白盒结构分析预先训练好的语言模型代码进行有效攻击

IF 4.3 2区计算机科学 Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS

Information and Software Technology Pub Date : 2025-03-26 DOI:10.1016/j.infsof.2025.107730

Chongyang Liu, Xiaoning Ren, Yinxing Xue

{"title":"白盒结构分析预先训练好的语言模型代码进行有效攻击","authors":"Chongyang Liu, Xiaoning Ren, Yinxing Xue","doi":"10.1016/j.infsof.2025.107730","DOIUrl":null,"url":null,"abstract":"<div><h3>Context:</h3><div>Pre-trained language models of code (PLMs-C for short) have dramatically improved the state-of-the-art on various programming language processing tasks.</div></div><div><h3>Objective:</h3><div>Due to these well-performed models being easily disturbed by slight perturbations, several black-box approaches have been proposed for attacking them. However, these studies have presented two challenges: (1) black-box attacks lack interpretability in generating adversarial examples and are inefficient in attacking; (2) white-box analysis methods in natural language processing (NLP) have not yet been applied to PLMs-C, incurring a gap in this field.</div></div><div><h3>Methods:</h3><div>To address these challenges, we make the first attempt to perform a white-box structure analysis for PLMs-C, followed by a grey-box attack for PLMs-C named <span>MindAC</span> based on derived linguistic structures. Specifically, referring to the probing tasks for analyzing the linguistic property of text in NLP, we first design eight novel probing tasks for code to perform white-box structure analysis. We derive three types of linguistic structures from PLMs-C named <em>SurStruct</em>, <em>SyntStruct</em>, and <em>SemStrcut</em> which correspond to the surface, syntactic and semantic structures of code, respectively. Subsequently, <span>MindAC</span> perturbs the code snippets through variable replacement, variable redefinition, and equivalent transformation of loop statements. Besides, in linguistic structures, <span>MindAC</span> introduces the angular distance of hidden output (<em>ADHO</em>) and the Euclidean distance of attention output (<em>EDAO</em>) to guide the generation of adversarial examples.</div></div><div><h3>Results:</h3><div>Our experiments reveal that: (1) for the first time, it has been demonstrated that PLMs-C possess three linguistic structures; (2) <span>MindAc</span> outperforms the state-of-the-art baselines on attack success rate by 2.47% <span><math><mo>∼</mo></math></span> 25.45%, reduces the execution time by 25 m <span><math><mo>∼</mo></math></span> 36h16 m, and achieves a significantly lower number of queries. Furthermore, we perform adversarial fine-tuning on the training sets and recover the <em>Accuracy</em> and <em>F1</em> of the victim models by at least 57.76% and 60.13%, respectively.</div></div><div><h3>Conclusion:</h3><div>The results show that based on the derived linguistic structures, the proposed <span>MindAC</span> is more interpretable, effective, and efficient in attacking the PLMs-C compared with the state-of-the-art baselines. Besides, the generated adversarial examples can help to enhance the robustness of PLMs-C.</div></div>","PeriodicalId":54983,"journal":{"name":"Information and Software Technology","volume":"183 ","pages":"Article 107730"},"PeriodicalIF":4.3000,"publicationDate":"2025-03-26","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"White-box structure analysis of pre-trained language models of code for effective attacking\",\"authors\":\"Chongyang Liu, Xiaoning Ren, Yinxing Xue\",\"doi\":\"10.1016/j.infsof.2025.107730\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"<div><h3>Context:</h3><div>Pre-trained language models of code (PLMs-C for short) have dramatically improved the state-of-the-art on various programming language processing tasks.</div></div><div><h3>Objective:</h3><div>Due to these well-performed models being easily disturbed by slight perturbations, several black-box approaches have been proposed for attacking them. However, these studies have presented two challenges: (1) black-box attacks lack interpretability in generating adversarial examples and are inefficient in attacking; (2) white-box analysis methods in natural language processing (NLP) have not yet been applied to PLMs-C, incurring a gap in this field.</div></div><div><h3>Methods:</h3><div>To address these challenges, we make the first attempt to perform a white-box structure analysis for PLMs-C, followed by a grey-box attack for PLMs-C named <span>MindAC</span> based on derived linguistic structures. Specifically, referring to the probing tasks for analyzing the linguistic property of text in NLP, we first design eight novel probing tasks for code to perform white-box structure analysis. We derive three types of linguistic structures from PLMs-C named <em>SurStruct</em>, <em>SyntStruct</em>, and <em>SemStrcut</em> which correspond to the surface, syntactic and semantic structures of code, respectively. Subsequently, <span>MindAC</span> perturbs the code snippets through variable replacement, variable redefinition, and equivalent transformation of loop statements. Besides, in linguistic structures, <span>MindAC</span> introduces the angular distance of hidden output (<em>ADHO</em>) and the Euclidean distance of attention output (<em>EDAO</em>) to guide the generation of adversarial examples.</div></div><div><h3>Results:</h3><div>Our experiments reveal that: (1) for the first time, it has been demonstrated that PLMs-C possess three linguistic structures; (2) <span>MindAc</span> outperforms the state-of-the-art baselines on attack success rate by 2.47% <span><math><mo>∼</mo></math></span> 25.45%, reduces the execution time by 25 m <span><math><mo>∼</mo></math></span> 36h16 m, and achieves a significantly lower number of queries. Furthermore, we perform adversarial fine-tuning on the training sets and recover the <em>Accuracy</em> and <em>F1</em> of the victim models by at least 57.76% and 60.13%, respectively.</div></div><div><h3>Conclusion:</h3><div>The results show that based on the derived linguistic structures, the proposed <span>MindAC</span> is more interpretable, effective, and efficient in attacking the PLMs-C compared with the state-of-the-art baselines. Besides, the generated adversarial examples can help to enhance the robustness of PLMs-C.</div></div>\",\"PeriodicalId\":54983,\"journal\":{\"name\":\"Information and Software Technology\",\"volume\":\"183 \",\"pages\":\"Article 107730\"},\"PeriodicalIF\":4.3000,\"publicationDate\":\"2025-03-26\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Information and Software Technology\",\"FirstCategoryId\":\"94\",\"ListUrlMain\":\"https://www.sciencedirect.com/science/article/pii/S0950584925000692\",\"RegionNum\":2,\"RegionCategory\":\"计算机科学\",\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"Q2\",\"JCRName\":\"COMPUTER SCIENCE, INFORMATION SYSTEMS\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Information and Software Technology","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0950584925000692","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q2","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

