Pre-trained programming language (PL) models (such as CodeT5, CodeBERT, GraphCodeBERT, etc.,) have the potential to automate software engineering tasks involving code understanding and code generation. However, these models operate in the natural channel of code, i.e., they are primarily concerned with the human understanding of the code. They are not robust to changes in the input and thus, are potentially susceptible to adversarial attacks in the natural channel. We propose, CodeAttack, a simple yet effective black-box attack model that uses code structure to generate effective, efficient, and imperceptible adversarial code samples and demonstrates the vulnerabilities of the state-of-the-art PL models to code-specific adversarial attacks. We evaluate the transferability of CodeAttack on several code-code (translation and repair) and code-NL (summarization) tasks across different programming languages. CodeAttack outperforms state-of-the-art adversarial NLP attack models to achieve the best overall drop in performance while being more efficient, imperceptible, consistent, and fluent. The code can be found at https://github.com/reddy-lab-code-research/CodeAttack.

Robustness evaluation against adversarial examples has become increasingly important to unveil the trustworthiness of the prevailing deep models in natural language processing (NLP). However, in contrast to the computer vision domain where the first-order projected gradient descent (PGD) is used as the benchmark approach to generate adversarial examples for robustness evaluation, there lacks a principled first-order gradient-based robustness evaluation framework in NLP. The emerging optimization challenges lie in 1) the discrete nature of textual inputs together with the strong coupling between the perturbation location and the actual content, and 2) the additional constraint that the perturbed text should be fluent and achieve a low perplexity under a language model. These challenges make the development of PGD-like NLP attacks difficult. To bridge the gap, we propose TextGrad, a new attack generator using gradient-driven optimization, supporting high-accuracy and high-quality assessment of adversarial robustness in NLP. Specifically, we address the aforementioned challenges in a unified optimization framework. And we develop an effective convex relaxation method to co-optimize the continuously-relaxed site selection and perturbation variables and leverage an effective sampling method to establish an accurate mapping from the continuous optimization variables to the discrete textual perturbations. Moreover, as a first-order attack generation method, TextGrad can be baked into adversarial training to further improve the robustness of NLP models. Extensive experiments are provided to demonstrate the effectiveness of TextGrad not only in attack generation for robustness evaluation but also in adversarial defense.

尽管在许多机器学习任务方面取得了巨大成功，但深度神经网络仍然易于对抗对抗样本。虽然基于梯度的对抗攻击方法在计算机视野领域探索，但由于文本的离散性质，直接应用于自然语言处理中，这是不切实际的。为了弥合这一差距，我们提出了一般框架，以适应现有的基于梯度的方法来制作文本对抗性样本。在该框架中，将基于梯度的连续扰动添加到嵌入层中，并在前向传播过程中被放大。然后用掩模语言模型头解码最终的扰动潜在表示以获得潜在的对抗性样本。在本文中，我们将我们的框架与\ textbf {t} Extual \ TextBF {P} ROJECTED \ TextBF {G} Radient \ TextBF {D} excent（\ TextBF {TPGD}）进行ronject \ textbf {p}。我们通过在三个基准数据集上执行转移黑匣子攻击来评估我们的框架来评估我们的框架。实验结果表明，与强基线方法相比，我们的方法达到了更好的性能，并产生更精细和语法的对抗性样本。所有代码和数据都将公开。

基于预先训练的语言模型（PRLMS）在源代码理解任务中取得的巨大成功，当前的文献研究要么进一步改善PRLM的性能（概括）或对对抗性攻击的鲁棒性。但是，他们必须在这两个方面之间的权衡方面妥协，而且它们都没有考虑以有效和实用的方式改善双方。为了填补这一空白，我们建议使用语义保护对抗代码嵌入（空间），以找到最坏的传播语义保留攻击，同时迫使模型在这些最坏情况下预测正确的标签。实验和分析表明，在提高PRLMS代码的性能的同时，空间可以保持强大的防御性攻击。

