基于字词重现的中文文本对抗样本生成方法

doi:10.19678/j.issn.1000-3428.0069815

计算机工程 ›› 2026, Vol. 52 ›› Issue (1): 303-313. doi: 10.19678/j.issn.1000-3428.0069815

基于字词重现的中文文本对抗样本生成方法

王春东¹^,²^,*(), 赵智航¹^,², 杨伟杰¹^,², 方顺尧¹^,²

1. 天津理工大学计算机科学与工程学院, 天津 300384
2. 计算机病毒防治技术国家工程实验室, 天津 300384

收稿日期:2024-05-06 修回日期:2024-07-15 出版日期:2026-01-15 发布日期:2026-01-15
通讯作者: 王春东
作者简介:
王春东(CCF会员)，男，教授、博士生导师，主研方向为网络信息安全、普适计算
赵智航, 硕士研究生
杨伟杰, 硕士研究生
方顺尧, 硕士研究生
基金资助:
国家重点研发计划"区块链"重点专项(2023YFB2703903); 国家重点研发计划"科技助力经济2020"重点专项(SQ2020YFF0413781)

Adversarial Sample Generation Method for Chinese Text Based on Word Reproduction

WANG Chundong¹^,²^,*(), ZHAO Zhihang¹^,², YANG Weijie¹^,², FANG Shunyao¹^,²

1. School of Computer Science and Engineering, Tianjin University of Technology, Tianjin 300384, China
2. National Engineering Laboratory for Computer Virus Prevention and Control Technology, Tianjin 300384, China

Received:2024-05-06 Revised:2024-07-15 Online:2026-01-15 Published:2026-01-15
Contact: WANG Chundong

摘要/Abstract

摘要：

随着海量数据的积累以及计算能力的不断提高, 深度神经网络(DNN)已广泛应用于图像识别、文本分类等各个领域。然而, 有研究表明, 基于DNN的文本分类模型经常受到攻击者恶意构造的对抗样本攻击, 攻击者可以通过删除和修改原始文本、插入混淆语句以及加入标点符号等方式使得模型分类结果发生改变。现有的对抗样本生成方法大多以牺牲隐蔽性为代价, 采用多类型替换池杂糅的方式来提高攻击准确率, 无法兼顾攻击成功率和对抗样本的隐蔽性。为解决此问题, 提出一种针对对抗样本隐蔽性进行设计的中文对抗样本生成方法WordReproduction, 通过汉字本身词性并结合字词级维度来计算汉字的显著性得分, 在关键字词替换模块中利用形近字向量空间、字形拆分候选池和词语倒置3种字形替换方法, 分别对关键字和词进行替换, 并根据汉字的形态特征设计字形相似度评估算法, 更好地量化对抗样本与原文之间的相似程度。实验结果表明, WordReproduction方法生成的对抗样本在攻击成功率和字形相似度上均优于基线方法, 在情感分类场景的Transformer模型上, 相比WordHandling方法, WordReproduction的攻击成功率和字形相似度得分分别提高了51.64百分点和0.53, 其生成的对抗样本不仅能够误导模型的分类结果, 而且具有较高的隐蔽性, 使得人类阅读者很难察觉。

关键词: 深度神经网络, 文本分类, 对抗样本生成, 字形替换, 相似度评估

Abstract:

With the accumulation of massive amounts of data and continuous improvements in computing power, Deep Neural Networks (DNN) have been widely used in various tasks such as image recognition and text classification. However, studies have shown that DNN-based text classification models are often subjected to adversarial sample attacks that are maliciously constructed by attackers. Attackers can alter the classification results of a model by deleting or modifying the original text, inserting obfuscated statements, or adding punctuation marks. Most existing adversarial sample generation methods sacrifice concealment and adopt a hybrid approach involving a variety of replacement pools to improve attack accuracy, which cannot balance the attack success rate and the concealment of adversarial samples. To solve this problem, this study proposes a Chinese adversarial sample generation method called WordReproduction, which is designed to conceal adversarial samples. The saliency score of the Chinese characters is calculated by combining the parts-of-speech of the characters themselves with the word level dimension. In the keyword replacement module, three glyph replacement methods are used to replace keywords and words: near-word vector space, glyph splitting candidate pool, and word inversion. Based on the morphological characteristics of Chinese characters, the study also designs a glyph similarity evaluation algorithm to better quantify the similarity between adversarial samples and the original text. Experimental results show that the adversarial samples generated by WordReproduction are superior to those generated by the baseline method in terms of the attack success rate and glyph similarity. When using the Transformer model for sentiment classification, compared with the WordHandling method, the attack success rate and glyph similarity score of WordReproduction increase by 51.64 percentage points and 0.53, respectively. The generated adversarial samples not only mislead the classification results of the model but also have high concealment, making them difficult for human readers to detect.

