Natural Adversarial Sentence Generation with Gradient-based Perturbation

TL;DR

This paper introduces a gradient-based method for generating natural language adversarial examples to test and improve the robustness of text classification models, demonstrating effectiveness in both white-box and black-box settings.

Contribution

It presents a novel gradient-based perturbation algorithm combined with a decoder for generating natural adversarial sentences, advancing the realism and applicability of adversarial attacks in NLP.

Findings

Achieved a 20% decrease in accuracy on a sentiment analysis API.

Generated more natural adversarial examples compared to previous methods.

Proved effectiveness in black-box attack scenarios.

Abstract

This work proposes a novel algorithm to generate natural language adversarial input for text classification models, in order to investigate the robustness of these models. It involves applying gradient-based perturbation on the sentence embeddings that are used as the features for the classifier, and learning a decoder for generation. We employ this method to a sentiment analysis model and verify its effectiveness in inducing incorrect predictions by the model. We also conduct quantitative and qualitative analysis on these examples and demonstrate that our approach can generate more natural adversaries. In addition, it can be used to successfully perform black-box attacks, which involves attacking other existing models whose parameters are not known. On a public sentiment analysis API, the proposed method introduces a 20% relative decrease in average accuracy and 74% relative increase in absolute error.