Adversarial Sample Generation Method for Chinese Text Based on Word Reproduction

With the accumulation of massive amounts of data and continuous improvements in computing power, Deep Neural Networks (DNN) have been widely used in various tasks such as image recognition and text classification. However, studies have shown that DNN-based text classification models are often subjected to adversarial sample attacks that are maliciously constructed by attackers. Attackers can alter the classification results of a model by deleting or modifying the original text, inserting obfuscated statements, or adding punctuation marks. Most existing adversarial sample generation methods sacrifice concealment and adopt a hybrid approach involving a variety of replacement pools to improve attack accuracy, which cannot balance the attack success rate and the concealment of adversarial samples. To solve this problem, this study proposes a Chinese adversarial sample generation method called WordReproduction, which is designed to conceal adversarial samples. The saliency score of the Chinese characters is calculated by combining the parts-of-speech of the characters themselves with the word level dimension. In the keyword replacement module, three glyph replacement methods are used to replace keywords and words: near-word vector space, glyph splitting candidate pool, and word inversion. Based on the morphological characteristics of Chinese characters, the study also designs a glyph similarity evaluation algorithm to better quantify the similarity between adversarial samples and the original text. Experimental results show that the adversarial samples generated by WordReproduction are superior to those generated by the baseline method in terms of the attack success rate and glyph similarity. When using the Transformer model for sentiment classification, compared with the WordHandling method, the attack success rate and glyph similarity score of WordReproduction increase by 51.64 percentage points and 0.53, respectively. The generated adversarial samples not only mislead the classification results of the model but also have high concealment, making them difficult for human readers to detect.