Chain Association-based Attacking and Shielding Natural Language Processing Systems
Jiacheng Huang, Long Chen

TL;DR
This paper introduces a novel chain association-based adversarial attack on NLP systems, exploiting the comprehension gap between humans and machines, and proposes shielding methods to defend against such attacks.
Contribution
It presents a new attack method using chain association graphs and particle swarm optimization, and explores defense strategies like adversarial training and associative graph recovery.
Findings
NLP models are vulnerable to the proposed attack.
Humans can understand perturbed text better than models.
Shielding methods improve system robustness.
Abstract
Association as a gift enables people to not have to mention something in completely straightforward words and allows others to understand what they intend to refer to. In this paper, we propose a chain association-based adversarial attack against natural language processing systems, utilizing the comprehension gap between humans and machines. We first generate a chain association graph for Chinese characters based on the association paradigm for building the search space of potential adversarial examples. Then, we introduce a discrete particle swarm optimization algorithm to search for the optimal adversarial examples. We conduct comprehensive experiments and show that advanced natural language processing models and applications, including large language models, are vulnerable to our attack, while humans appear good at understanding the perturbed text. We also explore two methods,…
Taxonomy
Topics: Adversarial Robustness in Machine Learning
