research-article

Open access

Topic-oriented Adversarial Attacks against Black-box Neural Ranking Models

Authors:

Maarten de Rijke,

Xueqi ChengAuthors Info & Claims

SIGIR '23: Proceedings of the 46th International ACM SIGIR Conference on Research and Development in Information Retrieval

Pages 1700 - 1709

https://doi.org/10.1145/3539618.3591777

Published: 18 July 2023 Publication History

Abstract

Neural ranking models (NRMs) have attracted considerable attention in information retrieval. Unfortunately, NRMs may inherit the adversarial vulnerabilities of general neural networks, which might be leveraged by black-hat search engine optimization practitioners. Recently, adversarial attacks against NRMs have been explored in the paired attack setting, generating an adversarial perturbation to a target document for a specific query. In this paper, we focus on a more general type of perturbation and introduce the topic-oriented adversarial ranking attack task against NRMs, which aims to find an imperceptible perturbation that can promote a target document in ranking for a group of queries with the same topic. We define both static and dynamic settings for the task and focus on decision-based black-box attacks. We propose a novel framework to improve topic-oriented attack performance based on a surrogate ranking model. The attack problem is formalized as a Markov decision process (MDP) and addressed using reinforcement learning. Specifically, a topic-oriented reward function guides the policy to find a successful adversarial example that can be promoted in rankings to as many queries as possible in a group. Experimental results demonstrate that the proposed framework can significantly outperform existing attack strategies, and we conclude by re-iterating that there exist potential risks for applying NRMs in the real world.

Supplemental Material

MP4 File

Presentation video of SIGIR 2023 full paper (Submission ID 6223) Topic-oriented Adversarial Attacks against Black-box Neural Ranking Models

Download
45.67 MB

References

[1]

Issa Annamoradnejad. 2020. ColBERT: Using BERT Sentence Embedding for Humor Detection. arXiv: Computation and Language (2020).

[2]

Kai Arulkumaran, Marc Peter Deisenroth, Miles Brundage, and Anil Anthony Bharath. 2017. Deep Reinforcement Learning: A Brief Survey. IEEE Signal Processing Magazine, Vol. 34, 6 (2017), 26--38.

[3]

Juan C. Caicedo and Svetlana Lazebnik. 2015. Active Object Localization with Deep Reinforcement Learning. In ICCV.

[4]

Carlos Castillo and Brian D. Davison. 2011. Adversarial Web Search. Foundations and Trends in Information Retrieval, Vol. 4, 5 (2011), 377--486.

Digital Library

[5]

Daniel Cer, Yinfei Yang, Sheng-yi Kong, Nan Hua, Nicole Limtiaco, Rhomni St John, Noah Constant, Mario Guajardo-Cespedes, Steve Yuan, Chris Tar, et al. 2018. Universal Sentence Encoder. arXiv preprint arXiv:1803.11175 (2018).

[6]

Chegg Writing. 2023. Grammar Checker. https://writing.chegg.com/.

[7]

Mingyang Chen, Junda Lu, Yi Wang, Jianbin Qin, and Wei Wang. 2021. DAIR: A Query-Efficient Decision-based Attack on Image Retrieval Systems. SIGIR.

[8]

Charles L Clarke, Nick Craswell, and Ian Soboroff. 2009. Overview of the TREC 2009 Web Track. Technical Report. Waterloo University.

[9]

Charles L Clarke, Nick Craswell, and Ellen M Voorhees. 2012. Overview of the TREC 2012 Web Track. Technical Report. NIST Gaithersburg MD.

[10]

Nick Craswell, Daniel Campos, Bhaskar Mitra, Emine Yilmaz, and Bodo Billerbeck. 2020. ORCAS: 20 Million Clicked Query-document Pairs for Analyzing Search. In CIKM.

[11]

Giuseppe Cuccu, Julian Togelius, and Philippe Cudré-Mauroux. 2019. Playing Atari with Six Neurons. In AAMAS.

[12]

Zhuyun Dai and Jamie Callan. 2019. Deeper Text Understanding for IR with Contextual Neural Language Modeling. In SIGIR.

[13]

Javid Ebrahimi, Anyi Rao, Daniel Lowd, and Dejing Dou. 2017. HotFlip: White-Box Adversarial Examples for Text Classification. ACL.

[14]

Yixing Fan, Xiaohui Xie, Yinqiong Cai, Jia Chen, Xinyu Ma, Xiangsheng Li, Ruqing Zhang, and Jiafeng Guo. 2022. Pre-training Methods in Information Retrieval. Foundations and Trends in Information Retrieval, Vol. 16, 3 (2022), 178--317.

