Semantically Improved Adversarial Attack Based on Masked Language Model via Context Preservation

Hao Tian; Hao-tian Wu; Yiu-ming Cheung; Junhui He; Zhihong Tian

doi:10.1109/DSN64029.2025.00029

Semantically Improved Adversarial Attack Based on Masked Language Model via Context Preservation

Hao Tian, Hao-tian Wu^*, Yiu-ming Cheung, Junhui He, Zhihong Tian

^*Corresponding author for this work

Department of Computer Science

Research output: Chapter in book/report/conference proceeding › Conference proceeding › peer-review

Abstract

In masked language model (MLM) based attacks, candidate adversarial examples are flexibly generated according to the context, but how to balance imperceptibility and success rate of attacks remains a challenge. To pursue imperceptibility, external semantic constraints are imposed on candidate word generation, whereby the search space is restricted and the success rate of attacks drops. To address this issue, a semantically improved adversarial attack denoted by SAM-CP is proposed by generating high-quality candidate words satisfying the semantic constraints. In particular, linguistic constraints are adopted so that high-quality semantic candidates can be generated as fine-tuning labels instead of manual annotation. Extensive experimental results on three open-source datasets demonstrate that SAM-CP significantly improves the semantic consistency of generated adversarial samples by adopting different MLMs, respectively. Without compromising text quality, the ability to use SAM-CP to deceive state-of-the-art text classifiers is evaluated. Visit https://github.com/HugoTianX/SAM-CP for details and codes.

Original language	English
Title of host publication	Proceedings - 2025 55th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2025
Editors	Marcello Cinque, Domenico Cotroneo, Luigi De Simone, Matthias Eckhart, Patrick P. C. Lee, Saman Zonouz
Publisher	IEEE
Pages	171-182
Number of pages	12
ISBN (Electronic)	9798331512019
ISBN (Print)	9798331512026
DOIs	https://doi.org/10.1109/DSN64029.2025.00029
Publication status	Published - 23 Jun 2025
Event	The 55th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2025 - Naples, Italy Duration: 23 Jun 2025 → 26 Jun 2025 https://dsn2025.github.io/cpaccepted.html

Publication series

Name	International Conference on Dependable Systems and Networks (DSN)

Conference

Conference	The 55th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2025
Abbreviated title	DSN 2025
Country/Territory	Italy
City	Naples
Period	23/06/25 → 26/06/25
Internet address	https://dsn2025.github.io/cpaccepted.html

User-Defined Keywords

Adversarial example
context preservation
masked language model
semantic constraint
text quality

Access to Document

10.1109/DSN64029.2025.00029

Cite this

Tian, H., Wu, H., Cheung, Y., He, J., & Tian, Z. (2025). Semantically Improved Adversarial Attack Based on Masked Language Model via Context Preservation. In M. Cinque, D. Cotroneo, L. De Simone, M. Eckhart, P. P. C. Lee, & S. Zonouz (Eds.), Proceedings - 2025 55th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2025 (pp. 171-182). (International Conference on Dependable Systems and Networks (DSN)). IEEE. https://doi.org/10.1109/DSN64029.2025.00029

Tian, Hao ; Wu, Hao-tian ; Cheung, Yiu-ming et al. / Semantically Improved Adversarial Attack Based on Masked Language Model via Context Preservation. Proceedings - 2025 55th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2025. editor / Marcello Cinque ; Domenico Cotroneo ; Luigi De Simone ; Matthias Eckhart ; Patrick P. C. Lee ; Saman Zonouz. IEEE, 2025. pp. 171-182 (International Conference on Dependable Systems and Networks (DSN)).

@inproceedings{cb1e50d3e3b94e439ba1a2d13d7cfa45,

title = "Semantically Improved Adversarial Attack Based on Masked Language Model via Context Preservation",

abstract = "In masked language model (MLM) based attacks, candidate adversarial examples are flexibly generated according to the context, but how to balance imperceptibility and success rate of attacks remains a challenge. To pursue imperceptibility, external semantic constraints are imposed on candidate word generation, whereby the search space is restricted and the success rate of attacks drops. To address this issue, a semantically improved adversarial attack denoted by SAM-CP is proposed by generating high-quality candidate words satisfying the semantic constraints. In particular, linguistic constraints are adopted so that high-quality semantic candidates can be generated as fine-tuning labels instead of manual annotation. Extensive experimental results on three open-source datasets demonstrate that SAM-CP significantly improves the semantic consistency of generated adversarial samples by adopting different MLMs, respectively. Without compromising text quality, the ability to use SAM-CP to deceive state-of-the-art text classifiers is evaluated. Visit https://github.com/HugoTianX/SAM-CP for details and codes.",

keywords = "Adversarial example, context preservation, masked language model, semantic constraint, text quality",

author = "Hao Tian and Hao-tian Wu and Yiu-ming Cheung and Junhui He and Zhihong Tian",

note = "This work was supported in part by the Natural Science Foundation of China (Grants 62472112, U2436208 and 62372129), and in part by Guangdong ST Program (Grant 2024B0101010002) and the Project of Guangdong Key Laboratory of Industrial Control System Security (Grant 2024B1212020010). Publisher Copyright: {\textcopyright} 2025 IEEE.; The 55th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2025, DSN 2025 ; Conference date: 23-06-2025 Through 26-06-2025",

