QIN C L, MARTENS J, GOWAL S, et al. Adversarial robustness through local linearization[EB/OL]. [2021-12-20]. https://arxiv.org/abs/1907.02610.
22	XIE C H, TAN M X, GONG B Q, et al. Adversarial examples improve image recognition[EB/OL]. [2021-12-20]. https://arxiv.org/abs/1911.09665.
23	DAI Z H, YANG Z L, YANG F, et al. Good semi-supervised learning that requires a bad GAN[EB/OL]. [2021-12-20]. https://arxiv.org/abs/1705.09783.
24	XIAO C, ZHONG P L, ZHENG C X. Enhancing adversarial defense by k-winners-take-all[EB/OL]. [2021-12-20]. https://arxiv.org/abs/1905.10510.
25	ZHANG H C, WANG J Y. Defense against adversarial attacks using feature scattering-based adversarial training[EB/OL]. [2021-12-20]. https://arxiv.org/abs/1907.10764.
26	DAI Z H, ALMAHAIRI A, BACHMAN P, et al. Calibrating energy-based generative adversarial networks[EB/OL]. [2021-12-20]. https://arxiv.org/abs/1702.01691.
27	LOUIZOS C, WELLING M. Structured and efficient variational deep learning with matrix Gaussian posteriors[EB/OL]. [2021-12-20]. https://arxiv.org/abs/1603.04733.
28	LOUIZOS C, WELLING M. Multiplicative normalizing flows for variational Bayesian neural networks[EB/OL]. [2021-12-20]. https://arxiv.org/abs/1703.01961.
29	徐彦. 基于梯度下降的脉冲神经元在线学习方法. 计算机工程, 2015, 41 (12): 150-155, 160. URL
	XU Y. Spiking neuron online learning method based on gradient descent. Computer Engineering, 2015, 41 (12): 150-155, 160. URL
30	YE M, GONG C Y, LIU Q. SAFER: a structure-free approach for certified robustness to adversarial word substitutions[EB/OL]. [2021-12-20]. https://arxiv.org/abs/2005.14424.
31	陈健, 唐俊遥, 朱生光, 等. 深度堆栈自编码网络在船舶重量估算中的应用. 计算机工程, 2019, 45 (5): 315- 320. URL
	CHEN J, TANG J Y, ZHU S G, et al. Application of deep stack autoencoder network in ship weight estimation. Computer Engineering, 2019, 45 (5): 315- 320. URL
32	REN S H, DENG Y H, HE K, et al. Generating natural language adversarial examples through probability weighted word saliency[C]//Proceedings of the 57th Annual Meeting of the Association for Computational Linguistics. Washington D. C., USA: IEEE Press, 2019: 1581-1595.
33	WALLACE E, RODRIGUEZ P, FENG S, et al. Trick me if you can: human-in-the-loop generation of adversarial examples for question answering. Transactions of the Association for Computational Linguistics, 2019, 7, 387- 401. doi: 10.1162/tacl_a_00279
34	MICHEL P, LI X A, NEUBIG G, et al. On evaluation of adversarial perturbations for sequence-to-sequence models[EB/OL]. [2021-12-20]. https://arxiv.org/abs/1903.06620.
35	HUANG P S, STANFORTH R, WELBL J, et al. Achieving verified robustness to symbol substitutions via interval bound propagation[EB/OL]. [2021-12-20]. https://arxiv.org/abs/1909.01492.
36	PENNINGTON J, SOCHER R, MANNING C. GLOVE: global vectors for word representation[C]//Proceedings of 2014 Conference on Empirical Methods in Natural Language Processing. Washington D. C., USA: IEEE Press, 2014: 1532-1543.
37	EBRAHIMI J, RAO A Y, LOWD D, et al. HotFlip: white-box adversarial examples for text classification[EB/OL]. [2021-12-20]. https://arxiv.org/abs/1712.06751.
38	JIN D, JIN Z J, ZHOU J T, et al. Is BERT really robust? A strong baseline for natural language attack on text classification and entailment[C]//Proceedings of AAAI Conference on Artificial Intelligence. [S. 1. ]: AAAI Press, 2020: 8018-8025.

[1]	朱红, 牛浩然, 朱彤. 基于字词融合与对抗训练的行业人物实体识别[J]. 计算机工程, 2023, 49(5): 56-62.
[2]	冉懿, 王润年, 潘红伟, 俞海猛, 袁培森. 面向停电分类预测的因子分解机模型[J]. 计算机工程, 2022, 48(5): 98-103,111.
[3]	胡彬, 王晓军, 张雷. 一种半监督对抗鲁棒模型无关元学习方法[J]. 计算机工程, 2022, 48(12): 112-118.
[4]	沈学利, 马玉营, 梁振兴. 融合复杂先验与注意力机制的变分自动编码器[J]. 计算机工程, 2022, 48(11): 55-61.
[5]	金柯君, 于洪涛, 吴翼腾, 李邵梅, 操晓春. 基于改进投影梯度下降算法的图卷积网络投毒攻击[J]. 计算机工程, 2022, 48(10): 176-183.
[6]	李博文, 谢在鹏, 毛莺池, 徐媛媛, 朱晓瑞, 张基. 一种基于分布式编码的同步梯度下降算法[J]. 计算机工程, 2021, 47(4): 68-76,83.
[7]	王晓鹏, 罗威, 秦克, 杨锦涛, 王敏. 一种针对快速梯度下降对抗攻击的防御方法[J]. 计算机工程, 2021, 47(11): 121-128.
[8]	陈建平, 周鑫, 傅启明, 高振, 付保川, 吴宏杰. 基于二阶时序差分误差的双网络DQN算法[J]. 计算机工程, 2020, 46(5): 78-85,93.
[9]	杨静, 徐彦, 赵欣. 带延迟调整的脉冲神经元梯度下降学习算法[J]. 计算机工程, 2019, 45(9): 169-175.
[10]	庄立纯, 张正军, 张乃今, 李君娣. 基于非线性Logistic模型的改进UDEED算法[J]. 计算机工程, 2019, 45(7): 208-211.
[11]	陈健,唐俊遥,朱生光,周兆钊. 深度堆栈自编码网络在船舶重量估算中的应用[J]. 计算机工程, 2019, 45(5): 315-320.
[12]	林金钏,艾浩军. 噪声可容忍的标记组合半监督学习算法[J]. 计算机工程, 2019, 45(4): 157-162,168.
[13]	杨林,顾军华,官磊. PMUS-HOSGD张量分解方法及其在标签推荐中的应用[J]. 计算机工程, 2018, 44(11): 300-305,312.
[14]	余琨,伍孝金. 基于KL散度矩阵迹的潜映射半监督社区发现[J]. 计算机工程, 2017, 43(12): 296-302.
[15]	李平,戴月明,王艳. 基于混合卡方统计量与逻辑回归的文本情感分析[J]. 计算机工程, 2017, 43(12): 192-196,202.

选择文件类型/文献管理软件名称

选择包含的内容