Digital Library

[15]

Ian J Goodfellow, Jonathon Shlens, and Christian Szegedy. 2015. Explaining and Harnessing Adversarial Examples. In ICLR.

[16]

Gregory Goren, Oren Kurland, Moshe Tennenholtz, and Fiana Raiber. 2020. Ranking-Incentivized Quality Preserving Content Modification. In SIGIR.

[17]

Grammarly. 2023. Writing Assistance. https://app.grammarly.com/.

[18]

Jiafeng Guo, Yixing Fan, Qingyao Ai, and W Bruce Croft. 2016. A deep relevance matching model for ad-hoc retrieval. In CIKM. 55--64.

[19]

Zoltan Gyongyi and Hector Garcia-Molina. 2005. Web Spam Taxonomy. In AIRWeb.

[20]

Jin Huang, Harrie Oosterhuis, Bunyamin Cetinkaya, Thijs Rood, and Maarten de Rijke. 2022. State Encoders in Reinforcement Learning for Recommendation: A Reproducibility Study. In SIGIR. 2018--2023.

[21]

Di Jin, Zhijing Jin, Joey Tianyi Zhou, and Peter Szolovits. 2020. Is BERT Really Robust? A Strong Baseline for Natural Language Attack on Text Classification and Entailment. In AAAI.

[22]

Jacob Devlin Ming-Wei Chang Kenton and Lee Kristina Toutanova. 2019. BERT: Pre-training of Deep Bidirectional Transformers for Language Understanding. In NAACL-HLT.

[23]

Levente Kocsis and Csaba Szepesvári. 2006. Bandit Based Monte-Carlo Planning. In ECML.

[24]

Oren Kurland and Moshe Tennenholtz. 2022. Competitive Search. In SIGIR.

[25]

Yann LeCun, Yoshua Bengio, and Geoffrey Hinton. 2015. Deep Learning. Nature, Vol. 521, 7553 (2015), 436--444.

[26]

Hang Li. 2014. Learning to Rank for Information Retrieval and Natural Language Processing. Synthesis Lectures on Human Language Technologies, Vol. 7, 3 (2014), 1--121.

Digital Library

[27]

Xiaodan Li, Jinfeng Li, Yuefeng Chen, Shaokai Ye, Yuan He, Shuhui Wang, Hang Su, and Hui Xue. 2021. Qair: Practical Query-efficient Black-box Attacks for Image Retrieval. In CVPR.

[28]

Jiawei Liu, Yangyang Kang, Di Tang, Kaisong Song, Changlong Sun, Xiaofeng Wang, Wei Lu, and Xiaozhong Liu. 2022. Order-Disorder: Imitation Adversarial Attacks for Black-box Neural Ranking Models. In CCS. 2025--2039.

[29]

Tie-Yan Liu. 2009. Learning to Rank for Information Retrieval. Foundations and Trends in Information Retrieval, Vol. 3, 3 (2009), 225--331.

Digital Library

[30]

Xinyu Ma, Jiafeng Guo, Ruqing Zhang, Yixing Fan, Xiang Ji, and Xueqi Cheng. 2021b. PROP: Pre-training with Representative Words Prediction for Ad-hoc Retrieval. In WSDM.

[31]

Zhengyi Ma, Zhicheng Dou, Wei Xu, Xinyu Zhang, Hao Jiang, Zhao Cao, and Ji-Rong Wen. 2021a. Pre-training for Ad-hoc Retrieval: Hyperlink Is Also You Need. In CIKM.

[32]

Aleksander Madry, Aleksandar Makelov, Ludwig Schmidt, Dimitris Tsipras, and Adrian Vladu. 2018. Towards Deep Learning Models Resistant to Adversarial Attacks. ICLR.

[33]

Gallil Maimon and Lior Rokach. 2022. A Universal Adversarial Policy for Text Classifiers. Neural Networks, Vol. 153 (2022), 282--291.

Digital Library

[34]

Bhaskar Mitra, Fernando Diaz, and Nick Craswell. 2017. Learning to Match Using Local and Distributed Representations of Text for Web Search. In WWW.

[35]

Seyed-Mohsen Moosavi-Dezfooli, Alhussein Fawzi, Omar Fawzi, and Pascal Frossard. 2017. Universal adversarial perturbations. In CVPR.

