Semantic-Preserving Adversarial Text Attacks

Yang, X; Gong, Y; Liu, W; Bailey, J; Tao, D; Liu, W

Semantic-Preserving Adversarial Text Attacks

Yang, X

Gong, Y Liu, W

Bailey, J Tao, D Liu, W

Permalink

Publisher:: Institute of Electrical and Electronics Engineers (IEEE)
Publication Type:: Journal Article
Citation:: IEEE Transactions on Sustainable Computing, 2023, PP, (99), pp. 1-13
Issue Date:: 2023-01-01

Embargoed

	Filename	Description	Size
	Semantic-Preserving Adversarial Text Attacks.pdf	Accepted version	302.47 kB	Adobe PDF	View/Open

Copyright Clearance Process

Recently Added
In Progress
Embargoed
Open Access

This item is currently unavailable due to the publisher's embargo.

The embargo period expires on 31 Mar 2025

Full metadata record

Field	Value	Language
dc.contributor.author	Yang, X https://orcid.org/0000-0001-6487-3183
dc.contributor.author	Gong, Y
dc.contributor.author	Liu, W https://orcid.org/0000-0002-3003-1313
dc.contributor.author	Bailey, J
dc.contributor.author	Tao, D
dc.contributor.author	Liu, W https://orcid.org/0000-0002-3003-1313
dc.date.accessioned	2023-07-18T12:05:56Z
dc.date.available	2023-07-18T12:05:56Z
dc.date.issued	2023-01-01
dc.identifier.citation	IEEE Transactions on Sustainable Computing, 2023, PP, (99), pp. 1-13
dc.identifier.issn	2377-3790
dc.identifier.issn	2377-3782
dc.identifier.uri	http://hdl.handle.net/10453/171563
dc.description.abstract	Deep learning models are known immensely brittle to adversarial text examples. Existing text adversarial attack strategies can be roughly divided into character-level, word-level, and sentence-level attacks. Despite the success brought by recent text attack methods, how to induce misclassification with minimal text modifications while keeping the lexical correctness, syntactic soundness, and semantic consistency is still a challenge. In this paper, we devise a Bigram and Unigram-based adaptive Semantic Preservation Optimization (BU-SPO) approach which attacks text documents not only at a unigram word level but also at a bigram level to avoid generating meaningless sentences. We also present a hybrid attack strategy that collects substitution words from both synonyms and sememe candidates, to enrich the potential candidate set. Besides, a Semantic Preservation Optimization (SPO) method is devised to determine the word substitution priority and reduce the perturbation cost. Furthermore, we constrain the SPO with a semantic Filter (dubbed SPOF) to improve the semantic similarity. To estimate the effectiveness of our proposed methods, BU-SPO and BU-SPOF, we attack four victim deep learning models trained on three text datasets. Experimental results demonstrate that our approaches accomplish the highest semantics consistency and attack success rates by making minimal word modifications compared with competitive methods.
dc.language	en
dc.publisher	Institute of Electrical and Electronics Engineers (IEEE)
dc.relation.ispartof	IEEE Transactions on Sustainable Computing
dc.relation.isbasedon	10.1109/TSUSC.2023.3263510
dc.rights	info:eu-repo/semantics/embargoedAccess
dc.subject.classification	40 Engineering
dc.subject.classification	46 Information and computing sciences
dc.title	Semantic-Preserving Adversarial Text Attacks
dc.type	Journal Article
utslib.citation.volume	PP
pubs.organisational-group	/University of Technology Sydney
pubs.organisational-group	/University of Technology Sydney/Faculty of Engineering and Information Technology
pubs.organisational-group	/University of Technology Sydney/Strength - AAI - Advanced Analytics Institute Research Centre
pubs.organisational-group	/University of Technology Sydney/Faculty of Engineering and Information Technology/School of Computer Science
utslib.copyright.status	embargoed	*
utslib.copyright.embargo	2025-03-31T00:00:00+1000Z
dc.date.updated	2023-07-18T12:05:54Z
pubs.issue	99
pubs.publication-status	Published
pubs.volume	PP
utslib.citation.issue	99

Abstract:

Deep learning models are known immensely brittle to adversarial text examples. Existing text adversarial attack strategies can be roughly divided into character-level, word-level, and sentence-level attacks. Despite the success brought by recent text attack methods, how to induce misclassification with minimal text modifications while keeping the lexical correctness, syntactic soundness, and semantic consistency is still a challenge. In this paper, we devise a Bigram and Unigram-based adaptive Semantic Preservation Optimization (BU-SPO) approach which attacks text documents not only at a unigram word level but also at a bigram level to avoid generating meaningless sentences. We also present a hybrid attack strategy that collects substitution words from both synonyms and sememe candidates, to enrich the potential candidate set. Besides, a Semantic Preservation Optimization (SPO) method is devised to determine the word substitution priority and reduce the perturbation cost. Furthermore, we constrain the SPO with a semantic Filter (dubbed SPOF) to improve the semantic similarity. To estimate the effectiveness of our proposed methods, BU-SPO and BU-SPOF, we attack four victim deep learning models trained on three text datasets. Experimental results demonstrate that our approaches accomplish the highest semantics consistency and attack success rates by making minimal word modifications compared with competitive methods.

Please use this identifier to cite or link to this item:

http://hdl.handle.net/10453/171563