HydraText: Multi-objective Optimization for Adversarial Textual Attack

Liu, Shengcai; Lu, Ning; Chen, Cheng; Qian, Chao; Tang, Ke

doi:10.48550/arxiv.2111.01528

Cited by 2 publications

(2 citation statements)

References 41 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…A decision maker can then select a final solution based on their requirements. Compared with traditional optimization methods for multiple objectives (e.g., weighted-sum [37]), Pareto optimization algorithms are designed via different meta-heuristics without any trade-off parameters [62,36].…”

Section: Related Workmentioning

confidence: 99%

Pareto Optimization for Active Learning under Out-of-Distribution Data Scenarios

Zhan¹,

Dai²,

Wang³

et al. 2022

Preprint

View full text Add to dashboard Cite

Pool-based Active Learning (AL) has achieved great success in minimizing labeling cost by sequentially selecting informative unlabeled samples from a large unlabeled data pool and querying their labels from oracle/annotators. However, existing AL sampling strategies might not work well in out-of-distribution (OOD) data scenarios, where the unlabeled data pool contains some data samples that do not belong to the classes of the target task. Achieving good AL performance under OOD data scenarios is a challenging task due to the natural conflict between AL sampling strategies and OOD sample detection -AL selects data that are hard to be classified by the current basic classifier (e.g., samples whose predicted class probabilities have high entropy), while OOD samples tend to have more uniform predicted class probabilities (i.e., high entropy) than in-distribution (ID) data. In this paper, we propose a sampling scheme, Monte-Carlo Pareto Optimization for Active Learning (POAL), which selects optimal subsets of unlabeled samples with fixed batch size from the unlabeled data pool. We cast the AL sampling task as a multi-objective optimization problem, and thus we utilize Pareto optimization based on two conflicting objectives: (1) the normal AL data sampling scheme (e.g., maximum entropy), and (2) the confidence of not being an OOD sample. Experimental results show its effectiveness on both classical Machine Learning (ML) and Deep Learning (DL) tasks.

show abstract

Section: Related Workmentioning

confidence: 99%

Pareto Optimization for Active Learning under Out-of-Distribution Data Scenarios

Zhan¹,

Dai²,

Wang³

et al. 2022

Preprint

View full text Add to dashboard Cite

show abstract

“…Deep neural networks (DNNs) have achieved significant progress in wide applications, such as image classification [9], face recognition [27], object detection [28], speech recognition [14] and machine translation [3]. Despite their success, deep learning models have exhibited vulnerability to adversarial attacks [12,20,21,36]. Crafted by adding some small perturbations to benign inputs, adversarial examples (AEs) can fool DNNs into making wrong predictions, which is a critical threat especially for some security-sensitive scenarios such as autonomous driving [34].…”

Section: Introductionmentioning

confidence: 99%

Saliency Attack: Towards Imperceptible Black-box Adversarial Attack

Dai¹,

Liu²,

Tang³

et al. 2022

Preprint

Self Cite

View full text Add to dashboard Cite

Deep neural networks are vulnerable to adversarial examples, even in the black-box setting where the attacker is only accessible to the model output. Recent studies have devised effective black-box attacks with high query efficiency. However, such performance is often accompanied by compromises in attack imperceptibility, hindering the practical use of these approaches. In this paper, we propose to restrict the perturbations to a small salient region to generate adversarial examples that can hardly be perceived. This approach is readily compatible with many existing black-box attacks and can significantly improve their imperceptibility with little degradation in attack success rate. Further, we propose the Saliency Attack, a new black-box attack aiming to refine the perturbations in the salient region to achieve even better imperceptibility. Extensive experiments show that compared to the state-of-the-art black-box attacks, our approach achieves much better imperceptibility scores, including most apparent distortion (MAD), 𝐿 0 and 𝐿 2 distances, and also obtains significantly higher success rates judged by a human-like threshold on MAD. Importantly, the perturbations generated by our approach are interpretable to some extent. Finally, it is also demonstrated to be robust to different detection-based defenses.

show abstract

HydraText: Multi-objective Optimization for Adversarial Textual Attack

Cited by 2 publications

References 41 publications

Pareto Optimization for Active Learning under Out-of-Distribution Data Scenarios

Pareto Optimization for Active Learning under Out-of-Distribution Data Scenarios

Saliency Attack: Towards Imperceptible Black-box Adversarial Attack

Contact Info

Product

Resources

About