Key words: Deep Neural Network (DNN), text classification, adversarial sample generation, glyph replacement, similarity assessment

王春东, 赵智航, 杨伟杰, 方顺尧. 基于字词重现的中文文本对抗样本生成方法[J]. 计算机工程, 2026, 52(1): 303-313.

WANG Chundong, ZHAO Zhihang, YANG Weijie, FANG Shunyao. Adversarial Sample Generation Method for Chinese Text Based on Word Reproduction[J]. Computer Engineering, 2026, 52(1): 303-313.

https://www.ecice06.com/CN/Y2026/V52/I1/303

图/表 13

图1 WordReproduction方法整体框架

Fig.1 Overall framework of the WordReproduction method

图2 汉字字形嵌入空间生成流程

Fig.2 Process of generating embedding space for Chinese character shapes

图3 在THUCNews数据集上生成对抗样本的字形相似度数

Fig.3 Glyph similarity counts for generating adversarial samples on the THUCNews dataset

图4 在淘宝评价数据集上生成对抗样本的字形相似度数

Fig.4 Glyph similarity counts for generating adversarial samples on the Taobao evaluation dataset

图5 不同字形相似度下的攻击成功率

Fig.5 Attack success rate under different glyph similarity

参考文献 31

1	ZHOU L J, CUI P, ZHANG X X, et al. Adversarial eigen attack on BlackBox models[C]//Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR). Washington D.C., USA: IEEE Press, 2022: 15233-15241.
2	LAYKAVIRIYAKUL P , PHAISANGITTISAGUL E . Collaborative Defense-GAN for protecting adversarial attacks on classification system. Expert Systems with Applications, 2023, 214, 118957. doi: 10.1016/j.eswa.2022.118957
3	GOODFELLOW I J, SHLENS J, SZEGEDY C. Explaining and harnessing adversarial examples[EB/OL]. [2023-10-05]. https://arxiv.org/abs/1412.6572.
4	MADRY A, MAKELOV A, SCHMIDT L, et al. Towards deep learning models resistant to adversarial attacks[EB/OL]. [2023-10-05]. https://arxiv.org/abs/1706.06083.
5	DING X H, ZHANG X Y, HAN J G, et al. Scaling up your kernels to 31×31: revisiting large kernel design in CNNs[C]//Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR). Washington D.C., USA: IEEE Press, 2022: 11953-11965.
6	LONG Y X, WEN Y P, HAN J H, et al. CapDet: unifying dense captioning and open-world detection pretraining[C]//Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR). Washington D.C., USA: IEEE Press, 2023: 15233-15243.
7	MA J, GANCHEV K, WEISS D. State-of-the-art Chinese word segmentation with Bi-LSTMs[C]//Proceedings of the 2018 Conference on Empirical Methods in Natural Language Processing. [S. l. ]: ACL, 2018: 4902-4908.
8	JURAFSKY D, MARTIN J H. Sequence labeling for parts of speech and named entities[EB/OL]. [2023-10-05]. https://web.stanford.edu/~jurafsky/slp3/17.pdf.
9	WANG Y C, YU B W, ZHU H S, et al. Discontinuous named entity recognition as maximal clique discovery[EB/OL]. [2023-10-05]. https://aclanthology.org/2021.acl-long.63/.
10	LIN Z, FENG M, SANTOS C N D, et al. A structured self-attentive sentence embedding[EB/OL]. [2023-10-05]. https://arxiv.org/abs/1703.03130.
11	XU H , MA Y , LIU H C , et al. Adversarial attacks and defenses in images, graphs and text: a review. International Journal of Automation and Computing, 2020, 17 (2): 151- 178. doi: 10.1007/s11633-019-1211-x
12	GUO H C, ZHANG Q L, LUO J W, et al. Practical deep dispersed watermarking with synchronization and fusion[C]//Proceedings of the 31st ACM International Conference on Multimedia. New York, USA: ACM Press, 2023: 7922-7932.
13	BOWMAN S R, VILNIS L, VINYALS O, et al. Generating sentences from a continuous space[EB/OL]. [2023-10-05]. https://arxiv.org/abs/1511.06349.
14	SZEGEDY C, ZAREMBA W, SUTSKEVER I, et al. Intriguing properties of neural networks[EB/OL]. [2023-10-05]. https://arxiv.org/abs/1312.6199.
