Bad Characters: Imperceptible NLP Attacks

Nicholas Boucher; Ilia Shumailov; Ross Anderson; Nicolas Papernot

doi:DOI: 10.1109/SP46214.2022.9833641

Bad Characters: Imperceptible NLP Attacks

Nicholas Boucher, Ilia Shumailov, Ross Anderson, Nicolas Papernot

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Several years of research have shown that machine-learning systems are vulnerable to adversarial examples, both in theory and in practice. Until now, such attacks have primarily targeted visual models, exploiting the gap between human and machine perception. Although text-based models have also been attacked with adversarial examples, such attacks struggled to preserve semantic meaning and indistinguishability. In this paper, we explore a large class of adversarial examples that can be used to attack text-based models in a black-box setting without making any human-perceptible visual modification to inputs. We use encoding-specific perturbations that are imperceptible to the human eye to manipulate the outputs of a wide range of Natural Language Processing (NLP) systems from neural machine-translation pipelines to web search engines. We find that with a single imperceptible encoding injection – representing one invisible character, homoglyph, reordering, or deletion – an attacker can significantly reduce the performance of vulnerable models, and with three injections most models can be functionally broken. Our attacks work against currently-deployed commercial systems, including those produced by Microsoft and Google, in addition to open source models published by Facebook, IBM, and HuggingFace. This novel series of attacks presents a significant threat to many language processing systems: an attacker can affect systems in a targeted manner without any assumptions about the underlying model. We conclude that text-based NLP systems require careful input sanitization, just like conventional applications, and that given such systems are now being deployed rapidly at scale, the urgent attention of architects and operators is required.

Original language	English
Title of host publication	Proceedings of the 43rd IEEE Symposium on Security and Privacy, SP 2022
Publisher	IEEE
Pages	1987-2004
Number of pages	16
ISBN (Electronic)	978-1-6654-1316-9
ISBN (Print)	978-1-6654-1317-6
DOIs	https://doi.org/DOI: 10.1109/SP46214.2022.9833641
Publication status	Published - 27 Jul 2022
Event	43rd IEEE Symposium on Security and Privacy - San Francisco, United States Duration: 23 May 2022 → 26 May 2022 https://www.ieee-security.org/TC/SP2022/index.html

Publication series

Name	2022 IEEE Symposium on Security and Privacy (SP)
Publisher	IEEE
ISSN (Print)	1081-6011
ISSN (Electronic)	2375-1207

Conference

Conference	43rd IEEE Symposium on Security and Privacy
Abbreviated title	SP 2022
Country/Territory	United States
City	San Francisco
Period	23/05/22 → 26/05/22
Internet address	https://www.ieee-security.org/TC/SP2022/index.html

Keywords

adversarial machine learning
NLP
text-based models
text encodings
search engines

Access to Document

DOI: 10.1109/SP46214.2022.9833641Licence: All Rights Reserved

Bad Characters_BOUCHER_DOA01052022_AFVAccepted author manuscript, 1.81 MBLicence: Creative Commons: Attribution (CC-BY)

https://ieeexplore.ieee.org/document/9833641Licence: All Rights Reserved

Cite this

@inproceedings{eae2499e4a7443b58926c855c9eb0be2,

title = "Bad Characters: Imperceptible NLP Attacks",

abstract = "Several years of research have shown that machine-learning systems are vulnerable to adversarial examples, both in theory and in practice. Until now, such attacks have primarily targeted visual models, exploiting the gap between human and machine perception. Although text-based models have also been attacked with adversarial examples, such attacks struggled to preserve semantic meaning and indistinguishability. In this paper, we explore a large class of adversarial examples that can be used to attack text-based models in a black-box setting without making any human-perceptible visual modification to inputs. We use encoding-specific perturbations that are imperceptible to the human eye to manipulate the outputs of a wide range of Natural Language Processing (NLP) systems from neural machine-translation pipelines to web search engines. We find that with a single imperceptible encoding injection – representing one invisible character, homoglyph, reordering, or deletion – an attacker can significantly reduce the performance of vulnerable models, and with three injections most models can be functionally broken. Our attacks work against currently-deployed commercial systems, including those produced by Microsoft and Google, in addition to open source models published by Facebook, IBM, and HuggingFace. This novel series of attacks presents a significant threat to many language processing systems: an attacker can affect systems in a targeted manner without any assumptions about the underlying model. We conclude that text-based NLP systems require careful input sanitization, just like conventional applications, and that given such systems are now being deployed rapidly at scale, the urgent attention of architects and operators is required.",

keywords = "adversarial machine learning, NLP, text-based models, text encodings, search engines",

author = "Nicholas Boucher and Ilia Shumailov and Ross Anderson and Nicolas Papernot",

note = "Funding Information: This work was supported by DARPA (through the GARD program), CIFAR (through a Canada CIFAR AI Chair), by NSERC (under the Discovery Program, and COHESA strategic research network), and by a gift from Intel. We also thank the Vector Institute{\textquoteright}s sponsors. Ilia Shumailov was supported with funds from Bosch-Forschungsstiftung im Stifterverband. We would also like to thank Adelin Travers for help with natural language annotation, Markus Kuhn and Zakhar Shu-maylov for help with Unicode magic, and Darija Halatova for help with visualizations. Publisher Copyright: {\textcopyright} 2022 IEEE.; 43rd IEEE Symposium on Security and Privacy, SP 2022 ; Conference date: 23-05-2022 Through 26-05-2022",