Machine learning algorithms are often vulnerable to adversarial examples that have imperceptible alterations from the original counterparts but can fool the state-of-the-art models. It is helpful to evaluate or even improve the robustness of these models by exposing the maliciously crafted adversarial examples. In this paper, we present TEXTFOOLER, a simple but strong baseline to generate adversarial text. By applying it to two fundamental natural language tasks, text classification and textual entailment, we successfully attacked three target models, including the powerful pre-trained BERT, and the widely used convolutional and recurrent neural networks. We demonstrate three advantages of this framework:(1) effective-it outperforms previous attacks by success rate and perturbation rate, (2) utility-preserving-it preserves semantic content, grammaticality, and correct types classified by humans, and (3) efficient-it generates adversarial text with computational complexity linear to the text length. 1

文本对抗攻击暴露了文本分类器的漏洞，可用于改善其稳健性。现有的上下文感知方法仅考虑黄金标签的概率，并在搜索攻击路径时使用贪婪的搜索，通常会限制攻击效率。为了解决这些问题，我们提出了PDB，这是一种使用概率差的引导光束搜索的上下文感知的文本对抗攻击模型。概率差异是所有类标签概率的总体考虑，PDB使用它来指导攻击路径的选择。此外，PDBS使用Beam搜索找到成功的攻击路径，从而避免搜索空间有限。广泛的实验和人类评估表明，PDB在一系列评估指标中的表现优于以前的最佳模型，尤其是提高 +19.5％的攻击成功率。消融研究和定性分析进一步证实了PDB的效率。

We present CodeBERT, a bimodal pre-trained model for programming language (PL) and natural language (NL). CodeBERT learns general-purpose representations that support downstream NL-PL applications such as natural language code search, code documentation generation, etc. We develop Code-BERT with Transformer-based neural architecture, and train it with a hybrid objective function that incorporates the pre-training task of replaced token detection, which is to detect plausible alternatives sampled from generators. This enables us to utilize both "bimodal" data of NL-PL pairs and "unimodal" data, where the former provides input tokens for model training while the latter helps to learn better generators. We evaluate CodeBERT on two NL-PL applications by fine-tuning model parameters. Results show that CodeBERT achieves state-of-the-art performance on both natural language code search and code documentation generation. Furthermore, to investigate what type of knowledge is learned in CodeBERT, we construct a dataset for NL-PL probing, and evaluate in a zero-shot setting where parameters of pre-trained models are fixed. Results show that CodeBERT performs better than previous pre-trained models on NL-PL probing. 1

最近的研究表明，预训练的语言模型（LMS）容易受到文本对抗性攻击的影响。但是，现有的攻击方法要么遭受低攻击成功率，要么无法在指数级的扰动空间中有效搜索。我们提出了一个有效有效的框架Semattack，以通过构建不同的语义扰动函数来生成自然的对抗文本。特别是，Semattack优化了对通用语义空间约束的生成的扰动，包括错字空间，知识空间（例如WordNet），上下文化的语义空间（例如，BERT群集的嵌入空间）或这些空间的组合。因此，生成的对抗文本在语义上更接近原始输入。广泛的实验表明，最新的（SOTA）大规模LMS（例如Deberta-V2）和国防策略（例如Freelb）仍然容易受到Semattack的影响。我们进一步证明，Semattack是一般的，并且能够为具有较高攻击成功率的不同语言（例如英语和中文）生成自然的对抗文本。人类评估还证实，我们产生的对抗文本是自然的，几乎不会影响人类的表现。我们的代码可在https://github.com/ai-secure/semattack上公开获取。

关于NLP模型的最先进攻击缺乏对成功攻击的共享定义。我们将思考从过去的工作蒸馏成统一的框架：一个成功的自然语言对抗性示例是欺骗模型并遵循一些语言限制的扰动。然后，我们分析了两个最先进的同义词替换攻击的产出。我们发现他们的扰动通常不会保留语义，38％引入语法错误。人类调查显示，为了成功保留语义，我们需要大大增加交换词语的嵌入和原始和扰动句子的句子编码之间的最小余弦相似之处。与更好的保留语义和语法性，攻击成功率下降超过70个百分点。

