This repo contains implementation for EMNLP 2020 paper:
Adversarial Semantic Collisions.
The code is tested on Python 3 with torch==1.4.0 and transformers==2.8.0.
Other requirements can be found in requirements.txt.
We considered four tasks in this paper. The data and models can be downloaded from here (the decompressed file can take upto 18GB of disk space).
Please extract the data and models into COLLISION_DIR defined in constant.py.
- For paraphrase identification task, the models are trained with HuggingFace example scripts.
- For response suggestions task, the models are collected from ParlAI.
- For document retrieval task, the models are collected from Birch.
- For extractive summarization task, the models are collected from PreSumm.
For generating natural collisions (see Section 4.2.2 in our paper), we need to train language models (LMs) with the same
vocabulary as the target models we are attacking.
We provide pre-trained LMs in the download link above and their training scripts in scipts/ folder.
LMs are fine-tuned from BERT or Poly-encoder on WikiText-103.
Now we can run collision attacks on the test set for the four tasks. We provide example scripts for as following, where (A), (R), (N) denotes aggressive, regularized and natural collisions respectively. The provided attack arguments are the same for all test examples and a dedicated hyper-parameter search for each single example could yield better attack performance.
Add --verbose flag if you want to check the intermediate procedure of generating collisions.
Remove --fp16 flag if you did not install apex for mixed precision training.
Set --gpu=i to use the i'th GPU.
(A) python3 collision_paraphrase.py --topk=30 --perturb_iter=30 --max_iter=10 --stemp=1.0 --lr=1e-3 --seq_len=20 --fp16
(R) python3 collision_paraphrase.py --topk=15 --perturb_iter=30 --max_iter=10 --stemp=1.0 --lr=1e-3 --seq_len=30 --regularize --beta=0.8 --fp16
(N) python3 collision_paraphrase.py --topk=128 --perturb_iter=5 --stemp=0.1 --lr=1e-3 --seq_len=25 --nature --beta=0.05 --fp16
(A) python3 collision_polyencoder.py --topk=30 --perturb_iter=30 --stemp=1.0 --lr=1e-3 --seq_len=20 --poly --num_filters=1000 --fp16
(R) python3 collision_polyencoder.py --topk=20 --perturb_iter=30 --stemp=1.0 --lr=1e-3 --seq_len=25 --regularize --beta=0.8 --poly --num_filters=1000 --fp16
(N) python3 collision_polyencoder.py --topk=128 --perturb_iter=5 --stemp=0.1 --lr=1e-3 --seq_len=20 --nature --beta=0.15 --poly --num_filters=1000 --fp16
Remove --poly flag if you want to attack the Bi-encoder model.
(A) python3 collision_retrieval.py --num_beams=5 --topk=50 --perturb_iter=30 --stemp=1.0 --lr=1e-3 --seq_len=30 --num_filters=1000 --fp16
(R) python3 collision_retrieval.py --num_beams=5 --topk=40 --perturb_iter=30 --stemp=1.0 --lr=1e-3 --seq_len=60 --num_filters=1000 --regularize --beta=0.85 --fp16
(N) python3 collision_retrieval.py --num_beams=10 --topk=150 --perturb_iter=5 --stemp=0.1 --lr=1e-3 --seq_len=35 --num_filters=1000 --nature --beta=0.02 --fp16
The default dataset is Core17, change --data_name=core18 flag if you want to generate collisions for Core18.
Add --verbose flag to see how the document ranks change after inserting collisions.
(A) python3 collision_ext_sum.py --num_beams=5 --topk=10 --perturb_iter=30 --stemp=1.0 --lr=1e-3 --seq_len=15 --fp16
(R) python3 collision_ext_sum.py --num_beams=5 --topk=10 --perturb_iter=30 --stemp=1.0 --lr=1e-3 --seq_len=30 --beta=0.8 --regularize --fp16
(N) python3 collision_ext_sum.py --num_beams=5 --topk=64 --perturb_iter=5 --stemp=1.0 --lr=1e-3 --seq_len=20 --beta=0.02 --nature --fp16
@inproceedings{song2020adversarial,
title={Adversarial Semantic Collisions},
author={Song, Congzheng and Rush, Alexander M and Shmatikov, Vitaly},
booktitle={Proceedings of the 2020 Conference on Empirical Methods in Natural Language Processing (EMNLP)},
pages={4198--4210},
year={2020}
}