EvaLDA: Efficient Evasion Attacks Towards Latent Dirichlet Allocation

TL;DR

This paper investigates the vulnerability of Latent Dirichlet Allocation (LDA) models to adversarial evasion attacks, formalizes the attack as an NP-hard optimization problem, and proposes an efficient algorithm called EvaLDA, demonstrating its effectiveness through empirical evaluations.

Contribution

The paper introduces EvaLDA, a novel efficient algorithm for evasion attacks on LDA, and provides the first formalization and empirical analysis of LDA's security vulnerabilities.

Findings

EvaLDA can significantly increase the rank of a target topic with minimal word replacements.

Evasion attack on LDA is NP-hard, highlighting its computational complexity.

Empirical results show EvaLDA effectively manipulates LDA outputs on real datasets.

Abstract

As one of the most powerful topic models, Latent Dirichlet Allocation (LDA) has been used in a vast range of tasks, including document understanding, information retrieval and peer-reviewer assignment. Despite its tremendous popularity, the security of LDA has rarely been studied. This poses severe risks to security-critical tasks such as sentiment analysis and peer-reviewer assignment that are based on LDA. In this paper, we are interested in knowing whether LDA models are vulnerable to adversarial perturbations of benign document examples during inference time. We formalize the evasion attack to LDA models as an optimization problem and prove it to be NP-hard. We then propose a novel and efficient algorithm, EvaLDA to solve it. We show the effectiveness of EvaLDA via extensive empirical evaluations. For instance, in the NIPS dataset, EvaLDA can averagely promote the rank of a target topic from 10 to around 7 by only replacing 1% of the words with similar words in a victim document. Our work provides significant insights into the power and limitations of evasion attacks to LDA models.