Ensemble transfer attack targeting text classification systems

Deep neural networks provide good performance for image recognition, speech recognition, text recognition, and pattern recognition. However, such networks are vulnerable to attack by adversarial examples. Adversarial examples are created by adding a small amount of noise to an original sample in such a way that no problem is perceptible to humans yet the sample will be incorrectly classified by a classification model. Adversarial examples have been studied mainly in the context of images, but research has expanded to include the text domain. In the textual context, an adversarial example is a sample of text in which certain important words have been changed so that the sample will be misclassified by a model even though to humans it is the same as the original text in terms of meaning and grammar. However, studies of black box attacks using text adversarial examples are sparse. In this paper, we propose the ensemble transfer textfooler method. This method performs a black box attack on an unknown model after generating an ensemble adversarial example that simultaneously deceives several models. Experiments were conducted using a movie review dataset and with TensorFlow as the machine learning library. The experimental results show that the proposed method has an attack success rate of 71.64%, in contrast to the 19.01%, 24.29%, and 44.96% attack success rates for the conventional transfer attacks using an adversarial example generated to deceive a WordCNN, WordLSTM, and BERT model, respectively. © 2022 Published by Elsevier Ltd.
Publisher
ELSEVIER ADVANCED TECHNOLOGY
Issue Date
2022-06
Language
English
Article Type
Article
Citation

COMPUTERS & SECURITY, v.117

ISSN
0167-4048
DOI
10.1016/j.cose.2022.102695
URI
http://hdl.handle.net/10203/296637
Appears in Collection
RIMS Journal Papers