Recently it has been shown that state-of-the-art NLP models are vulnerable to adversarial attacks, where the predictions of a model can be drastically altered by slight modifications to the input (such as synonym substitutions). While several defense techniques have been proposed, and adapted, to the discrete nature of text adversarial attacks, the benefits of general-purpose regularization methods such as label smoothing for language models, have not been studied. In this paper, we study the adversarial robustness provided by various label smoothing strategies in foundational models for diverse NLP tasks in both in-domain and out-of-domain settings. Our experiments show that label smoothing significantly improves adversarial robustness in pre-trained models like BERT, against various popular attacks. We also analyze the relationship between prediction confidence and robustness, showing that label smoothing reduces over-confident errors on adversarial examples.

神经文本排名模型已经见证了显着的进步，并越来越多地在实践中部署。不幸的是，它们还继承了一般神经模型的对抗性脆弱性，这些神经模型已被检测到，但仍未被先前的研究所忽视。此外，Blackhat SEO可能会利用继承的对抗性漏洞来击败受保护的搜索引擎。在这项研究中，我们提出了对黑盒神经通道排名模型的模仿对抗攻击。我们首先表明，可以通过列举关键查询/候选者，然后训练排名模仿模型来透明和模仿目标段落排名模型。利用排名模仿模型，我们可以精心操纵排名结果并将操纵攻击转移到目标排名模型。为此，我们提出了一种由成对目标函数授权的基于创新的基于梯度的攻击方法，以产生对抗性触发器，该触发器会导致有预谋的混乱，而具有很少的令牌。为了配备触发器的伪装，我们将下一个句子预测损失和语言模型流利度限制添加到目标函数中。对通过排名的实验结果证明了对各种SOTA神经排名模型的排名模仿攻击模型和对抗触发器的有效性。此外，各种缓解分析和人类评估表明，在面对潜在的缓解方法时，伪装的有效性。为了激励其他学者进一步研究这一新颖和重要的问题，我们将实验数据和代码公开可用。

离散对手攻击是对保留输出标签的语言输入的象征性扰动，但导致预测误差。虽然这种攻击已经广泛探索了评估模型稳健性的目的，但他们的改善稳健性的效用仅限于离线增强。具体地，给定训练有素的模型，攻击用于产生扰动（对抗性）示例，并且模型重新培训一次。在这项工作中，我们解决了这个差距并利用了在线增强的离散攻击，在每个训练步骤中产生了对抗的例子，适应模型的变化性质。我们提出（i）基于最佳搜索的新的离散攻击，以及（ii）与现有工作不同的随机采样攻击不是基于昂贵的搜索过程。令人惊讶的是，我们发现随机抽样导致鲁棒性的令人印象深刻，优于普通使用的离线增强，同时导致训练时间〜10x的加速。此外，在线增强基于搜索的攻击证明了更高的培训成本，显着提高了三个数据集的鲁棒性。最后，我们表明我们的新攻击与先前的方法相比，我们的新攻击显着提高了鲁棒性。

现在，错误和虚假信息已成为我们安全和安全的全球威胁。为了应对在线错误信息的规模，一个可行的解决方案是通过检索和验证相关证据来自动对索赔进行事实检查。尽管在推动自动事实验证方面取得了最新进展，但仍缺乏对可能针对此类系统的攻击向量的全面评估。特别是，自动化事实验证过程可能容易受到其试图打击的确切虚假信息。在这项工作中，我们假设一个对手可以自动使用在线证据擦洗，以通过伪装相关证据或种植误导性的证据来破坏事实检查模型。我们首先提出了探索性分类法，该分类法涵盖了这两个目标和不同的威胁模型维度。在此指导下，我们设计并提出了几种潜在的攻击方法。我们表明，除了产生多样化和索赔一致的证据之外，还可以在证据中巧妙地修改索赔空位段。结果，我们在分类法的许多不同排列中高度降低了事实检查的表现。这些攻击也对索赔后的事后修改也很强大。我们的分析进一步暗示了在面对矛盾的证据时，模型推断的潜在局限性。我们强调，这些攻击可能会对此类模型的可检查和人类使用情况产生有害的影响，我们通过讨论未来防御的挑战和方向来得出结论。

