A Multi-level Chinese Adversarial Example Generation Method Based on Glyph and Semantic

doi:10.19678/j.issn.1000-3428.0070755

Abstract

Abstract: Deep neural network language models are vulnerable to adversarial attacks during application, where adversarial samples can be generated by adding small perturbations to original samples to mislead models into making incorrect decisions. Research on adversarial sample generation methods effectively reveals and evaluates model robustness deficiencies. Existing Chinese adversarial sample generation methods mostly focus on improving attack success rates while neglecting quality metrics like sample stealthiness. This research focuses on Chinese text adversarial sample generation techniques and proposes CMSPSO, a multi-level adversarial sample generation method that combines Chinese character glyph and semantic information, considering the unique characteristics of Chinese characters in glyph structure and semantic features. CMSPSO uses particle swarm optimization algorithms to search for suitable replacement combinations in pre-designed replacement knowledge bases to generate adversarial samples. CMSPSO-M combines visually similar multi-language character features and constructs a high-quality visual replacement character knowledge base through trained siamese neural networks to calculate visual similarity for character-level adversarial sample generation. CMSPSO-S builds semantic replacement word knowledge bases based on HowNet and WordNet to generate word-level adversarial samples, evaluated through attack effectiveness and attack cost metrics. Experimental results demonstrate that CMSPSO exhibits significant attack effectiveness across multiple models and datasets. In particular, CMSPSO-M achieves an attack success rate of 84.22% against the Roberta model on the XNLI dataset. Furthermore, CMSPSO shows clear advantages in attack cost metrics and outperforms baseline methods in overall performance.

摘要： 深度神经网络语言模型在应用过程中容易受到对抗样本攻击，通过在原始样本中添加微小扰动，生成对抗样本，以误导模型做出错误决策。通过研究对抗样本的生成方法，可以有效发现并评估模型的鲁棒性缺陷。现有的中文对抗样本生成方法大多关注于如何提升对抗样本的攻击成功率，而忽略了对抗样本的隐蔽性等质量指标。该研究关注中文文本对抗样本生成技术，结合中文在字形结构和语义特征方面的独特性，提出了一种结合汉字字形和语义信息的多级对抗样本生成方法CMSPSO。CMSPSO通过利用粒子群优化算法在预先设计的替换知识库中搜索合适的替换组合生成对抗样本。其中，CMSPSO-M结合汉字的多语言形近字特征，通过训练的孪生神经网络计算形近字相似度，构建了高质量视觉替换字知识库以生成字符级对抗样本；CMSPSO-S则基于HowNet和WordNet构建语义替换词知识库生成词级对抗样本，并通过攻击效果和攻击代价指标进行评估。实验结果表明，CMSPSO在多个模型和数据集上均展现出了显著的攻击效果，尤其在XNLI数据集上，CMSPSO-M对Roberta模型的攻击成功率达到了84.22%。此外，在攻击代价指标方面，CMSPSO也表现出明显优势，整体性能优于基线方法。

SUN Yu, WANG Honejie, DU Yanhui, LIU Nan. A Multi-level Chinese Adversarial Example Generation Method Based on Glyph and Semantic[J]. Computer Engineering, doi: 10.19678/j.issn.1000-3428.0070755.

孙宇, 王红杰, 杜彦辉, 刘楠. 基于字形和语义的多级中文对抗样本生成方法[J]. 计算机工程, doi: 10.19678/j.issn.1000-3428.0070755.