15	PAPERNOT N, MCDANIEL P, SWAMI A, et al. Crafting adversarial input sequences for recurrent neural networks[C]//Proceedings of the MILCOM IEEE Military Communications Conference. Washington D.C., USA: IEEE Press, 2016: 49-54.
16	YANG P , CHEN J , HSIEH C J , et al. Greedy attack and gumbel attack: generating adversarial examples for discrete data. Journal of Machine Learning Research, 2020, 21 (43): 1- 36.
17	SAMUELSON W , ZECKHAUSER R . Status quo bias in decision making. Journal of Risk and Uncertainty, 1988, 1 (1): 7- 59. doi: 10.1007/BF00055564
18	王文琦, 汪润, 王丽娜, 等. 面向中文文本倾向性分类的对抗样本生成方法. 软件学报, 2019, 30 (8): 2415- 2427.
	WANG W Q , WANG R , WANG L N , et al. Adversarial examples generation approach for tendency classification on Chinese texts. Journal of Software, 2019, 30 (8): 2415- 2427.
19	仝鑫, 王罗娜, 王润正, 等. 面向中文文本分类的词级对抗样本生成方法. 信息网络安全, 2020, 20 (9): 12- 16.
	TONG X , WANG L N , WANG R Z , et al. A word-level adversarial sample generation method for Chinese text categorization. Information Network Security, 2020, 20 (9): 12- 16.
20	JIN R, WU C H. WordErrorSim: an adversarial examples generation method in Chinese by erroneous knowledge[C]//Proceedings of the 2021 International Conference on Compute and Data Analysis. New York, USA: ACM Press, 2021: 155-161.
21	王春东, 孙嘉琪, 杨文军. 基于矫正理解的中文文本对抗样本生成方法. 计算机工程, 2023, 49 (2): 37- 45. doi: 10.19678/j.issn.1000-3428.0065762
	WANG C D , SUN J Q , YANG W J . A method for generating adversarial samples of Chinese text based on corrective understanding. Computer Engineering, 2023, 49 (2): 37- 45. doi: 10.19678/j.issn.1000-3428.0065762
22	李相葛, 罗红, 孙岩. 基于汉语特征的中文对抗样本生成方法. 软件学报, 2023, 34 (11): 5143- 5161.
	LI X G , LUO H , SUN Y . A method for generating Chinese adversarial samples based on Chinese features. Journal of Software, 2023, 34 (11): 5143- 5161.
23	RIEGLER A. The role of anticipation in cognition[EB/OL]. [2023-10-05]. https://constructivist.info/riegler/pub/Riegler%20A.%20(2001)%20The%20role%20of%20anticipation%20in%20cognition.pdf.
24	WANG W, WANG R, WANG L, et al. Towards a robust deep neural network in texts: a survey[EB/OL]. [2023-10-05]. https://arxiv.org/abs/1902.07285.
25	张鹏. 论文字图形的视觉心理特征[D]. 桂林: 广西师范大学, 2010.
	ZHANG P. On the visual psychological characteristics of characters and graphics[D]. Guilin: Guangxi Normal University, 2010. (in Chinese)
26	于海燕, 陆慧娟, 郑文斌. 情感分类中基于词性嵌入的特征权重计算方法. 计算机工程与应用, 2017, 53 (22): 121- 125.
	YU H Y , LU H J , ZHENG W B . Feature weighting method based on part of speech embedding for sentiment classification. Computer Engineering and Applications, 2017, 53 (22): 121- 125.
27	OU H X , YU L , TIAN S W , et al. An adversarial-example generation method for Chinese sentiment tendency classification based on audiovisual confusion and contextual association. Knowledge and Information Systems, 2023, 65 (12): 5231- 5258. doi: 10.1007/s10115-023-01946-y
28	黄大方. 四角号码法及其优化. 汕头大学学报, 1994 (2): 1- 11.
	HUANG D F . Four-corner numbering method and its optimization. Journal of Shantou University, 1994 (2): 1- 11.
29	JOHNSON R, ZHANG T. Deep pyramid convolutional neural networks for text categorization[C]//Proceedings of the 55th Annual Meeting of the Association for Computational Linguistics. [S. l. ]: ACL, 2017: 562-570.
30	VASWANI A, SHAZEER N, PARMAR N, et al. Attention is all you need[EB/OL]. [2023-10-05]. https://arxiv.org/abs/1706.03762.
31	SUN Y, WANG S, LI Y, et al. ERNIE: enhanced representation through knowledge integration[EB/OL]. [2023-10-05]. https://arxiv.org/abs/1904.09223.