[36]

Nikola Mrkvs ić, Diarmuid Ó Séaghdha, Blaise Thomson, Milica Gasic, Lina Maria Rojas-Barahona, Pei-Hao Su, David Vandyke, Tsung-Hsien Wen, and Steve Young. 2016. Counter-fitting Word Vectors to Linguistic Constraints. In NAACL.

[37]

Tri Nguyen, Mir Rosenberg, Xia Song, Jianfeng Gao, Saurabh Tiwary, Rangan Majumder, and Li Deng. 2016. MS MARCO: A Human Generated Machine Reading Comprehension Dataset. In CoCo@NIPS.

[38]

Rodrigo Nogueira and Kyunghyun Cho. 2019. Passage Re-ranking with BERT. arXiv preprint arXiv:1901.04085 (2019).

[39]

Kezban Dilek Onal, Ye Zhang, Ismail Sengor Altingovde, Md. Mustafizur Rahman, Pinar Karagoz, Alexander Braylan, Brandon Dang, Heng-Lu Chang, Henna Kim, Quinten McNamara, Aaron Angert, Edward Banner, Vivek Khetan, Tyler McDonnell, An Thanh Nguyen, Dan Xu, Byron C. Wallace, Maarten de Rijke, and Matthew Lease. 2018. Neural Information Retrieval: At the End of the Early Years. Information Retrieval, Vol. 21, 2--3 (2018), 111--182.

Digital Library

[40]

Nicolas Papernot, Patrick McDaniel, Ian Goodfellow, Somesh Jha, Z Berkay Celik, and Ananthram Swami. 2017. Practical Black-box Attacks Against Machine Learning. In CCS.

[41]

Jay Ponte and W. Bruce Croft. 1998. A Language Modeling Approach to Information Retrieval. SIGIR.

[42]

Nisarg Raval and Manisha Verma. 2020. One Word at a Time: Adversarial Attacks on Retrieval Models. arXiv preprint arXiv:2008.02197 (2020).

[43]

Nils Reimers and Iryna Gurevych. 2019. Sentence-BERT: Sentence Embeddings using Siamese BERT-Networks. In EMNLP.

[44]

Stephen Robertson and S. Walker. 1994. Some Simple Effective Approximations to the 2-Poisson Model for Probabilistic Weighted Retrieval. SIGIR.

[45]

David E Rumelhart, Geoffrey E Hinton, and Ronald J Williams. 1985. Learning Internal Representations by Error Propagation. Technical Report. California Univ San Diego La Jolla Inst for Cognitive Science.

[46]

Gerard Salton, A. Wong, and C. S. Yang. 1975. A Vector Space Model for Automatic Indexing. Commun. ACM, Vol. 18, 11 (1975), 613--620.

Digital Library

[47]

David Silver, Aja Huang, Chris J Maddison, Arthur Guez, Laurent Sifre, George Van Den Driessche, Julian Schrittwieser, Ioannis Antonoglou, Veda Panneershelvam, Marc Lanctot, Sander Dieleman, Dominik Grewe, John Nham, Nal Kalchbrenner, Ilya Sutskever, Timothy Lillicrap, Madeleine Leach, Koray Kavukcuoglu, Thore Graepel, and Demis Hassabis. 2016. Mastering the Game of Go with Deep Neural Networks and Tree Search. Nature, Vol. 529, 7587 (2016), 484--489.

[48]

Congzheng Song, Alexander M. Rush, and Vitaly Shmatikov. 2020. Adversarial Semantic Collisions. EMNLP.

[49]

Liwei Song, Xinwei Yu, Hsuan-Tung Peng, and Karthik Narasimhan. 2021. Universal Adversarial Attacks with Natural Triggers for Text Classification. NAACL.

[50]

Richard S. Sutton and Andrew G. Barto. 2018. Reinforcement Learning: An Introduction. MIT Press.

Digital Library

[51]

Christian Szegedy, Wojciech Zaremba, Ilya Sutskever, Joan Bruna, Dumitru Erhan, Ian Goodfellow, and Rob Fergus. 2014. Intriguing Properties of Neural Networks. In ICLR.

[52]

Prashanth Vijayaraghavan and Deb Roy. 2019. Generating Black-box Adversarial Examples for Text Classifiers Using a Deep Reinforced Model. In ECML PKDD.

[53]

Eric Wallace, Shi Feng, Nikhil Kandpal, Matt Gardner, and Sameer Singh. 2019. Universal Adversarial Triggers for Attacking and Analyzing NLP. EMNLP.