/ Recommend / Download Citations

URL: https://www.ecice06.com/EN/10.19678/j.issn.1000-3428.0070755

References

[1] BHARADIYA J. A comprehensive survey of deep learning techniques natural language processing[J]. European Journal of Technology, 2023, 7(1): 58-66.
[2] WANG X, WANG H, YANG D. Measure and improve robustness in NLP models: A survey[J]. arXiv preprint arXiv:2112.08313, 2021.
[3] GOYAL S, DODDAPANENI S, KHAPRA M M, et al. A survey of adversarial defenses and robustness in nlp[J]. ACM Computing Surveys, 2023, 55(14s): 1-39.
[4] SZEGEDY C. Intriguing properties of neural networks[J]. arXiv preprint arXiv:1312.6199, 2013.
[5] HENDRYCKS D, ZHAO K, BASART S, et al. Natural adversarial examples[C]//Proceedings of the IEEE/CVF conference on computer vision and pattern recognition. 2021: 15262-15271.
[6] SHARIF M, BHAGAVATULA S, BAUER L, et al. A general framework for adversarial examples with objectives[J]. ACM Transactions on Privacy and Security (TOPS), 2019, 22(3): 1-30.
[7] WANG W, WANG R, WANG L, et al. Towards a robust deep neural network in texts: A survey[J]. arXiv preprint arXiv:1902.07285, 2019.
[8] 仝鑫,王斌君,王润正,等.面向自然语言处理的深度学习对抗样本综述[J].计算机科学,2021,48(01):258-267. TONG Xin, WANG Binjun, WANG Runzheng, et al. Survey on Adversarial $ample of Deep Learning Towards Natural Language Processing [J]. Computer Science, 2021, 48(01): 258-267.
[9] 尹思纯.中国书法在日本的传播及其对中文教学的影响研究[D].江苏大学,2022. YIN Sichun. The Dissemination of Chinese Calligraphy and Its Influence onChinese Language Teaching in Japan [D]. Jiangsu University, 2022.
[10] QI F, YANG C, LIU Z, et al. Openhownet: An open sememe-based lexical knowledge base[J]. arXiv preprint arXiv:1901.09957, 2019.
[11] FELLBAUM C. WordNet[M]//Theory and applications of ontology: computer applications. Dordrecht: Springer Netherlands, 2010: 231-243.
[12] MARINI F, WALCZAK B. Particle swarm optimization (PSO). A tutorial[J]. Chemometrics and Intelligent Laboratory Systems, 2015, 149: 153-165.
[13] KOCH G, ZEMEL R, SALAKHUTDINOV R. Siamese neural networks for one-shot image recognition[C]//ICML deep learning workshop. 2015, 2(1): 1-30.
[14] GARG S, RAMAKRISHNAN G. Bae: Bert-based adversarial examples for text classification[J]. arXiv preprint arXiv:2004.01970, 2020.
[15] XIAO C, LI B, ZHU J Y, et al. Generating adversarial examples with adversarial networks[J]. arXiv preprint arXiv:1801.02610, 2018.
[16] ZANG Y, QI F, YANG C, et al. Word-level textualadversarial attacking as combinatorial optimization[J]. arXiv preprint arXiv:1910.12196, 2019.
[17] JIN D, JIN Z, ZHOU J T, et al. Is bert really robust? a strong baseline for natural language attack on text classification and entailment[C]//Proceedings of the AAAI conference on artificial intelligence. 2020, 34(05): 8018-8025.
[18] REN S, DENG Y, HE K, et al. Generating natural language adversarial examples through probability weighted word saliency[C]//Proceedings of the 57th annual meeting of the association for computational linguistics. 2019: 1085-1097.
[19] XU X, KONG K, LIU N, et al. An LLM can Fool Itself: A Prompt-Based Adversarial Attack[EB/OL]. 2023. arXiv preprint arXiv:2310.13345.
[20] 仝鑫,王罗娜,王润正,等.面向中文文本分类的词级对抗样本生成方法[J].信息网络安全,2020,20(09):12-16. TONG Xin, WANG Luona, WANG Runzheng, et al. A Generation Method of Word-level Adversarial Samples for Chinese Text Classification [J]. Netinfo Security, 2020, 20(09): 12-16.
