Contrasting Human- and Machine-Generated Word-Level Adversarial Examples for Text Classification

TL;DR

This paper compares human and machine-generated adversarial examples in text classification, showing humans can efficiently produce natural, sentiment-preserving attacks comparable to algorithms, with implications for NLP robustness.

Contribution

It introduces a human-in-the-loop approach to generate adversarial examples and compares their quality and efficiency to state-of-the-art algorithms.

Findings

Humans can generate many valid adversarial examples efficiently.

Human and algorithm-generated examples are similar in naturalness and sentiment preservation.

Humans are more computationally efficient in creating adversarial examples.

Abstract

Research shows that natural language processing models are generally considered to be vulnerable to adversarial attacks; but recent work has drawn attention to the issue of validating these adversarial inputs against certain criteria (e.g., the preservation of semantics and grammaticality). Enforcing constraints to uphold such criteria may render attacks unsuccessful, raising the question of whether valid attacks are actually feasible. In this work, we investigate this through the lens of human language ability. We report on crowdsourcing studies in which we task humans with iteratively modifying words in an input text, while receiving immediate model feedback, with the aim of causing a sentiment classification model to misclassify the example. Our findings suggest that humans are capable of generating a substantial amount of adversarial examples using semantics-preserving word substitutions. We analyze how human-generated adversarial examples compare to the recently proposed TextFooler, Genetic, BAE and SememePSO attack algorithms on the dimensions naturalness, preservation of sentiment, grammaticality and substitution rate. Our findings suggest that human-generated adversarial examples are not more able than the best algorithms to generate natural-reading, sentiment-preserving examples, though they do so by being much more computationally efficient.