[54]

Yumeng Wang, Lijun Lyu, and Avishek Anand. 2022. BERT Rankers are Brittle: A Study using Adversarial Document Perturbations. In ICTIR.

[55]

Chen Wu, Ruqing Zhang, Jiafeng Guo, Maarten de Rijke, Yixing Fan, and Xueqi Cheng. 2023 a. PRADA: Practical Black-Box Adversarial Attacks against Neural Ranking Models. ACM Transactions on Information Systems, Vol. 41, 4 (2023), Article 89.

Digital Library

[56]

Chen Wu, Ruqing Zhang, Jiafeng Guo, Yixing Fan, and Xueqi Cheng. 2023 b. Are Neural Ranking Models Robust? ACM Transactions on Information Systems, Vol. 41, 2 (2023), Article 29.

Digital Library

[57]

Jingjing Xu, Liang Zhao, Hanqi Yan, Qi Zeng, Yun Liang, and Xu Sun. 2019. LexicalAT: Lexical-based Adversarial Reinforcement Training for Robust Sentiment Classification. In EMNLP-IJCNLP.

[58]

Peilin Yang, Hui Fang, and Jimmy Lin. 2018. Anserini: Reproducible Ranking Baselines Using Lucene. Journal of Data and Information Quality, Vol. 10, 4 (2018), Article 16.

Digital Library

[59]

Lantao Yu, Weinan Zhang, Jun Wang, and Yong Yu. 2017. SeqGAN: Sequence Generative Adversarial Nets with Policy Gradient. In AAAI.

[60]

Wei Emma Zhang, Quan Z Sheng, Ahoud Alhazmi, and Chenliang Li. 2020. Adversarial Attacks on Deep-learning Models in Natural Language Processing: A Survey. ACM Transactions on Intelligent Systems and Technology, Vol. 11, 3 (2020), Article 24.

Digital Library

[61]

Bin Zhou and Jian Pei. 2009. OSD: An Online Web Spam Detection System. In KDD, Vol. 9.

[62]

Wei Zou, Shujian Huang, Jun Xie, Xinyu Dai, and Jiajun Chen. 2020. A Reinforced Generation of Adversarial Examples for Neural Machine Translation. In ACL.

Cited By

Nachimovsky HTennenholtz MRaiber FKurland OOosterhuis HBast HXiong C(2024)Ranking-Incentivized Document Manipulations for Multiple QueriesProceedings of the 2024 ACM SIGIR International Conference on Theory of Information Retrieval10.1145/3664190.3672516(61-70)Online publication date: 2-Aug-2024
https://dl.acm.org/doi/10.1145/3664190.3672516
Liu YZhang RGuo Jde Rijke MHui Yang GWang HHan SHauff CZuccon GZhang Y(2024)Robust Information RetrievalProceedings of the 47th International ACM SIGIR Conference on Research and Development in Information Retrieval10.1145/3626772.3661380(3009-3012)Online publication date: 10-Jul-2024
https://dl.acm.org/doi/10.1145/3626772.3661380
Liu YZhang RGuo Jde Rijke MFan YCheng XHui Yang GWang HHan SHauff CZuccon GZhang Y(2024)Multi-granular Adversarial Attacks against Black-box Neural Ranking ModelsProceedings of the 47th International ACM SIGIR Conference on Research and Development in Information Retrieval10.1145/3626772.3657704(1391-1400)Online publication date: 10-Jul-2024
https://dl.acm.org/doi/10.1145/3626772.3657704
Show More Cited By

Index Terms

Topic-oriented Adversarial Attacks against Black-box Neural Ranking Models
1. Information systems
  1. Information retrieval
    1. Retrieval models and ranking
    2. Search engine architectures and scalability
      1. Adversarial retrieval

Recommendations

PRADA: Practical Black-box Adversarial Attacks against Neural Ranking Models
Neural ranking models (NRMs) have shown remarkable success in recent years, especially with pre-trained language models. However, deep neural models are notorious for their vulnerability to adversarial examples. Adversarial attacks may become a new type ...
Multi-granular Adversarial Attacks against Black-box Neural Ranking Models
SIGIR '24: Proceedings of the 47th International ACM SIGIR Conference on Research and Development in Information Retrieval