[1]	王熠, 李智, 张丽, 石雪丽, 刘登波, 卢妤. 基于遥感图像场景分类的频域量化对抗攻击[J]. 计算机工程, 2026, 52(1): 266-281.
[2]	夏倪明, 张洁. 基于自适应集束搜索算法的中文对抗样本生成[J]. 计算机工程, 2025, 51(8): 131-140.
[3]	田青, 王斌, 周子枭. 无监督行人重识别研究综述[J]. 计算机工程, 2025, 51(7): 12-30.
[4]	侯彦, 车蕾, 李慧. 面向中文的多层次扰动定位文本对抗样本生成方法[J]. 计算机工程, 2025, 51(7): 232-243.
[5]	郑诚, 李鹏飞. 基于双超图神经网络特征融合的文本分类[J]. 计算机工程, 2025, 51(6): 127-135.
[6]	郭佩林, 张德, 王怀秀. 基于特征可视化探究跳跃连接结构对深度神经网络特征提取的影响[J]. 计算机工程, 2025, 51(4): 149-157.
[7]	赵宏, 宋馥荣, 李文改. 基于SE-AdvGAN的图像对抗样本生成方法研究[J]. 计算机工程, 2025, 51(2): 300-311.
[8]	黄舒怡, 谭光. 基于分区的高效视频目标检测[J]. 计算机工程, 2025, 51(2): 65-77.
[9]	杨翰林, 黄瑞章, 秦永彬. 融合标签关系与法条逻辑的案情要素识别方法[J]. 计算机工程, 2025, 51(12): 119-129.
[10]	刘婷, 董理, 严迪群, 王让定. 基于先验分布的抗JPEG压缩的鲁棒图像隐写[J]. 计算机工程, 2025, 51(11): 235-245.
[11]	路悦, 周翔宇, 张世周, 梁国强, 邢颖慧, 程德, 张艳宁. 基于预训练的持续学习方法综述(特邀)[J]. 计算机工程, 2025, 51(10): 1-17.
[12]	钱来, 赵卫伟. 基于对比学习和注意力机制的文本分类方法[J]. 计算机工程, 2024, 50(7): 104-111.
[13]	宫阿娟, 潘天荣. 多病种眼底疾病诊断的深度学习策略讨论[J]. 计算机工程, 2024, 50(5): 363-372.
[14]	游奔, 李晓红, 姚锦, 冯绍杰. 基于多粒度图与注意力机制的半监督短文本分类[J]. 计算机工程, 2024, 50(5): 83-90.
[15]	刘帅威, 李智, 王国美, 张丽. 基于Transformer和GAN的对抗样本生成算法[J]. 计算机工程, 2024, 50(2): 180-187.

选择文件类型/文献管理软件名称

选择包含的内容

基于字词重现的中文文本对抗样本生成方法

Adversarial Sample Generation Method for Chinese Text Based on Word Reproduction

RichHTML

PDF

可视化

被引次数

摘要/Abstract

引用本文

使用本文

图/表 13

参考文献 31

相关文章 15

编辑推荐

Metrics

本文评价

模态框（Modal）标题

选择文件类型/文献管理软件名称

选择包含的内容

基于字词重现的中文文本对抗样本生成方法

Adversarial Sample Generation Method for Chinese Text Based on Word Reproduction

RichHTML

PDF

可视化

被引次数

摘要/Abstract

引用本文

使用本文

图/表 13

参考文献 31

相关文章 15

编辑推荐

Metrics

本文评价