Adversarial examples reading comprehension system
MasaKato1
55 views
17 slides
Jan 09, 2020
Slide 1 of 17
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
About This Presentation
自然言語処理における敵対的サンプル
Slide Content
Adversarial Examples for Evaluating Reading Comprehension Systems Robin Jia and Percy Liang, EMNP 2017 Masahiro Kato Dec. 2th, 2019 1
About this Paper Development in reading comprehension systems improved a standard accuracy metric. However, it is unclear whether the system truly understand language. To investigate the language understanding abilities, authors proposed using adversarial examples for the Stanford Question Answering Dataset ( SQuAD ). In this paper, adversarial examples mean that perturbations in feature variables such that - People can put the true labels, - But it leads the system to misclassify the label. 2
Summary Although, in computer vision, we focus on the model’s oversensitivity to data, we focus on the model’s overstability in evaluation of reading comprehension system. Because we use sentences with paragraph-question-answer and attack on paragraph, adversarial examples should maintain the original answer under adversarial examples. Authors proposed four methods to generate adversarial examples with maintain the original answer. Authors showed their experimental results 3
Example of SQuAD Dataset 4
Evaluations Standard evaluation Standard accuracy: Given a model that takes in paragraph-question pairs and outputs an answer , the standard accuracy over a test is where is F1 score between the true answer and the predicted answer . Proposed evaluation We define an adversary to be a function that takes in an example , optionally with a model , and returns a new example . The adversarial accuracy with respect to is 5
Semantics-preserving Adversaries In image classification, adversarial examples are commonly generated by adding an imperceptible amount of noise to the input ( Szegedy et al., 2014; Goodfellow et al., 2015). These perturbations do not change the semantics of the image, but they can change the predictions of models that are oversensitive to semantics-preserving changes. For language, the direct analogue would be to paraphrase the input ( Madnani and Dorr, 2010). However, high-precision paraphrase generation is challenging, as most edits to a sentence do actually change its meaning. 6
Concatenative Adversaries Concatenative adversaries: Generate examples of the form for a sentence , i.e., add a new sentence to the end of the paragraph, and leave the question and answer unchanged. Valid adversarial examples are precisely those for which s does not contradict the correct answer; we refer to such sentences as being compatible with . Existing models suffer not from oversensitivity but from overstability to semantics-altering edits. 7
8
ADDSENT ADDSENT : Uses a four-step procedure to generate sentences that look similar to the question, but do not actually contradict the correct answer. Apply semantics- altering perturbations to the question. Create a fake answer that has the same ‘type’ as the original answer. Combine the altered question and fake answer into declarative form. i.e., Make a sentence that is compatible to the adversarial question and fake answer. Fix grammatical errors in generated sentences via crowd-sourcing. 9
A Model-independent Adversary ADDSENT requires a small number of queries to the model under evaluation. To explore the possibility of an adversary that is completely model-independent, authors also introduced ADDONESENT , which adds a random human-approved sentence. ADDONESENT does not require any access to the model or to any training data: 10
ADDANY ADDANY : Choose any sequence of words, regardless of grammaticality. We use local search to adversarially choose a distracting sentence . The following figure shows an example of ADDANY with words; in our experiments, we use . Update a word to be another word that minimizes the expected value of the F1 score over the model’s output distribution. ADDCOMMON : Exactly like ADDANY except it only adds common words. 11
12
Setup of Experiments Authors focused on evaluations of the following two published models BiDAF ( Seo et al., 2016) Match-LSTM (Wang and Jiang, 2016) Deep learning architectures that predict a probability distribution over the correct answer. For all experiments, authors measured adversarial F1 score ( Rajpurkar et al., 2016) across 1000 randomly sampled examples from the SQuAD development set. Downsampling was helpful because ADDANY and ADDCOMMON can issue thousands of model queries per example, making them very slow. As the effect sizes we measure are large, this downsampling does not hurt statistical significance. 13
Main Experiments The following table shows the performance of the MatchLSTM and BiDAF models against all four adversaries. Each model incurred a significant accuracy drop under every form of adversarial evaluation. ADDSENT made average F1 score across the four models fall from 75.7% to 31.3%. 14
Main Experiments: Adversary’s Ability Using other models, authors investigated how adversarial examples work. 15
Categorizing ADDSENT Sentences In computer vision, adversarial examples that fool one model also tend to fool other models ( Szegedy et al., 2014; Moosavi-Dezfooli et al., 2017). Authors investigated whether the same pattern holds for them. 16
Training on Adversarial Examples Authors trained models on adversarial examples, to see if existing models can learn to become more robust. Authors used simplified ADDSENT (everything except crowdsourcing) to generate a raw adversarial sentence for each training example. Then trained the BiDAF model from scratch on the union of these examples and the original training data. 17
Tags
Categories
GeneralDownload
Download Slideshow Get the original presentation fileQuick Actions
Statistics
- Views 55
- Slides 17
- Age 2154 days
Related Slideshows
22
Pray For The Peace Of Jerusalem and You Will Prosper
RodolfoMoralesMarcuc
31 views
26
Don_t_Waste_Your_Life_God.....powerpoint
chalobrido8
32 views
31
VILLASUR_FACTORS_TO_CONSIDER_IN_PLATING_SALAD_10-13.pdf
JaiJai148317
30 views
14
Fertility awareness methods for women in the society
Isaiah47
29 views
35
Chapter 5 Arithmetic Functions Computer Organisation and Architecture
RitikSharma297999
26 views
5
syakira bhasa inggris (1) (1).pptx.......
ourcommunity56
28 views