
Bc. Petr Bělohlávek Using Adversarial Examples in Natural Language Processing PDF

97 Pages·2017·0.87 MB·English

MASTER THESIS

Bc. Petr Bělohlávek

Using Adversarial Examples in Natural Language Processing

Institute of Formal and Applied Linguistics

Supervisor of the master thesis: doc. Ing. Zdeněk Žabokrtský, Ph.D.
Study programme: Computer Science
Study branch: Artificial Intelligence

Prague 2017

I declare that I carried out this master thesis independently, and only with the cited sources, literature and other professional sources. I understand that my work relates to the rights and obligations under the Act No. 121/2000 Sb., the Copyright Act, as amended, in particular the fact that Charles University has the right to conclude a license agreement on the use of this work as a school work pursuant to Section 60 subsection 1 of the Copyright Act.

In ........ date ............ signature of the author

Title: Using Adversarial Examples in Natural Language Processing
Author: Bc. Petr Bělohlávek
Institute: Institute of Formal and Applied Linguistics
Supervisor: doc. Ing. Zdeněk Žabokrtský, Ph.D., Institute of Formal and Applied Linguistics

Abstract: Machine learning has received a great deal of attention in recent years. One of the studied areas is the use of adversarial examples. These are artificially constructed examples that exhibit two main features: they resemble the real training data, and they deceive an already trained model. Adversarial examples have been investigated comprehensively in the context of deep convolutional neural networks that process images. Nevertheless, their properties have rarely been examined in connection with networks that process natural language. This thesis evaluates the effect of using adversarial examples during the training of recurrent neural networks. More specifically, the main focus is put on recurrent networks whose text input is a sequence of word/character embeddings that have not been pretrained in advance. The effects of adversarial training are studied by evaluating multiple NLP datasets with various characteristics.

Keywords: Neural networks, Adversarial examples, Natural language processing, Regularization, Evaluation

First and foremost, I would like to express my sincere gratitude to Zdeněk Žabokrtský, the supervisor of this thesis, and Ondřej Plátek, the thesis consultant, for the time they spent discussing the thesis, the overwhelming amount of feedback they provided, and their overall support during the last year. Furthermore, I would like to thank Milan Straka for his interest in my research, for consulting various topics with me and, above all, for organizing the Deep Learning Seminar, which was the source of invaluable discussions. In addition, I would like to thank Kateřina Veselovská for providing me with precious tips that were consequently applied. Finally, I am proud to state that none of this thesis would have been possible without the incredible support and infinite patience of my loving family. My final thanks are dedicated to Patricie, my loved one, whose everlasting optimism, love and care helped me the most.

Contents

1 Introduction
   1.1 Aim of the Thesis
   1.2 Thesis Organization
2 Neural Networks Background
   2.1 Perceptron
   2.2 Feed-forward Neural Networks
      2.2.1 Multi-layer Perceptron
      2.2.2 Gradient-based Optimizations
      2.2.3 Stochastic Gradient Descent
      2.2.4 Back-Propagation
   2.3 Recurrent Neural Network
      2.3.1 Back-propagation Through Time
   2.4 Regularization Techniques
      2.4.1 Shrinkage Methods
      2.4.2 Dropout
      2.4.3 Batch Normalization
      2.4.4 Layer Normalization
   2.5 Dataset Augmentation
   2.6 Neural Networks in NLP
   2.7 Adversarial Examples
      2.7.1 Example
      2.7.2 Perturbation Derivation
      2.7.3 Training Using Adversarial Examples
3 Related Work
   3.1 Deep Neural Network Regularization
   3.2 Image Adversarial Examples
   3.3 Text Adversarial Examples
   3.4 Generative Adversarial Networks
4 Datasets
   4.1 Dataset Characteristics
   4.2 Facebook bAbI Datasets
      4.2.1 bAbI #1 - Single Supporting Fact
      4.2.2 bAbI #2 - Two Supporting Facts
      4.2.3 bAbI #6 - Yes-No Questions
   4.3 Movie Review Data - Subjectivity Detection
   4.4 Sentiment Analysis in Czech
      4.4.1 Social Media Dataset
      4.4.2 Movie Review Dataset
      4.4.3 Product Review Dataset
   4.5 Discriminating between Similar Languages
   4.6 Dataset Summary
5 Framework
   5.1 Backend
   5.2 cxflow
      5.2.1 Architecture
6 Evaluation
   6.1 Evaluation Methodology
   6.2 Model Architecture
   6.3 bAbI
      6.3.1 bAbI #6
      6.3.2 bAbI #1
      6.3.3 bAbI #2
   6.4 Subjectivity Detection
   6.5 Sentiment Analysis in Czech
      6.5.1 Facebook CZ
      6.5.2 CSFD
      6.5.3 Mall
   6.6 Discriminating between Similar Languages
   6.7 Evaluation Summary
7 Conclusion
8 Future Work
Acknowledgment
Bibliography
List of Figures
List of Tables
List of Abbreviations
Attachments
Appendices
A DSL 10k Embedding Dendrograms

1. Introduction

As the amount of generated and consequently collected data increases and new datasets are developed or made accessible, data-driven methods are emphasized and widely employed. Furthermore, they provide results competitive with hand-crafted rule-based systems across many applications that process natural language, recognize various patterns or make automated decisions. In many fields, machine learning methods have already successfully outperformed other approaches requiring human assistance. Lately, deep neural networks in particular have received close attention.
One of the important factors that contributed to the widespread adoption of deep learning is that graphics processing units (GPUs) have been developed to feature greater memory and a larger number of computational units. Another important aspect is the development of network-specific regularization techniques, which have enabled the training of highly complex models.

The actual outburst of deep neural network research began in the second decade of the 21st century, even though the first “shallow” neural network [1] and the model of the neuron itself [2] were published almost 60 years earlier. One of the state-of-the-art-setting deep learning models was AlexNet [3], which was developed for an image classification task¹. In recent years, deep learning has outperformed many other machine learning models in various natural language processing tasks, such as automatic speech recognition (ASR) [4], speech synthesis [5], question answering [6] and standard linguistic tasks [7]. Many of these models were trained completely in an end-to-end manner without any need for hand-crafting.

Training more complicated network architectures requires various techniques that enable the model to perform well. One of these techniques is called adversarial learning, which was introduced especially in the field of image classification [8, 9].

Adversarial examples are generated examples that are intentionally constructed in such a way that the model performs as incorrectly as possible when processing them. Interestingly, some adversarial examples are indistinguishable by humans from the actual training examples. They might appear extremely similar; e.g., in image processing, a single-pixel change may cause the model to predict an incorrect answer while people do not even notice the minor change in the image.
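As a rough, self-contained illustration of such a perturbation (a sketch, not the implementation used in this thesis), the fast-gradient-sign approach of Goodfellow et al. [9] nudges every input dimension by a small step in the direction that increases the model's loss. Below it is applied to a toy logistic-regression "model" whose weights and input are made up for the example:

```python
import numpy as np

# Toy logistic-regression "model"; the weights are illustrative only.
w = np.array([2.0, -3.0, 1.0])
b = 0.5

def sigmoid(z):
    return 1.0 / (1.0 + np.exp(-z))

def loss(x, y):
    # Binary cross-entropy for a single example.
    p = sigmoid(w @ x + b)
    return -(y * np.log(p) + (1 - y) * np.log(1 - p))

def loss_grad_x(x, y):
    # For logistic regression, d(loss)/dx = (p - y) * w.
    p = sigmoid(w @ x + b)
    return (p - y) * w

x = np.array([0.5, 0.2, -0.1])  # a clean input, correctly classified as y = 1
y = 1.0

# Fast-gradient-sign perturbation: a small step that *increases* the loss.
epsilon = 0.25
x_adv = x + epsilon * np.sign(loss_grad_x(x, y))

# The loss grows and the predicted class flips, even though each input
# dimension moved by only 0.25.
print(loss(x, y), loss(x_adv, y))
```

With a perceptually small ε on images, the same construction changes each pixel by only a few intensity levels while driving the loss up sharply, which is why humans do not notice the difference.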
Already constructed adversarial examples can be used as additional training examples, which leads to a regularization effect on the training and an overall performance improvement [8]. In addition, adversarial examples may represent a potential threat to the real-world use of trained models [10].

¹ AlexNet was trained for the ImageNet LSVRC-2010 competition.

A promising technique for generating adversarial examples was introduced by Szegedy et al. [8]. The principle of the method is to exploit the training process of the neural network itself and to search for examples that will be misclassified. In the context of image processing, Szegedy et al. [8] demonstrated that new images, completely indistinguishable from the originals by humans, could completely fool the network. In addition, the authors showed that constructing these images in an online manner (during the training) and consequently using them as a gradient modification works as a regularization.

1.1 Aim of the Thesis

The aims of the thesis are twofold². First, the objective is to implement the online gradient modification using adversarial examples [8, 9] and, additionally, to support recurrent neural networks that process natural language [11].

Secondly, we intend to evaluate the effects of employing adversarial examples during training. For this reason, a set of NLP tasks and their corresponding datasets will be selected. The studied method will be evaluated on these datasets, which feature various characteristics. The interpretation of this evaluation is intended to lead to a conclusion on whether the method is suitable for general application to NLP tasks in which the input text sequence is represented by appropriate word or character embeddings. Such an evaluation shall extend the work of Miyato et al. [11], who have already selected some datasets.
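The online construction described above (perturb the current batch toward higher loss, then descend on both the clean and the perturbed examples) can be sketched with a toy logistic regression over continuous inputs, which here stand in for embedding vectors. All names, constants and data below are illustrative assumptions, not the thesis's actual setup:

```python
import numpy as np

# Toy adversarial-training loop for a logistic regression; every name and
# constant here is illustrative, not taken from the thesis.
rng = np.random.default_rng(0)

# A tiny linearly separable dataset standing in for embedded inputs.
X = rng.normal(size=(40, 3))
y = (X @ np.array([1.5, -2.0, 0.5]) > 0).astype(float)

w, b = np.zeros(3), 0.0
epsilon, lr = 0.05, 0.3

def sigmoid(z):
    return 1.0 / (1.0 + np.exp(-z))

def mean_loss(Xb, yb):
    p = sigmoid(Xb @ w + b)
    return float(np.mean(-(yb * np.log(p + 1e-12)
                           + (1 - yb) * np.log(1 - p + 1e-12))))

initial_loss = mean_loss(X, y)
for step in range(200):
    p = sigmoid(X @ w + b)
    # The input gradient of the loss gives the adversarial direction.
    gx = (p - y)[:, None] * w[None, :]
    X_adv = X + epsilon * np.sign(gx)  # adversarial batch built online
    # One descent step on the combined clean + adversarial objective.
    p_adv = sigmoid(X_adv @ w + b)
    gw = (X.T @ (p - y) + X_adv.T @ (p_adv - y)) / (2 * len(y))
    gb = float(np.mean(np.concatenate([p - y, p_adv - y])))
    w -= lr * gw
    b -= lr * gb

final_loss = mean_loss(X, y)  # drops well below the initial value of ln 2
```

Since text is discrete, this perturbation cannot be applied to the tokens themselves; Miyato et al. [11] therefore add it to the continuous word embeddings, which is the setting this thesis evaluates.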
We intend to focus mainly on end-to-end architectures as much as possible, following the trend of eliminating hand-crafted preprocessing techniques.

² The following paragraphs employ a few notions that will be explained in detail in Chapter 2.

1.2 Thesis Organization

The thesis is organized as follows. In Chapter 2, the neural network background is presented. We encourage readers with a general overview of neural networks to skip this chapter; nevertheless, we advise them to focus on Section 2.7, as it is crucial for the following chapters. Chapter 3 provides an overview of related work, presenting the related literature known to the authors. In Chapter 4, the NLP datasets that will be used for the evaluation of adversarial examples are presented and analyzed in detail. Chapter 5 introduces an open-source tool for simple neural network training and management, which was developed in order to manage a high number of experiment results. In Chapter 6, the evaluation of using adversarial examples as a regularization technique is presented; the evaluation is carried out on the datasets presented in Chapter 4. Finally, Chapters 7 and 8 summarize this thesis and outline intentions for future research, respectively.
