Research On Adversarial Example Generation And Defense For Chinese Text

Posted on: 2024-03-18 | Degree: Master | Type: Thesis
Country: China | Candidate: J Q Sun
GTID: 2568307127461104 | Subject: Computer technology
Abstract/Summary:
The rapid development of natural language processing technology has brought great convenience to human society, but there are hidden security risks behind this outstanding technology. Researchers have found that natural language processing technology is very vulnerable to adversarial example attacks, which lead to a decline in model accuracy and affect the safe operation of related systems. Research on natural language adversarial examples has therefore gradually attracted the attention of researchers. At present, research in this field is relatively mature for English, but research results for Chinese are insufficient, and because of the differences between Chinese and English, the mature methods for English cannot be transferred directly to Chinese. In view of this lack of research results for Chinese, this paper conducts research from the perspectives of Chinese text adversarial example generation and defense. The main contributions are as follows:

1. To solve the problem that it is difficult to add perturbations with existing Chinese text adversarial example generation methods, a new method named Word Illusion is proposed. First, a new Chinese keyword selection function, CKSF, is constructed to measure the importance of words, so as to solve the problem, ignored by existing methods, of how to filter keywords that have the same contribution. Second, the psychological theory of Rectification Understanding is integrated into the generation of adversarial examples to solve the problem that adversarial perturbations are weakly deceptive, in order to generate new adversarial examples. The experimental results show that the method has three advantages. (1) Effectiveness: under the same perturbation rate, the attack success rate of Word Illusion in different scenarios is higher than that of the baseline method. (2) Highly deceptive: the difference between the adversarial examples generated by Word Illusion and the original text is not easy to discover. (3) Strong generalization: Word Illusion has successfully attacked several text classification models, which cover most of the current text classification models.

2. Aiming at the problems of existing Chinese text adversarial example defense methods, such as a single defense target, long defense time, and the difficulty of transferring English methods to Chinese, a Chinese text adversarial example defense framework named WEC is proposed. According to the different categories of known adversarial example attack methods, the framework proposes three word modification strategies. It uses the Delete and Transfer strategies from traditional text error correction, and uses multimodal thinking to build a glyph embedding space. Based on the glyph embedding space and a homophone library, a Replace strategy is proposed to eliminate the character replacement perturbations in adversarial examples, with a view to providing a comprehensive and effective defense against existing attacks. The experimental results show that WEC has three advantages. (1) Lightweight: the processing time cost of defending against adversarial examples with WEC is low, which is convenient for large-scale defense against adversarial examples. (2) Effectiveness: WEC defends against adversarial example attacks, has no impact on the classification success rate of the model itself, and ensures the readability of the defended text. (3) Strong generalization: WEC has a high defense success rate against adversarial examples generated by various text adversarial example attack methods.

Keywords/Search Tags: Natural Language Processing, Chinese text, Adversarial example generation, Adversarial example defense