year = "2022",

month = jul,

day = "27",

doi = "DOI: 10.1109/SP46214.2022.9833641",

language = "English",

isbn = "978-1-6654-1317-6",

series = "2022 IEEE Symposium on Security and Privacy (SP)",

publisher = "IEEE",

pages = "1987--2004",

booktitle = "Proceedings of the 43rd IEEE Symposium on Security and Privacy, SP 2022",

url = "https://www.ieee-security.org/TC/SP2022/index.html",

}

Boucher, N, Shumailov, I, Anderson, R & Papernot, N 2022, Bad Characters: Imperceptible NLP Attacks. in Proceedings of the 43rd IEEE Symposium on Security and Privacy, SP 2022. 2022 IEEE Symposium on Security and Privacy (SP), IEEE, pp. 1987-2004, 43rd IEEE Symposium on Security and Privacy, San Francisco, California, United States, 23/05/22. https://doi.org/DOI: 10.1109/SP46214.2022.9833641

TY - GEN

T1 - Bad Characters: Imperceptible NLP Attacks

AU - Boucher, Nicholas

AU - Shumailov, Ilia

AU - Anderson, Ross

AU - Papernot, Nicolas

N1 - Funding Information: This work was supported by DARPA (through the GARD program), CIFAR (through a Canada CIFAR AI Chair), by NSERC (under the Discovery Program, and COHESA strategic research network), and by a gift from Intel. We also thank the Vector Institute’s sponsors. Ilia Shumailov was supported with funds from Bosch-Forschungsstiftung im Stifterverband. We would also like to thank Adelin Travers for help with natural language annotation, Markus Kuhn and Zakhar Shu-maylov for help with Unicode magic, and Darija Halatova for help with visualizations. Publisher Copyright: © 2022 IEEE.

PY - 2022/7/27

Y1 - 2022/7/27

N2 - Several years of research have shown that machine-learning systems are vulnerable to adversarial examples, both in theory and in practice. Until now, such attacks have primarily targeted visual models, exploiting the gap between human and machine perception. Although text-based models have also been attacked with adversarial examples, such attacks struggled to preserve semantic meaning and indistinguishability. In this paper, we explore a large class of adversarial examples that can be used to attack text-based models in a black-box setting without making any human-perceptible visual modification to inputs. We use encoding-specific perturbations that are imperceptible to the human eye to manipulate the outputs of a wide range of Natural Language Processing (NLP) systems from neural machine-translation pipelines to web search engines. We find that with a single imperceptible encoding injection – representing one invisible character, homoglyph, reordering, or deletion – an attacker can significantly reduce the performance of vulnerable models, and with three injections most models can be functionally broken. Our attacks work against currently-deployed commercial systems, including those produced by Microsoft and Google, in addition to open source models published by Facebook, IBM, and HuggingFace. This novel series of attacks presents a significant threat to many language processing systems: an attacker can affect systems in a targeted manner without any assumptions about the underlying model. We conclude that text-based NLP systems require careful input sanitization, just like conventional applications, and that given such systems are now being deployed rapidly at scale, the urgent attention of architects and operators is required.

AB - Several years of research have shown that machine-learning systems are vulnerable to adversarial examples, both in theory and in practice. Until now, such attacks have primarily targeted visual models, exploiting the gap between human and machine perception. Although text-based models have also been attacked with adversarial examples, such attacks struggled to preserve semantic meaning and indistinguishability. In this paper, we explore a large class of adversarial examples that can be used to attack text-based models in a black-box setting without making any human-perceptible visual modification to inputs. We use encoding-specific perturbations that are imperceptible to the human eye to manipulate the outputs of a wide range of Natural Language Processing (NLP) systems from neural machine-translation pipelines to web search engines. We find that with a single imperceptible encoding injection – representing one invisible character, homoglyph, reordering, or deletion – an attacker can significantly reduce the performance of vulnerable models, and with three injections most models can be functionally broken. Our attacks work against currently-deployed commercial systems, including those produced by Microsoft and Google, in addition to open source models published by Facebook, IBM, and HuggingFace. This novel series of attacks presents a significant threat to many language processing systems: an attacker can affect systems in a targeted manner without any assumptions about the underlying model. We conclude that text-based NLP systems require careful input sanitization, just like conventional applications, and that given such systems are now being deployed rapidly at scale, the urgent attention of architects and operators is required.

KW - adversarial machine learning

KW - NLP

KW - text-based models

KW - text encodings

KW - search engines

U2 - DOI: 10.1109/SP46214.2022.9833641

DO - DOI: 10.1109/SP46214.2022.9833641

M3 - Conference contribution

SN - 978-1-6654-1317-6

T3 - 2022 IEEE Symposium on Security and Privacy (SP)

SP - 1987

EP - 2004

BT - Proceedings of the 43rd IEEE Symposium on Security and Privacy, SP 2022

PB - IEEE

T2 - 43rd IEEE Symposium on Security and Privacy

Y2 - 23 May 2022 through 26 May 2022

ER -

Bad Characters: Imperceptible NLP Attacks

Abstract

Publication series

Conference

Keywords

Access to Document

Fingerprint

Cite this