Identifying Human Strategies for Generating Word-Level Adversarial Examples

TL;DR

This paper analyzes how humans generate word-level adversarial examples in NLP, revealing behavioral patterns and preferences that can inform the development of more robust models.

Contribution

It provides a detailed analysis of human strategies in creating adversarial examples, highlighting key tendencies and decision patterns during the process.

Findings

Humans prefer to replace words based on frequency, saliency, and sentiment.

Humans tend to replace words at specific positions in the input sequence.

Identified statistically significant patterns in human adversarial generation strategies.

Abstract

Adversarial examples in NLP are receiving increasing research attention. One line of investigation is the generation of word-level adversarial examples against fine-tuned Transformer models that preserve naturalness and grammaticality. Previous work found that human- and machine-generated adversarial examples are comparable in their naturalness and grammatical correctness. Most notably, humans were able to generate adversarial examples much more effortlessly than automated attacks. In this paper, we provide a detailed analysis of exactly how humans create these adversarial examples. By exploring the behavioural patterns of human workers during the generation process, we identify statistically significant tendencies based on which words humans prefer to select for adversarial replacement (e.g., word frequencies, word saliencies, sentiment) as well as where and when words are replaced in an input sequence. With our findings, we seek to inspire efforts that harness human strategies for more robust NLP models.