Exploiting Class Probabilities for Black-box Sentence-level Attacks

Raha Moraffah, Huan Liu

TL;DR

The paper tackles the vulnerability of text classifiers to black-box sentence-level adversarial attacks by leveraging classifier class probabilities, a rich feedback signal often available in practice. It introduces S2B2-Attack, a score-based framework that models a continuous search space of adversarial sentences via a Variational Autoencoder (OPTIMUS) and optimizes distribution parameters with Natural Evolution Strategies, while enforcing semantic similarity through a BERTScore-based constraint. Empirical results across AG News, IMDB, and Yelp datasets with BERT, RoBERTa, and XLNet show that S2B2-Attack significantly outperforms blind, decision-based, and existing score-based baselines in attack success rate and semantic fidelity, with comparable query budgets to strong word-level attacks. The work demonstrates the practical threat posed by score-based sentence-level attacks and lays groundwork for defenses, albeit with limitations including computational cost and applicability mainly to discriminative classifiers.

Abstract

Sentence-level attacks craft adversarial sentences that are synonymous with correctly-classified sentences but are misclassified by the text classifiers. Under the black-box setting, classifiers are only accessible through their feedback to queried inputs, which is predominately available in the form of class probabilities. Even though utilizing class probabilities results in stronger attacks, due to the challenges of using them for sentence-level attacks, existing attacks use either no feedback or only the class labels. Overcoming the challenges, we develop a novel algorithm that uses class probabilities for black-box sentence-level attacks, investigate the effectiveness of using class probabilities on the attack's success, and examine the question if it is worthy or practical to use class probabilities by black-box sentence-level attacks. We conduct extensive evaluations of our attack comparing with the baselines across various classifiers and benchmark datasets.
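The abstract's point that class probabilities are a richer feedback signal than class labels can be measured on a toy model. This is an added example, not the paper's code: the 2-D logistic "classifier", its weights `W` and `B`, and the sampling settings are constructed assumptions, and only the query-based NES gradient estimate is borrowed from the method described above.

```python
import math
import random

# Constructed stand-in for a black-box classifier: a logistic model over a
# 2-D latent vector z. It is not the paper's VAE or a real text classifier.
W = (1.5, -2.0)   # assumed weights
B = 10.0          # assumed bias: z = (0, 0) sits far inside the true class

def prob_true_class(z):
    """Score feedback: probability assigned to the original class."""
    return 1.0 / (1.0 + math.exp(-(B - W[0] * z[0] - W[1] * z[1])))

def label_only(z):
    """Decision feedback: 1.0 while the original class is still predicted."""
    return 1.0 if prob_true_class(z) >= 0.5 else 0.0

def nes_gradient(feedback, mu, sigma=0.3, pairs=200, seed=0):
    """Antithetic NES estimate of d feedback / d mu from queries alone."""
    rng = random.Random(seed)
    grad = [0.0, 0.0]
    for _ in range(pairs):
        eps = (rng.gauss(0, 1), rng.gauss(0, 1))
        plus = feedback((mu[0] + sigma * eps[0], mu[1] + sigma * eps[1]))
        minus = feedback((mu[0] - sigma * eps[0], mu[1] - sigma * eps[1]))
        for i in range(2):
            grad[i] += (plus - minus) * eps[i] / (2 * sigma * pairs)
    return grad

def norm(v):
    return math.hypot(v[0], v[1])

def cosine_to_boundary(grad):
    """Cosine between -grad (descent on p_true) and the true direction W."""
    n = norm(grad)
    if n == 0.0:
        return 0.0
    return -(grad[0] * W[0] + grad[1] * W[1]) / (n * norm(W))

def compare(mu=(0.0, 0.0)):
    """Signal each feedback type leaks for the same 400 queries."""
    out = {}
    for name, fb in (("score", prob_true_class), ("label", label_only)):
        g = nes_gradient(fb, mu)
        out[name] = {"grad_norm": norm(g), "cosine": cosine_to_boundary(g)}
    return out

if __name__ == "__main__":
    for name, stats in compare().items():
        print(name, stats)
```

With identical queries, the label-only estimate is exactly zero because every sample returns the same label, while the probability output yields an estimate aligned with the direction of the decision boundary.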

Paper Structure

This paper contains 28 sections, 7 equations, 2 figures, 5 tables, 1 algorithm.

Figures (2)

  • Figure 1: An overview of the S2B2-Attack. S2B2-Attack perturbs the original latent variable distributions to model the search space of candidate distributions of adversarial examples using VAE and learns the parameters of the actual adversarial distribution using the NES search based on the classifier's class probabilities.
  • Figure 2: Effect of the semantic similarity constraint on S2B2-Attack's performance. The classifier is RoBERTa.