Black-box Adversarial Attacks against Dense Retrieval Models: A Multi-view Contrastive Learning Method

Neural ranking models (NRMs) and dense retrieval (DR) models have led to substantial improvements in overall retrieval performance. Beyond effectiveness, and motivated by the well-documented lack of robustness of deep learning-based approaches in other areas, there is growing interest in the robustness of such approaches to the core retrieval problem. The adversarial attack methods developed so far focus mainly on attacking NRMs, with very little attention paid to the robustness of DR models. In this paper, we introduce the adversarial retrieval attack (AREA) task. The AREA task is meant to trick DR models into retrieving a target document that lies outside the initial set of candidate documents retrieved by the DR model in response to a query. We consider the decision-based black-box adversarial setting, which is realistic for real-world search engines. To address the AREA task, we first apply existing adversarial attack methods designed for NRMs. We find that the promising results previously reported for attacks on NRMs do not generalize to DR models: these methods underperform a simple term spamming baseline. We attribute this lack of generalizability to the interaction-focused architecture of NRMs, which emphasizes fine-grained relevance matching, whereas DR models follow a representation-focused architecture that prioritizes coarse-grained representations. We propose to formalize attacks on DR models as a contrastive learning problem in a multi-view representation space. The core idea is to encourage consistency between each view representation of the target document and its corresponding viewer via view-wise supervision signals. Experimental results demonstrate that the proposed method significantly outperforms existing attack strategies in misleading DR models with small, indiscernible text perturbations.
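To make the core idea concrete, below is a minimal sketch, in PyTorch, of what a view-wise contrastive objective of this general kind might look like. This is an assumption-laden illustration, not the paper's actual method: the function and argument names (multi_view_contrastive_loss, doc_views, viewers, temperature) are hypothetical, and a standard InfoNCE-style loss is used as a stand-in for whatever view-wise supervision signals the paper defines.

```python
import torch
import torch.nn.functional as F

def multi_view_contrastive_loss(doc_views: torch.Tensor,
                                viewers: torch.Tensor,
                                temperature: float = 0.1) -> torch.Tensor:
    """Hypothetical InfoNCE-style view-wise objective.

    doc_views: (k, d) tensor holding k view representations of the
               target document.
    viewers:   (k, d) tensor holding the embedding each view should
               be made consistent with.
    """
    doc_views = F.normalize(doc_views, dim=-1)
    viewers = F.normalize(viewers, dim=-1)
    # Cosine similarity between every view and every viewer; the
    # diagonal entries are the matched (positive) pairs.
    logits = doc_views @ viewers.T / temperature
    labels = torch.arange(doc_views.size(0), device=doc_views.device)
    # Pull each view toward its own viewer and push it away from
    # the other viewers (view-wise supervision).
    return F.cross_entropy(logits, labels)
```

In an attack loop, one would perturb the target document's text so as to reduce such a loss; in the decision-based black-box setting considered here, the attacker can observe only the retrieval outcome, not model gradients or scores.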
