Black-Box Universal Adversarial Attack on Text Classifiers

Abstract

Adversarial examples reveal the fragility of deep learning models. Recent studies have shown that deep learning models are also vulnerable to universal adversarial perturbations. When the input-agnostic sequence of words concatenated to any input instance in the data set, it fools the model to produce a specific prediction in [9] and [10]. Despite being highly successful, they often need to obtain the gradient information of the target model. However, under more realistic black box conditions, we can only manipulate the input and output of the target model, which brings great difficulties to the search for universal adversarial disturbances. Therefore, to explore whether universal adversarial attacks can be realized under black-box conditions, we study a universal adversarial perturbation search method based on optimization. We conducted exhaustive experiments to prove the effectiveness of our attack model by attacking the Bi-LSTM and BERT models on sentiment classification tasks.