Multi-Granularity Tibetan Textual Adversarial Attack Method Based on Masked Language Model
Xi Cao, Nuo Qun, Quzong Gesang, Yulei Zhu, Trashi Nyima
TL;DR
This paper addresses the robustness of Tibetan NLP models to textual adversarial attacks, focusing on Tibetan, a Chinese minority language for which prior work is scarce. It introduces TSTricker, a multi-granularity attack framework based on masked language models that generates substitution candidates for syllables and words and orders the substitutions with a saliency-driven scoring mechanism to maximize misclassification. The approach is demonstrated on Tibetan-BERT and CINO-based models across the TNCC-title and TU_SA tasks, achieving substantial attack effectiveness (an average accuracy drop of more than 28.70% and adversarial success on more than 90.60% of samples) and revealing vulnerabilities in both monolingual and multilingual Tibetan PLMs. The work provides public resources (models and code) and advocates active defense and broader security considerations for Chinese minority language NLP, offering a foundation for adversarial training and robustness assessment in Tibetan and related languages.
Abstract
In social media, neural network models have been applied to hate speech detection, sentiment analysis, etc., but neural network models are susceptible to adversarial attacks. For instance, in a text classification task, the attacker carefully introduces perturbations into the original texts that hardly alter the original semantics in order to trick the model into making different predictions. By studying textual adversarial attack methods, the robustness of language models can be evaluated and then improved. Currently, most of the research in this field focuses on English, and there is also a certain amount of research on Chinese. However, there is little research targeting Chinese minority languages. With the rapid development of artificial intelligence technology and the emergence of Chinese minority language models, textual adversarial attacks have become a new challenge for the information processing of Chinese minority languages. In response to this situation, we propose a multi-granularity Tibetan textual adversarial attack method based on masked language models, called TSTricker. We use masked language models to generate candidate substitution syllables or words, adopt a scoring mechanism to determine the substitution order, and then run the attack against several fine-tuned victim models. The experimental results show that TSTricker reduces the accuracy of the classification models by more than 28.70% and makes the classification models change their predictions on more than 90.60% of the samples, an evidently stronger attack effect than that of the baseline method.
