Text adversarial sample generation method and system, computer equipment and storage medium

Abstract

The invention discloses a text adversarial sample generation method and system, computer equipment and a storage medium. The method comprises the following steps: performing tf-idf score calculation on words in an obtained data set to obtain a part-of-speech dictionary of the data set and attack word sets corresponding to different tags; selecting an attack word set corresponding to the tag of the original sample from the data set, and selecting a word with the highest attack score from the attack word set as an attack word; according to a preset sentence template, selecting syntactic rules corresponding to the part-of-speech of the attack word, and selecting the words corresponding to the rules from the part-of-speech dictionary, so that the words and the attack word jointly form sentences conforming to the syntactic rules; according to a preset adding condition, adding the sentence into the original sample to obtain a new sample; and performing multiple rounds of iterative calculation on the new sample according to a preset iterative condition to obtain an adversarial sample. The method can avoid spelling and grammar errors, has low modification rate and high aggressiveness, and improves the attack efficiency.

Description

technical field [0001] The present invention relates to the technical field of adversarial sample generation, in particular to a text adversarial sample generation method, system, computer equipment and storage medium based on attack words to guide sentence generation. Background technique [0002] Currently, deep learning models are widely used in many fields, such as computer vision, natural language processing, and speech recognition. At the same time, the security of deep learning models has also been greatly challenged. Academic research on text adversarial attacks has developed rapidly in recent years, and there are many research results. Currently, representative text generation technologies with cutting-edge development and good attack effects include using gradient information to filter out words that have a great impact on model classification results, and pass Methods for generating textual adversarial examples by making typos corrupt these words and methods for ...

AI Technical Summary

Problems solved by technology

[0003] However, both methods have certain limitations

Among them, the first method uses spelling mistakes to generate perturbations, successfully generates adversarial samples at a low modification rate, and does not affect human understanding of the text, but this method is vulnerable to spell checking mechanisms. Adversarial examples are easily filtered

The second method is to optimize the approximation by continuously optimizing the randomly generated adversarial samples to generate a strong attack sample, which can achieve effective attacks in short texts, but it is difficult to achieve ideal results in long texts with high modification rates.

In addition, this method replaces important words with synonyms, and grammatical errors are still difficult to avoid

[0004] As far as the current adversarial sample generation technology is concerned, it is difficult to guarantee the correctness of words, grammatical correctness, and semantic integrity of the original text, and most of the existing research focuses on short texts, and the effectiveness of attack methods cannot be guaranteed in long texts.

Images