Adversarial ranking attacks have gained increasing attention due to their success in probing vulnerabilities, and, hence, enhancing the robustness, of neural ranking models. Conventional attack methods employ perturbations at a single granularity, e.g., ...
Black-box adversarial attacks on XSS attack detection model
Abstract
Cross-site scripting (XSS) has been extensively studied, although mitigating such attacks in web applications remains challenging. While there is an increasing number of XSS attack detection approaches designed based on machine ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

SIGIR '23: Proceedings of the 46th International ACM SIGIR Conference on Research and Development in Information Retrieval

July 2023

3567 pages

ISBN:9781450394086

DOI:10.1145/3539618

General Chairs:
Hsin-Hsi Chen
National Taiwan University
,
Wei-Jou (Edward) Duh
National Taiwan University
,
Hen-Hsen Huang
Academia Sinica
,
Program Chairs:
Makoto P. Kato
Spotify
,
Josiane Mothe
Universite de Toulouse
,
Barbara Poblete
University of Chile and Amazon Visiting Academic

Copyright © 2023 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Sponsors

SIGIR: ACM Special Interest Group on Information Retrieval

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 18 July 2023

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Funding Sources

Young Elite Scientist Sponsorship Program by CAST
CAS Project for Young Scientists in Basic Research
Innovation Project of ICT CAS
Hybrid Intelligence Center
National Natural Science Foundation of China (NSFC)
Lenovo-CAS Joint Lab Youth Scientist Project
China Scholarship Council
Youth Innovation Promotion Association CAS

Conference

SIGIR '23

Sponsor:

SIGIR

SIGIR '23: The 46th International ACM SIGIR Conference on Research and Development in Information Retrieval

July 23 - 27, 2023

Taipei, Taiwan

Acceptance Rates

Overall Acceptance Rate 792 of 3,983 submissions, 20%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

6
Total Citations
View Citations
273
Total Downloads

Downloads (Last 12 months)254
Downloads (Last 6 weeks)46

Reflects downloads up to 09 Aug 2024

Other Metrics

View Author Metrics

Citations

Cited By

Nachimovsky HTennenholtz MRaiber FKurland OOosterhuis HBast HXiong C(2024)Ranking-Incentivized Document Manipulations for Multiple QueriesProceedings of the 2024 ACM SIGIR International Conference on Theory of Information Retrieval10.1145/3664190.3672516(61-70)Online publication date: 2-Aug-2024
https://dl.acm.org/doi/10.1145/3664190.3672516
Liu YZhang RGuo Jde Rijke MHui Yang GWang HHan SHauff CZuccon GZhang Y(2024)Robust Information RetrievalProceedings of the 47th International ACM SIGIR Conference on Research and Development in Information Retrieval10.1145/3626772.3661380(3009-3012)Online publication date: 10-Jul-2024
https://dl.acm.org/doi/10.1145/3626772.3661380
Liu YZhang RGuo Jde Rijke MFan YCheng XHui Yang GWang HHan SHauff CZuccon GZhang Y(2024)Multi-granular Adversarial Attacks against Black-box Neural Ranking ModelsProceedings of the 47th International ACM SIGIR Conference on Research and Development in Information Retrieval10.1145/3626772.3657704(1391-1400)Online publication date: 10-Jul-2024
https://dl.acm.org/doi/10.1145/3626772.3657704
Parry AFröbe MMacAvaney SPotthast MHagen M(2024)Analyzing Adversarial Attacks on Sequence-to-Sequence Relevance ModelsAdvances in Information Retrieval10.1007/978-3-031-56060-6_19(286-302)Online publication date: 24-Mar-2024
https://dl.acm.org/doi/10.1007/978-3-031-56060-6_19
Ni SBi KGuo JCheng X(2023)A Comparative Study of Training Objectives for Clarification Facet GenerationProceedings of the Annual International ACM SIGIR Conference on Research and Development in Information Retrieval in the Asia Pacific Region10.1145/3624918.3625332(1-10)Online publication date: 26-Nov-2023
https://dl.acm.org/doi/10.1145/3624918.3625332
Liu YZhang RGuo Jde Rijke MChen WFan YCheng XFrommholz IHopfgartner FLee MOakes MLalmas MZhang MSantos R(2023)Black-box Adversarial Attacks against Dense Retrieval Models: A Multi-view Contrastive Learning MethodProceedings of the 32nd ACM International Conference on Information and Knowledge Management10.1145/3583780.3614793(1647-1656)Online publication date: 21-Oct-2023
https://dl.acm.org/doi/10.1145/3583780.3614793

View Options

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Media

Figures

Other

Tables

View Table of Contents