Word-level textual adversarial attacks have achieved striking performance in fooling natural language processing models. However, the fundamental questions of why these attacks are effective, and what the intrinsic properties of the adversarial examples (AEs) are, are still not well understood. This work attempts to interpret textual attacks through the lens of $n$-gram frequency. Specifically, it is revealed that existing word-level attacks exhibit a strong tendency to generate examples with $n$-gram frequency descend ($n$-FD). Intuitively, this finding suggests a natural way to improve model robustness: training the model on $n$-FD examples. To verify this idea, we devise a model-agnostic and gradient-free AE generation approach that relies solely on $n$-gram frequency information, and further integrate it into the recently proposed convex hull framework for adversarial training. Surprisingly, the resultant method performs quite similarly to the original gradient-based method in terms of model robustness. These findings provide a human-understandable perspective for interpreting word-level textual adversarial attacks, and a new direction for improving model robustness.
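As an added illustration (not the paper's code), the following Python sketch makes the $n$-FD notion concrete and shows how an AE can be selected from $n$-gram statistics alone, with no model or gradient involved. The toy corpus, the synonym candidate lists, the log-count frequency score and the greedy selection rule are all assumptions made here, not the paper's definitions.

```python
# Added example: n-gram frequency descend (n-FD) measured on a constructed corpus,
# plus a gradient-free, model-agnostic substitution rule driven only by n-gram counts.
from collections import Counter
import math

# Constructed toy corpus standing in for the training data whose n-grams are counted.
CORPUS = [
    "the movie was really good and the acting was great",
    "the film was really good but the plot was thin",
    "the acting was great and the story was fine",
    "a good movie with great acting",
]
# Constructed synonym candidates (assumption: any source of candidate words would do).
CANDIDATES = {"good": ["fine", "nice"], "great": ["superb"], "really": ["truly"]}

def ngram_counts(sentences, n):
    """Count all 1..n-grams (inclusive) over a whitespace-tokenized corpus."""
    counts = Counter()
    for s in sentences:
        toks = s.split()
        for k in range(1, n + 1):
            for i in range(len(toks) - k + 1):
                counts[tuple(toks[i:i + k])] += 1
    return counts

def sentence_frequency(tokens, counts, n):
    """Assumed score: sum of log(1 + count) over all 1..n-grams; higher = more typical text."""
    return sum(math.log1p(counts.get(tuple(tokens[i:i + k]), 0))
               for k in range(1, n + 1) for i in range(len(tokens) - k + 1))

def frequency_descend(orig, adv, counts, n):
    """n-FD amount: how far n-gram frequency drops from orig to adv (positive = descend)."""
    return sentence_frequency(orig.split(), counts, n) - sentence_frequency(adv.split(), counts, n)

def greedy_low_frequency_substitute(sentence, candidates, counts, n, max_changes=2):
    """Assumed generator: per step, apply the single candidate swap with the largest n-FD."""
    toks = sentence.split()
    for _ in range(max_changes):
        base, best = sentence_frequency(toks, counts, n), None
        for i, w in enumerate(toks):
            for cand in candidates.get(w, []):
                trial = toks[:i] + [cand] + toks[i + 1:]
                drop = base - sentence_frequency(trial, counts, n)
                if drop > 0 and (best is None or drop > best[0]):
                    best = (drop, trial)
        if best is None:  # no swap lowers frequency any further
            break
        toks = best[1]
    return " ".join(toks)

COUNTS = ngram_counts(CORPUS, 2)
```

Running `greedy_low_frequency_substitute("the movie was really good", CANDIDATES, COUNTS, 2)` swaps the two words whose replacements are rarest in the corpus; the resulting pairs are the kind of $n$-FD examples the abstract proposes for adversarial training.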