摘要

背景：预训练的代码语言模型（简称PLMs-C）极大地提高了各种编程语言处理任务的水平。目的：由于这些性能良好的模型容易受到轻微扰动的干扰，人们提出了几种黑盒方法来攻击它们。然而，这些研究提出了两个挑战：(1)黑盒攻击在生成对抗示例时缺乏可解释性，攻击效率低下；(2)自然语言处理（NLP）中的白盒分析方法尚未应用于PLMs-C，在该领域存在空白。方法：为了解决这些挑战，我们首先尝试对PLMs-C进行白盒结构分析，然后基于派生语言结构对PLMs-C进行名为MindAC的灰盒攻击。具体而言，参考NLP中分析文本语言特性的探测任务，我们首先设计了8个新的探测任务，用于代码的白盒结构分析。我们从PLMs-C中导出了三种类型的语言结构：SurStruct、SyntStruct和SemStrcut，它们分别对应于代码的表面结构、句法结构和语义结构。随后，MindAC通过变量替换、变量重新定义和循环语句的等效转换来干扰代码片段。此外，在语言结构中，MindAC引入了隐藏输出的角距离（ADHO）和注意输出的欧氏距离（EDAO）来指导对抗性样例的生成。结果：我们的实验表明：(1)首次证明了PLMs-C具有三种语言结构；(2) MindAc在攻击成功率方面比最先进的基线高出2.47% ~ 25.45%，将执行时间减少了25 m ~ 36h16 m，并且实现了显着减少的查询数量。此外，我们对训练集进行了对抗性微调，受害者模型的准确率和F1分别恢复了至少57.76%和60.13%。结论：基于衍生语言结构的MindAC在攻击PLMs-C时比现有基线更具可解释性、有效性和效率。此外，生成的对抗样例有助于增强PLMs-C的鲁棒性。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

White-box structure analysis of pre-trained language models of code for effective attacking

Context:

Pre-trained language models of code (PLMs-C for short) have dramatically improved the state-of-the-art on various programming language processing tasks.

Objective:

Due to these well-performed models being easily disturbed by slight perturbations, several black-box approaches have been proposed for attacking them. However, these studies have presented two challenges: (1) black-box attacks lack interpretability in generating adversarial examples and are inefficient in attacking; (2) white-box analysis methods in natural language processing (NLP) have not yet been applied to PLMs-C, incurring a gap in this field.

Methods:

To address these challenges, we make the first attempt to perform a white-box structure analysis for PLMs-C, followed by a grey-box attack for PLMs-C named MindAC based on derived linguistic structures. Specifically, referring to the probing tasks for analyzing the linguistic property of text in NLP, we first design eight novel probing tasks for code to perform white-box structure analysis. We derive three types of linguistic structures from PLMs-C named SurStruct, SyntStruct, and SemStrcut which correspond to the surface, syntactic and semantic structures of code, respectively. Subsequently, MindAC perturbs the code snippets through variable replacement, variable redefinition, and equivalent transformation of loop statements. Besides, in linguistic structures, MindAC introduces the angular distance of hidden output (ADHO) and the Euclidean distance of attention output (EDAO) to guide the generation of adversarial examples.

Results:

Our experiments reveal that: (1) for the first time, it has been demonstrated that PLMs-C possess three linguistic structures; (2) MindAc outperforms the state-of-the-art baselines on attack success rate by 2.47%

\sim

25.45%, reduces the execution time by 25 m

\sim

36h16 m, and achieves a significantly lower number of queries. Furthermore, we perform adversarial fine-tuning on the training sets and recover the Accuracy and F1 of the victim models by at least 57.76% and 60.13%, respectively.

Conclusion:

The results show that based on the derived linguistic structures, the proposed MindAC is more interpretable, effective, and efficient in attacking the PLMs-C compared with the state-of-the-art baselines. Besides, the generated adversarial examples can help to enhance the robustness of PLMs-C.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

Information and Software Technology 工程技术-计算机：软件工程

CiteScore

9.10

自引率

7.70%

发文量

164

审稿时长

9.6 weeks

期刊介绍： Information and Software Technology is the international archival journal focusing on research and experience that contributes to the improvement of software development practices. The journal''s scope includes methods and techniques to better engineer software and manage its development. Articles submitted for review should have a clear component of software engineering or address ways to improve the engineering and management of software development. Areas covered by the journal include: • Software management, quality and metrics, • Software processes, • Software architecture, modelling, specification, design and programming • Functional and non-functional software requirements • Software testing and verification & validation • Empirical studies of all aspects of engineering and managing software development Short Communications is a new section dedicated to short papers addressing new ideas, controversial opinions, "Negative" results and much more. Read the Guide for authors for more information. The journal encourages and welcomes submissions of systematic literature studies (reviews and maps) within the scope of the journal. Information and Software Technology is the premiere outlet for systematic literature studies in software engineering.