Neural ranking models (NRMs) have attracted considerable attention in information retrieval. Unfortunately, NRMs may inherit the adversarial vulnerabilities of general neural networks, which might be leveraged by black-hat search engine optimization practitioners. Recently, adversarial attacks against NRMs have been explored in the paired attack setting, generating an adversarial perturbation to a target document for a specific query. In this paper, we focus on a more general type of perturbation and introduce the topic-oriented adversarial ranking attack task against NRMs, which aims to find an imperceptible perturbation that can promote a target document in ranking for a group of queries with the same topic. We define both static and dynamic settings for the task and focus on decision-based black-box attacks. We propose a novel framework to improve topic-oriented attack performance based on a surrogate ranking model. The attack problem is formalized as a Markov decision process (MDP) and addressed using reinforcement learning. Specifically, a topic-oriented reward function guides the policy to find a successful adversarial example that can be promoted in rankings to as many queries as possible in a group. Experimental results demonstrate that the proposed framework can significantly outperform existing attack strategies, and we conclude by re-iterating that there exist potential risks for applying NRMs in the real world.

翻译：神经排序模型（NRMs）在信息检索领域引起了广泛关注。然而，NRMs可能继承通用神经网络的对抗性脆弱性，这可能会被黑帽搜索引擎优化从业者利用。近年来，已有研究在配对攻击场景下探索针对NRMs的对抗攻击，即为特定查询生成针对目标文档的对抗扰动。本文聚焦于更通用的扰动类型，提出面向主题的排序对抗攻击任务，旨在寻找一种不可感知的扰动，使目标文档在具有相同主题的查询组中提升排序位置。我们为该任务定义了静态和动态两种设定，并专注于基于决策的黑盒攻击。我们提出了一种基于替代排序模型的新颖框架来提升主题导向攻击性能。该攻击问题被形式化为马尔可夫决策过程（MDP），并通过强化学习求解。具体而言，主题导向的奖励函数引导策略找到成功的对抗样本，使其能在组内尽可能多的查询中提升排序位置。实验结果表明，所提框架显著优于现有攻击策略，最后我们重申：在现实世界中应用NRMs存在潜在风险。