AED: An black-box NLP classifier model attacker

TL;DR

This paper introduces AED, a novel black-box attack method for NLP classifiers that exploits interpretability and synonym substitution to generate adversarial examples, revealing vulnerabilities in DNN models used in critical domains.

Contribution

AED is the first to combine attention-based interpretability with density peaks clustering for effective synonym search in NLP adversarial attacks.

Findings

AED effectively fools NLP models while preserving input meaning.

Compared to existing methods, AED shows higher success rates in adversarial example generation.

AED enhances understanding of model vulnerabilities in high-stakes NLP applications.

Abstract

Deep Neural Networks (DNNs) have been successful in solving real-world tasks in domains such as connected and automated vehicles, disease, and job hiring. However, their implications are far-reaching in critical application areas. Hence, there is a growing concern regarding the potential bias and robustness of these DNN models. A transparency and robust model is always demanded in high-stakes domains where reliability and safety are enforced, such as healthcare and finance. While most studies have focused on adversarial image attack scenarios, fewer studies have investigated the robustness of DNN models in natural language processing (NLP) due to their adversarial samples are difficult to generate. To address this gap, we propose a word-level NLP classifier attack model called "AED," which stands for Attention mechanism enabled post-model Explanation with Density peaks clustering algorithm for synonyms search and substitution. AED aims to test the robustness of NLP DNN models by interpretability their weaknesses and exploring alternative ways to optimize them. By identifying vulnerabilities and providing explanations, AED can help improve the reliability and safety of DNN models in critical application areas such as healthcare and automated transportation. Our experiment results demonstrate that compared with other existing models, AED can effectively generate adversarial examples that can fool the victim model while maintaining the original meaning of the input.