AdvExpander: Generating Natural Language Adversarial Examples by Expanding Text

Abstract

Adversarial examples are vital to expose vulnerability of machine learning models. Despite the success of the most popular word-level substitution-based attacks which substitute some words in the original examples, only substitution is insufficient to uncover all robustness issues of models. In this paper, we focus on perturbations beyond word-level substitution, and present <bold xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">AdvExpander</b> , a method that crafts new adversarial examples by expanding text. We first utilize linguistic rules to determine which constituents to expand and what types of modifiers to expand with. We then expand each constituent by inserting an adversarial modifier searched from a pre-trained CVAE-based generative model. To ensure that our adversarial examples are label-preserving for text matching, we also constrain the modifications with a heuristic rule. Experiments on three classification tasks verify the effectiveness of AdvExpander and the validity of our adversarial examples. AdvExpander is significantly more effective than sentence-level attack baselines and is complementary to previous word substitution-based attacks, thus promising to reveal new robustness issues.