A Universal Adversarial Policy for Text Classifiers

TL;DR

This paper introduces a universal adversarial policy for text classifiers that generates natural, semantics-preserving adversarial examples efficiently across many texts, advancing practical adversarial attack methods.

Contribution

It proposes a novel universal adversarial setup using a learned search policy over text alterations, demonstrating the existence of universal adversarial patterns in text domain.

Findings

The approach successfully finds adversarial examples on new texts.

Reinforcement learning effectively generalizes from limited training data.

Universal adversarial patterns are feasible in text classification.

Abstract

Discovering the existence of universal adversarial perturbations had large theoretical and practical impacts on the field of adversarial learning. In the text domain, most universal studies focused on adversarial prefixes which are added to all texts. However, unlike the vision domain, adding the same perturbation to different inputs results in noticeably unnatural inputs. Therefore, we introduce a new universal adversarial setup - a universal adversarial policy, which has many advantages of other universal attacks but also results in valid texts - thus making it relevant in practice. We achieve this by learning a single search policy over a predefined set of semantics preserving text alterations, on many texts. This formulation is universal in that the policy is successful in finding adversarial examples on new texts efficiently. Our approach uses text perturbations which were extensively shown to produce natural attacks in the non-universal setup (specific synonym replacements). We suggest a strong baseline approach for this formulation which uses reinforcement learning. It's ability to generalise (from as few as 500 training texts) shows that universal adversarial patterns exist in the text domain as well.