year = "2025",

month = jun,

day = "23",

doi = "10.1109/DSN64029.2025.00029",

language = "English",

isbn = "9798331512026",

series = "International Conference on Dependable Systems and Networks (DSN)",

publisher = "IEEE",

pages = "171--182",

editor = "Marcello Cinque and Domenico Cotroneo and {De Simone}, Luigi and Matthias Eckhart and Lee, {Patrick P. C.} and Saman Zonouz",

booktitle = "Proceedings - 2025 55th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2025",

address = "United States",

url = "https://dsn2025.github.io/cpaccepted.html",

}

Tian, H, Wu, H, Cheung, Y, He, J & Tian, Z 2025, Semantically Improved Adversarial Attack Based on Masked Language Model via Context Preservation. in M Cinque, D Cotroneo, L De Simone, M Eckhart, PPC Lee & S Zonouz (eds), Proceedings - 2025 55th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2025. International Conference on Dependable Systems and Networks (DSN), IEEE, pp. 171-182, The 55th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2025, Naples, Italy, 23/06/25. https://doi.org/10.1109/DSN64029.2025.00029

Semantically Improved Adversarial Attack Based on Masked Language Model via Context Preservation. / Tian, Hao; Wu, Hao-tian; Cheung, Yiu-ming et al.
Proceedings - 2025 55th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2025. ed. / Marcello Cinque; Domenico Cotroneo; Luigi De Simone; Matthias Eckhart; Patrick P. C. Lee; Saman Zonouz. IEEE, 2025. p. 171-182 (International Conference on Dependable Systems and Networks (DSN)).

Research output: Chapter in book/report/conference proceeding › Conference proceeding › peer-review

TY - GEN

T1 - Semantically Improved Adversarial Attack Based on Masked Language Model via Context Preservation

AU - Tian, Hao

AU - Wu, Hao-tian

AU - Cheung, Yiu-ming

AU - He, Junhui

AU - Tian, Zhihong

N1 - This work was supported in part by the Natural Science Foundation of China (Grants 62472112, U2436208 and 62372129), and in part by Guangdong ST Program (Grant 2024B0101010002) and the Project of Guangdong Key Laboratory of Industrial Control System Security (Grant 2024B1212020010). Publisher Copyright: © 2025 IEEE.

PY - 2025/6/23

Y1 - 2025/6/23

N2 - In masked language model (MLM) based attacks, candidate adversarial examples are flexibly generated according to the context, but how to balance imperceptibility and success rate of attacks remains a challenge. To pursue imperceptibility, external semantic constraints are imposed on candidate word generation, whereby the search space is restricted and the success rate of attacks drops. To address this issue, a semantically improved adversarial attack denoted by SAM-CP is proposed by generating high-quality candidate words satisfying the semantic constraints. In particular, linguistic constraints are adopted so that high-quality semantic candidates can be generated as fine-tuning labels instead of manual annotation. Extensive experimental results on three open-source datasets demonstrate that SAM-CP significantly improves the semantic consistency of generated adversarial samples by adopting different MLMs, respectively. Without compromising text quality, the ability to use SAM-CP to deceive state-of-the-art text classifiers is evaluated. Visit https://github.com/HugoTianX/SAM-CP for details and codes.

AB - In masked language model (MLM) based attacks, candidate adversarial examples are flexibly generated according to the context, but how to balance imperceptibility and success rate of attacks remains a challenge. To pursue imperceptibility, external semantic constraints are imposed on candidate word generation, whereby the search space is restricted and the success rate of attacks drops. To address this issue, a semantically improved adversarial attack denoted by SAM-CP is proposed by generating high-quality candidate words satisfying the semantic constraints. In particular, linguistic constraints are adopted so that high-quality semantic candidates can be generated as fine-tuning labels instead of manual annotation. Extensive experimental results on three open-source datasets demonstrate that SAM-CP significantly improves the semantic consistency of generated adversarial samples by adopting different MLMs, respectively. Without compromising text quality, the ability to use SAM-CP to deceive state-of-the-art text classifiers is evaluated. Visit https://github.com/HugoTianX/SAM-CP for details and codes.

KW - Adversarial example

KW - context preservation

KW - masked language model

KW - semantic constraint

KW - text quality

UR - http://www.scopus.com/inward/record.url?scp=105011819082&partnerID=8YFLogxK

U2 - 10.1109/DSN64029.2025.00029

DO - 10.1109/DSN64029.2025.00029

M3 - Conference proceeding

SN - 9798331512026

T3 - International Conference on Dependable Systems and Networks (DSN)

SP - 171

EP - 182

BT - Proceedings - 2025 55th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2025

A2 - Cinque, Marcello

A2 - Cotroneo, Domenico

A2 - De Simone, Luigi

A2 - Eckhart, Matthias

A2 - Lee, Patrick P. C.

A2 - Zonouz, Saman

PB - IEEE

T2 - The 55th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2025

Y2 - 23 June 2025 through 26 June 2025

ER -

Tian H, Wu H, Cheung Y, He J, Tian Z. Semantically Improved Adversarial Attack Based on Masked Language Model via Context Preservation. In Cinque M, Cotroneo D, De Simone L, Eckhart M, Lee PPC, Zonouz S, editors, Proceedings - 2025 55th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2025. IEEE. 2025. p. 171-182. (International Conference on Dependable Systems and Networks (DSN)). doi: 10.1109/DSN64029.2025.00029

Semantically Improved Adversarial Attack Based on Masked Language Model via Context Preservation

Abstract

Publication series

Conference

User-Defined Keywords

Access to Document

Other files and links

Fingerprint

Cite this