[21] 弓燕,张晓琳,刘月峰,等.面向中文文本分类的对抗样本生成方法[J].电子器件,2023,46(05):1349-1356. GONG Yan, ZHANG Xiaolin, LIU Yuefeng, et al. Adversarial Examples Generation Method for Chinese Text Classification [J]. Electronic Devices, 2023, 46(05): 1349-1356.
[22] 李相葛,罗红,孙岩.基于汉语特征的中文对抗样本生成方法[J].软件学报,2023,34(11):5143-5161. LI Xiangge, LUO Hong, SUN Yan. Adversarial Sample Generation Method Based on Chinese Features [J]. Journal of Software, 2023, 34(11): 5143-5161.
[23] 张云婷,叶麟,唐浩林,等.基于掩码语言模型的中文 BERT 攻击方法[J].软件学报,2024,35(07):3392-3409. ZHANG Yunting, YE Lin, TANG Haolin, et al. Chinese BERT Attack Method Based on Masked Language Model [J]. Journal of Software, 2024, 35(07): 3392-3409.
[24] 陈鸣,杜庆治,邵玉斌,等.基于音形码的汉字相似度比对算法[J].信息技术,2018,(11):73-75. CHEN Ming, DU Qingzhi, SHAO Yubin, et al. Chinese characters similarity comparison algorithm based on phonetic code and shape code[J]. Information Technology, 2018, (11): 73-75.
[25] LIJUAN Z, YINGYING Z, ZHIWEI L, et al. The role of orthographic and phonological processing during reading Chinese sentences: Evidence from eye movements[J]. Frontiers in Psychology, 2023, 14: 1148815.
[26] TAYLOR I, TAYLOR M M. Writing and Literacy in Chinese, Korean and Japanese: Revised edition[M]. John Benjamins Publishing Company, 2014.
[27] WAND Y, KEULEERS E. Simplified Chinese Character Distance Based on Ideographic Description Sequences[C]//Proceedings of the Second Workshop on Computation and Written Language (CAWL)@ LREC-COLING 2024. 2024: 59-66.
[28] NIU Y, XIE R, LIU Z, et al. Improved word representation learning with sememes[C]//Proceedings of the 55th Annual Meeting of the Association for Computational Linguistics (Volume 1: Long Papers). 2017: 2049-2058.
[29] RANA S, JASOLA S, KUMAR R. A review on particle swarm optimization algorithms and their applications to data clustering[J]. Artificial Intelligence Review, 2011, 35: 211-222.
[30] 孙茂松，李景阳，郭志芃,等. THUCTC：一个高效的中文文本分类工具包 [EB/OL]. [2024-09-15]. http://thuctc.thunlp.org/. SUN Maosong, LI Jingyang, GUO Zhipeng, et al. THUCTC: An Efficient Chinese Text Classifier[EB/OL]. [2024-09-15]. http://thuctc.thunlp.org/.
[31] CONNEAU A, LAMPLE G, RINOTT R, et al. XNLI: Evaluating cross-lingual sentence representations[J]. arXiv preprint arXiv:1809.05053, 2018.
[32] ZENG G, QI F, ZHOU Q, et al. Openattack: An open-source textual adversarial attack toolkit[J]. arXiv preprint arXiv:2009.09191, 2020.
[33] RUBLEE E, RABAUD V, KONOLIGE K, et al. ORB: An efficient alternative to SIFT or SURF[C]//2011 International conference on computer vision. Ieee, 2011:2564-2571.
[34] KARAMI E, PRASAD S, SHEHATA M. Image matching using SIFT, SURF, BRIEF and ORB: performance comparison for distorted images[J]. arXiv preprint arXiv:1710.02726, 2017.
[35] AGBEMUKO D I, OKOKPUJIE I P, SALAMI M J E, et al. Automated data extraction and character recognition for handwritten test scripts using image processing and convolutional neural networks[J]. Nigerian Journal of Technological Development, 2024, 21(4): 97-115.
[36] DUBEY R, DAS I. Handwritten image detection using DCGAN with sift and orb optical features[C]//2023 6th International Conference on Information Systems and Computer Networks (ISCON). IEEE, 2023: 1-6.

Please choose a citation manager

Content to export