Neural ranking models (NRMs) have shown great success in information retrieval (IR). But their predictions can easily be manipulated using adversarial examples, which are crafted by adding imperceptible perturbations to legitimate documents. This vulnerability raises significant concerns about their reliability and hinders the widespread deployment of NRMs. By incorporating adversarial examples into training data, adversarial training has become the de facto defense approach to adversarial attacks against NRMs. However, this defense mechanism is subject to a trade-off between effectiveness and adversarial robustness. In this study, we establish theoretical guarantees regarding the effectiveness-robustness trade-off in NRMs. We decompose the robust ranking error into two components, i.e., a natural ranking error for effectiveness evaluation and a boundary ranking error for assessing adversarial robustness. Then, we define the perturbation invariance of a ranking model and prove it to be a differentiable upper bound on the boundary ranking error for attainable computation. Informed by our theoretical analysis, we design a novel \emph{perturbation-invariant adversarial training} (PIAT) method for ranking models to achieve a better effectiveness-robustness trade-off. We design a regularized surrogate loss, in which one term encourages the effectiveness to be maximized while the regularization term encourages the output to be smooth, so as to improve adversarial robustness. Experimental results on several ranking models demonstrate the superiority of PITA compared to existing adversarial defenses.

翻译：神经排序模型（NRMs）在信息检索（IR）领域取得了显著成功。然而，其预测结果容易受到对抗样本的操控——这类样本通过在合法文档中添加人眼不可察觉的扰动生成。这一脆弱性引发了对其可靠性的严重担忧，并阻碍了NRMs的广泛部署。通过将对抗样本纳入训练数据，对抗训练已成为应对NRMs对抗攻击的事实标准防御方法。然而，这种防御机制在有效性与对抗鲁棒性之间存在权衡。本研究为NRMs中有效性与鲁棒性的权衡建立了理论保证。我们将鲁棒排序误差分解为两个组成部分：用于有效性评估的自然排序误差和用于评估对抗鲁棒性的边界排序误差。随后，我们定义了排序模型的扰动不变性，并证明其可作为边界排序误差的可微上界以实现可计算性。基于理论分析，我们设计了一种新颖的针对排序模型的扰动不变对抗训练（PIAT）方法，以实现更优的有效性-鲁棒性权衡。我们设计了正则化代理损失函数，其中一项用于最大化有效性，正则化项则通过促进输出平滑性来提升对抗鲁棒性。在多个排序模型上的实验结果证明了PIAT相较于现有对抗防御方法的优越性。