Less is More: Understanding Word-level Textual Adversarial Attack via n-gram Frequency Descend

TL;DR

This paper investigates word-level textual adversarial attacks, revealing that they often decrease n-gram frequencies, and proposes using this insight to improve NLP model robustness through frequency-based adversarial training.

Contribution

It introduces the n-gram Frequency Descend (n-FD) pattern as a key characteristic of word-level attacks and demonstrates a new robustness enhancement method using n-gram frequency information.

Findings

Approximately 90% of attacks cause n-gram frequency decrease.

Frequency-based adversarial training performs comparably to gradient-based methods.

Proposes a novel, intuitive perspective for understanding and defending against textual adversarial attacks.

Abstract

Word-level textual adversarial attacks have demonstrated notable efficacy in misleading Natural Language Processing (NLP) models. Despite their success, the underlying reasons for their effectiveness and the fundamental characteristics of adversarial examples (AEs) remain obscure. This work aims to interpret word-level attacks by examining their $n$-gram frequency patterns. Our comprehensive experiments reveal that in approximately 90\% of cases, word-level attacks lead to the generation of examples where the frequency of $n$-grams decreases, a tendency we term as the $n$-gram Frequency Descend ($n$-FD). This finding suggests a straightforward strategy to enhance model robustness: training models using examples with $n$-FD. To examine the feasibility of this strategy, we employed the $n$-gram frequency information, as an alternative to conventional loss gradients, to generate perturbed examples in adversarial training. The experiment results indicate that the frequency-based approach performs comparably with the gradient-based approach in improving model robustness. Our research offers a novel and more intuitive perspective for understanding word-level textual adversarial attacks and proposes a new direction to improve model robustness.