Local Post-hoc Explainable Methods for Adversarial Text Attacks

Deep learning models have significantly advanced various natural language processing tasks. However, they are strikingly vulnerable to adversarial text attacks, even in the black-box setting where no model knowledge is accessible to hackers. Such attacks are conducted with a two-phase framework: 1) a sensitivity estimation phase to evaluate each element’s sensitivity to the target model’s prediction, and 2) a perturbation execution phase to craft the adversarial examples based on estimated element sensitivity. This study explored the connections between the local post-hoc explainable methods for deep learning and black-box adversarial text attacks and proposed a novel eXplanation-based method for crafting Adversarial Text Attacks (XATA). XATA leverages local post-hoc explainable methods (e.g., LIME or SHAP) to measure input elements’ sensitivity and adopts the word replacement perturbation strategy to craft adversarial examples. We evaluated the attack performance of the proposed XATA on three commonly used text-based datasets: IMDB Movie Review, Yelp Reviews-Polarity, and Amazon Reviews-Polarity. The proposed XATA outperformed existing baselines in various target models, including LSTM, GRU, CNN, and BERT. Moreover, we found that improved local post-hoc explainable methods (e.g., SHAP) lead to more effective adversarial attacks. These findings showed that when researchers constantly advance the explainability of deep learning models with local post-hoc methods, they also provide hackers with weapons to craft more targeted and dangerous adversarial attacks.

Local Post-hoc Explainable Methods for Adversarial Text Attacks

Deep learning models have significantly advanced various natural language processing tasks. However, they are strikingly vulnerable to adversarial text attacks, even in the black-box setting where no model knowledge is accessible to hackers. Such attacks are conducted with a two-phase framework: 1) a sensitivity estimation phase to evaluate each element’s sensitivity to the target model’s prediction, and 2) a perturbation execution phase to craft the adversarial examples based on estimated element sensitivity. This study explored the connections between the local post-hoc explainable methods for deep learning and black-box adversarial text attacks and proposed a novel eXplanation-based method for crafting Adversarial Text Attacks (XATA). XATA leverages local post-hoc explainable methods (e.g., LIME or SHAP) to measure input elements’ sensitivity and adopts the word replacement perturbation strategy to craft adversarial examples. We evaluated the attack performance of the proposed XATA on three commonly used text-based datasets: IMDB Movie Review, Yelp Reviews-Polarity, and Amazon Reviews-Polarity. The proposed XATA outperformed existing baselines in various target models, including LSTM, GRU, CNN, and BERT. Moreover, we found that improved local post-hoc explainable methods (e.g., SHAP) lead to more effective adversarial attacks. These findings showed that when researchers constantly advance the explainability of deep learning models with local post-hoc methods, they also provide hackers with weapons to craft more targeted and dangerous adversarial attacks.

JOM-4S Overhauser Magnetometer and Sensitivity Estimation

The Overhauser magnetometer is a scalar quantum magnetometer based on the dynamic nuclear polarization (DNP) effect in the Earth’s magnetic field. Sensitivity is a key technical specification reflecting the ability of instruments to sense small variations of the Earth’s magnetic field and is closely related to the signal-to-noise ratio (SNR) of the free induction decay (FID) signal. In this study, deuterated 15N TEMPONE radical is used in our sensor to obtain high DNP enhancement. The measured SNR of the FID signal is approximately 63/1, and the transverse relaxation time T2 is 2.68 s. The direct measurement method with a single instrument and the synchronous measurement method with two instruments are discussed for sensitivity estimation in time and frequency domains under different electromagnetic interference (EMI) environments and different time periods. For the first time, the correlation coefficient of the magnetic field measured by the two instruments is used to judge the degree of the influence of the environmental noise on the sensitivity estimation. The sensitivity evaluation in the field environment is successfully realized without electrical and magnetic shields. The direct measurement method is susceptible to EMI and cannot work in general electromagnetic environments, except it is sufficiently quiet. The synchronous measurement method has an excellent ability to remove most natural and artificial EMIs and can be used under noisy environments. Direct and synchronous experimental results show that the estimated sensitivity of the JOM-4S magnetometer is approximately 0.01 nT in time domain and approximately 0.01 nT/ in frequency domain at a 3 s cycling time. This study provides a low-cost, simple, and effective sensitivity estimation method, which is especially suitable for developers and users to estimate the performance of the instrument.

The Effects of Additional Local-Mixing Compartments in the DISST Model-Based Assessment of Insulin Sensitivity

Background: The identification of insulin sensitivity in glycemic modelling can be heavily obstructed by the presence of outlying data or unmodelled effects. The effect of data indicative of local mixing is especially problematic with models assuming rapid mixing of compartments. Methods such as manual removal of data and outlier detection methods have been used to improve parameter ID in these cases, but modelling data with more compartments is another potential approach. Methods: This research compares a mixing model with local depot site compartments with an existing, clinically validated insulin sensitivity test model. The Levenberg-Marquardt (LM) parameter identification method was implemented alongside a modified version (aLM) capable of operator-independent omission of outlier data in accordance with the 3 standard deviation rule. Three cases were tested: LM where data points suspected to be affected by incomplete mixing at the depot site were removed, aLM, and LM with the more complex mixing model. Results: While insulin parameters identified in the mixing model differed greatly from those in the DISST model, there were strong Spearman correlations of approximately 0.93 for the insulin sensitivity values identified across all 3 methods. The 2 models also showed comparable identification stability in insulin sensitivity estimation through a Monte Carlo analysis. However, the mixing model required modifications to the identification process to improve convergence, and still failed to converge to feasible parameters on 5 of the 212 trials. Conclusions: The mixing compartment model effectively captured the dynamics of mixing behavior, but with no significant improvement in insulin sensitivity identification.