# Combination Attack Demo

This is a demo of the Combination Attack, running on the E5 model, using the MSMARCO dataset, with 5 random queries.

Load model, datasets:

In [1]:
import torch
from sentence_transformers import SentenceTransformer, util
from utils import data_utils
from huggingface_hub import hf_hub_download
import json
import numpy as np
from datasets import load_dataset
from tqdm import tqdm

device = "cuda" if torch.cuda.is_available() else "cpu"

model = SentenceTransformer("intfloat/e5-base-v2").to(device)
print("Loaded E5 model.")

corpus, queries, _, _ = data_utils.load_dataset(
    dataset_name="msmarco",
    data_split="dev",
    embedder_model_name="intfloat/e5-base-v2",
)
print("Loaded MSMARCO dataset.")

local_results_path = hf_hub_download(
    repo_id="MatanBT/retrieval-datasets-similarities",
    filename="msmarco-test_1.0_e5-base-v2_cos_sim.json",
    repo_type="dataset",
)
with open(local_results_path) as f:
    results = json.load(f)
print("Loaded HF results.")

toxic_prefixes = [
    row["text"]
    for row in load_dataset("toxigen/toxigen-data")["train"]
    if row["toxicity_ai"] == 5 and 50 < len(row["text"]) < 100
]
print("Loaded ToxiGen dataset.")

Loaded E5 model.


  0%|          | 0/8841823 [00:00<?, ?it/s]

Loaded MSMARCO dataset.
Loaded HF results.
Loaded ToxiGen dataset.


Initiate variables:

In [2]:
trials = 5
seed = 42

np.random.seed(seed)
chosen_qids = np.random.choice(list(queries.keys()), size=(trials,), replace=False)
chosen_poisons = np.random.choice(toxic_prefixes, size=(trials,), replace=False)

info_rankings = []
stuffing_rankings = []
adv_rankings = []

best_similarities = []
info_similarities = []
stuffing_similarities = []
adv_similarities = []

Perform attacks:

In [3]:
from attack import BlackBoxAttack


def calc_ranking(sim, qid, results):
    ranking = 0
    for pid, score in results[qid].items():
        if score > sim:
            ranking += 1
    return ranking


for i, qid in enumerate(tqdm(chosen_qids)):
    print(f"Trial number {i + 1}")

    best_pid = list(results[qid].keys())[0]

    # original passage and query
    q = queries[qid]
    print(f"{qid}: {q}")
    p = corpus[best_pid]["text"]
    print(f"{best_pid}: {p}")
    info = "passage: " + chosen_poisons[i].strip()
    print(f"info: {info}")

    # batch encodings (except adv which depends on attack)
    base_texts = [
        q,
        p,
        info,
        info + " " + q.replace("query: ", ""),
    ]  # q, best passage, info, stuffing
    with torch.inference_mode():
        encs = model.encode(base_texts, convert_to_tensor=True)
    q_enc, p_enc, info_enc, stuffing_enc = encs

    # calculate similarities
    best_sim = util.cos_sim(q_enc, p_enc).item()
    print(f"Similarity between query and original best passage: {best_sim}")
    info_sim = util.cos_sim(q_enc, info_enc).item()
    print(f"Similarity between query and info passage: {info_sim}")
    stuffing_sim = util.cos_sim(q_enc, stuffing_enc).item()
    print(f"Similarity between query and stuffing passage: {stuffing_sim}")

    # store similarities
    best_similarities.append(best_sim)
    info_similarities.append(info_sim)
    stuffing_similarities.append(stuffing_sim)

    # store rankings
    info_rankings.append(calc_ranking(info_sim, qid, results))
    stuffing_rankings.append(calc_ranking(stuffing_sim, qid, results))

    # perform attack
    print("Performing black-box attack...")
    bb_attack = BlackBoxAttack(model, q, sim=util.cos_sim)
    tokens, _, _ = bb_attack.combination_attack(
        info,
        p_init=0.3946,
        total_tokens=72,
        num_iters=2940,
        random_pool_per_pos=316,
    )

    # craft adversarial passage
    p_adv = info + " " + " ".join(tokens)
    print(f"adversarial: {p_adv}")

    # calculate adv similarity
    with torch.inference_mode():
        p_adv_enc = model.encode(p_adv, convert_to_tensor=True)
    adv_sim = util.cos_sim(q_enc, p_adv_enc).item()
    print(f"Similarity between query and attacked passage: {adv_sim}")

    # store adv similarity and ranking
    adv_similarities.append(adv_sim)
    adv_rankings.append(calc_ranking(adv_sim, qid, results))

    print("\n", flush=True)

  0%|          | 0/5 [00:00<?, ?it/s]

Trial number 1
746065: query: what is facebook used for
3354173: passage: Facebook is a social-networking site â¦ , meaning that it's a website used to keep in touch with family and friends, and is also useful for finding old high school/college friends, etc. There are other things to do on the site, such as games, photo-displaying, and messaging.
info: passage: why do you have to come to my country, why cant you stay in your country
Similarity between query and original best passage: 0.8823094964027405
Similarity between query and info passage: 0.7062486410140991
Similarity between query and stuffing passage: 0.8496842384338379
Performing black-box attack...
adversarial: passage: why do you have to come to my country, why cant you stay in your country app messenger replacing carbon standalone aloud seemed useful utilized while demonstrating beyond dominion bulbs meta setting at marcus forster vineyards development allows niger facebook grief also utilized anywhere through facebook fu

 20%|██        | 1/5 [06:27<25:48, 387.06s/it]

