Multi-granularity Textual Adversarial Attack with Behavior Cloning

TL;DR

This paper introduces MAYA, a multi-granular textual adversarial attack model that efficiently generates high-quality adversarial samples with fewer queries by combining multi-level modification strategies and reinforcement learning-based behavior cloning.

Contribution

The paper proposes a novel multi-granular attack framework and a reinforcement learning approach to train an attack agent, significantly reducing query times and improving attack quality on black-box NLP models.

Findings

Achieves better attack success rates and sample fluency.

Reduces query times substantially in black-box settings.

Effective against models like BiLSTM, BERT, and RoBERTa.

Abstract

Recently, the textual adversarial attack models become increasingly popular due to their successful in estimating the robustness of NLP models. However, existing works have obvious deficiencies. (1) They usually consider only a single granularity of modification strategies (e.g. word-level or sentence-level), which is insufficient to explore the holistic textual space for generation; (2) They need to query victim models hundreds of times to make a successful attack, which is highly inefficient in practice. To address such problems, in this paper we propose MAYA, a Multi-grAnularitY Attack model to effectively generate high-quality adversarial samples with fewer queries to victim models. Furthermore, we propose a reinforcement-learning based method to train a multi-granularity attack agent through behavior cloning with the expert knowledge from our MAYA algorithm to further reduce the query times. Additionally, we also adapt the agent to attack black-box models that only output labels without confidence scores. We conduct comprehensive experiments to evaluate our attack models by attacking BiLSTM, BERT and RoBERTa in two different black-box attack settings and three benchmark datasets. Experimental results show that our models achieve overall better attacking performance and produce more fluent and grammatical adversarial samples compared to baseline models. Besides, our adversarial attack agent significantly reduces the query times in both attack settings. Our codes are released at https://github.com/Yangyi-Chen/MAYA.