中国科学院自动化研究所机构知识库

Transformer models have been widely used in the filed of natural language processing due to their powerful learning ability. Nevertheless, recent studies have shown that transformer models are vulnerable to the maliciously crafted adversarial examples. In the challenging black box setting, main stream textual adversarial attacks typically consist of two steps: Word Importance Ranking (WIR) and word transformation. The attack performance is highly dependent on the ranking of words. Existing WIR methods are designed with heuristic rules, which lack theoretical guarantee and require a large amount of queries. To address this issue, we design a textual coalitional game and propose PWSHAP, which is a plug-and-in WIR method employing Shapley value to determine the significance of each word based on its impact on the classification. Through extensive experiments on three benchmark datasets and model architectures, we illustrate that the proposed PWSHAP achieve the-state-of-the-art attack success rate with significant fewer queries to the classification model. Meanwhile, the generated adversarial examples are more natural and coherent compared to the strong baselines.