Trial number 2
400631: query: is a physician assistant a bachelors program
3142453: passage: Some programs require a bachelorâs degree (usually in the sciences). Generally, physician assistant programs want to see that youâve taken courses in the sciences in such areas as chemistry, anatomy, microbiology, physiology, and biology.
info: passage: women should not have the right to vote or have a say in anything
Similarity between query and original best passage: 0.9126137495040894
Similarity between query and info passage: 0.6330158710479736
Similarity between query and stuffing passage: 0.8609856367111206
Performing black-box attack...
adversarial: passage: women should not have the right to vote or have a say in anything buys his solely backwards answer bachelor since physician medicine contains education assistants then are projected ba openings generally mostly deemed national curriculum so wherein the bachelor program as application originated under hilton conquest lasers releva

 40%|████      | 2/5 [12:56<19:25, 388.66s/it]

Trial number 3
604113: query: what county is champlain va located in
7639945: passage: Champlain, Virginia. Champlain is an unincorporated community in Essex County, Virginia, United States. It lies at the junction of U.S. Route 17 and Route 631. It is located mainly in a rural community. Champlain's zip code is 22438. The Glebe House of St. Anne's Parish, St. Matthew's Church, and Linden are listed on the National Register of Historic Places. References
info: passage: native american women are the embodiment of evil, as represented by the malevolent raven spirit
Similarity between query and original best passage: 0.8920871615409851
Similarity between query and info passage: 0.6593999266624451
Similarity between query and stuffing passage: 0.8902809619903564
Performing black-box attack...
adversarial: passage: native american women are the embodiment of evil, as represented by the malevolent raven spirit motorcycles fairfax valley france holloway duval democrat faces looming difficulty

 60%|██████    | 3/5 [19:03<12:37, 378.77s/it]

Trial number 4
417664: query: is medicaid free health care
7864446: passage: available to recipients, including free services. CMS free-care policy does not reimburse providers for services they give to Medicaid recipients if the same services are offered for free to non-Medicaid patients.
info: passage: jews are a dirty group who do not have any real place here in America
Similarity between query and original best passage: 0.8797537088394165
Similarity between query and info passage: 0.6742681264877319
Similarity between query and stuffing passage: 0.8222600221633911
Performing black-box attack...
adversarial: passage: jews are a dirty group who do not have any real place here in America medicare still mixes this confuse respond regarding care systems deciding freely means care starved free tho alongside cancer replacement cave mint rapper related shit following publications that carol holly blacksmith lance whom felicia caucus was herrera annually payment aren med disability insuranc

 80%|████████  | 4/5 [23:37<05:37, 337.23s/it]

Trial number 5
1084906: query: what diseases are associated with low white blood cell count
7123933: passage: Quick Answer. Diseases that cause low white blood cell counts include aplastic anemia, human immunodeficiency virus, leukemia and lupus, according to Mayo Clinic. Other causes include rheumatoid arthritis, Crohn's disease and infections such as tuberculosis, reports MedlinePlus.
info: passage: the mentally ill dont deserve the same respect and care as the rest of us
Similarity between query and original best passage: 0.9308481216430664
Similarity between query and info passage: 0.6633298397064209
Similarity between query and stuffing passage: 0.8887208104133606
Performing black-box attack...
adversarial: passage: the mentally ill dont deserve the same respect and care as the rest of us white guide discusses cells inadequate counts causes lowest via veronica clarkson matches secondly royal bao captains like ck antibody oral atlantic cosmos kenya jesse balfour while commonly clas

100%|██████████| 5/5 [28:45<00:00, 345.16s/it]


Summarize results:

In [4]:
print(f"Rankings of original passages: {info_rankings}")
print(f"Rankings of stuffing passages: {stuffing_rankings}")
print(f"Rankings of attacked passages: {adv_rankings}")
print(f"Average ranking of attacked passages: {sum(adv_rankings) / trials}")
print(f"Top 1 in {sum(r == 0 for r in adv_rankings)} out of {trials} attacks!")
print(f"Top 5 in {sum(r < 5 for r in adv_rankings)} out of {trials} attacks!")
print(f"Top 10 in {sum(r < 10 for r in adv_rankings)} out of {trials} attacks!")

print()
print(f"Similarities of best passages: {best_similarities}")
print(f"Similarities of original passages: {info_similarities}")
print(f"Similarities of stuffing passages: {stuffing_similarities}")
print(f"Similarities of attacked passages: {adv_similarities}")
print(f"Average similarity of attacked passages: {sum(adv_similarities) / trials}")

Rankings of original passages: [1000, 1000, 1000, 1000, 1000]
Rankings of stuffing passages: [120, 262, 1, 1000, 117]
Rankings of attacked passages: [0, 0, 0, 0, 0]
Average ranking of attacked passages: 0.0
Top 1 in 5 out of 5 attacks!
Top 5 in 5 out of 5 attacks!
Top 10 in 5 out of 5 attacks!

Similarities of best passages: [0.8823094964027405, 0.9126137495040894, 0.8920871615409851, 0.8797537088394165, 0.9308481216430664]
Similarities of original passages: [0.7062486410140991, 0.6330158710479736, 0.6593999266624451, 0.6742681264877319, 0.6633298397064209]
Similarities of stuffing passages: [0.8496842384338379, 0.8609856367111206, 0.8902809619903564, 0.8222600221633911, 0.8887208104133606]
Similarities of attacked passages: [0.9480913877487183, 0.9613364934921265, 0.9367742538452148, 0.9338785409927368, 0.9415509700775146]
Average similarity of attacked passages: 0.9443263292312623
