HotFlip: White-Box Adversarial Examples for Text Classification
Javid Ebrahimi, Anyi Rao, Daniel Lowd, Dejing Dou
TL;DR
This paper introduces HotFlip, an efficient white-box method for generating adversarial examples in text classification by manipulating tokens based on gradient information, improving model robustness through adversarial training.
Contribution
The paper presents a novel gradient-based atomic flip method for creating adversarial text examples and extends it to word-level classifiers with semantic constraints.
Findings
Few token manipulations significantly reduce classifier accuracy.
Adversarial training with HotFlip improves model robustness.
Method adapts to both character-level and word-level classifiers.
Abstract
We propose an efficient method to generate white-box adversarial examples to trick a character-level neural classifier. We find that only a few manipulations are needed to greatly decrease the accuracy. Our method relies on an atomic flip operation, which swaps one token for another, based on the gradients of the one-hot input vectors. Due to efficiency of our method, we can perform adversarial training which makes the model more robust to attacks at test time. With the use of a few semantics-preserving constraints, we demonstrate that HotFlip can be adapted to attack a word-level classifier as well.
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Code & Models
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Taxonomy
TopicsAdversarial Robustness in Machine Learning · Topic Modeling · Advanced Malware Detection Techniques