深度变压器神经网络模型在生物医学域中提高了智能文本处理系统的预测精度。他们在各种各样的生物医学和临床自然语言处理（NLP）基准上获得了最先进的性能分数。然而，到目前为止，这些模型的稳健性和可靠性较小。神经NLP模型可以很容易地被对抗动物样本所欺骗，即输入的次要变化，以保留文本的含义和可理解性，而是强制NLP系统做出错误的决策。这提出了对生物医学NLP系统的安全和信任的严重担忧，特别是当他们旨在部署在现实世界用例中时。我们调查了多种变压器神经语言模型的强大，即Biobert，Scibert，Biomed-Roberta和Bio-Clinicalbert，在各种生物医学和临床文本处理任务中。我们实施了各种对抗的攻击方法来测试不同攻击方案中的NLP系统。实验结果表明，生物医学NLP模型对对抗性样品敏感;它们的性能平均分别平均下降21％和18.9个字符级和字级对抗噪声的绝对百分比。进行广泛的对抗训练实验，我们在清洁样品和对抗性投入的混合物上进行了微调NLP模型。结果表明，对抗性训练是对抗对抗噪声的有效防御机制;模型的稳健性平均提高11.3绝对百分比。此外，清洁数据的模型性能平均增加2.4个绝对存在，表明对抗性训练可以提高生物医学NLP系统的概括能力。

现在，基于BERT的上下文排名模型已在各种段落和文档排名任务中已建立。但是，在对抗输入下基于BERT的排名模型的鲁棒性不足。在本文中，我们认为，伯特级居民对针对检索文件的对抗性攻击并不免疫。首先，我们提出了使用基于梯度的优化方法对高度相关和非相关文档的对抗扰动算法。我们的算法的目的是将少量令牌添加到高度相关或非相关的文档中，以引起大量降级或晋升。我们的实验表明，少数令牌已经可以导致文档等级发生很大变化。此外，我们发现伯特级速率在很大程度上依靠文档开始/头来进行相关性预测，从而使文档的初始部分更容易受到对抗攻击的影响。更有趣的是，我们发现一小部分反复出现的对抗性词，将这些单词添加到文档中后，这些单词分别导致任何相关/非相关/非相关文件的成功级别降级/促进。最后，我们的对抗令牌还显示了数据集内部和跨数据集内的特定主题偏好，从而暴露了BERT预训练或下游数据集中的潜在偏见。

We integrate contrastive learning (CL) with adversarial learning to co-optimize the robustness and accuracy of code models. Different from existing works, we show that code obfuscation, a standard code transformation operation, provides novel means to generate complementary `views' of a code that enable us to achieve both robust and accurate code models. To the best of our knowledge, this is the first systematic study to explore and exploit the robustness and accuracy benefits of (multi-view) code obfuscations in code models. Specifically, we first adopt adversarial codes as robustness-promoting views in CL at the self-supervised pre-training phase. This yields improved robustness and transferability for downstream tasks. Next, at the supervised fine-tuning stage, we show that adversarial training with a proper temporally-staggered schedule of adversarial code generation can further improve robustness and accuracy of the pre-trained code model. Built on the above two modules, we develop CLAWSAT, a novel self-supervised learning (SSL) framework for code by integrating $\underline{\textrm{CL}}$ with $\underline{\textrm{a}}$dversarial vie$\underline{\textrm{w}}$s (CLAW) with $\underline{\textrm{s}}$taggered $\underline{\textrm{a}}$dversarial $\underline{\textrm{t}}$raining (SAT). On evaluating three downstream tasks across Python and Java, we show that CLAWSAT consistently yields the best robustness and accuracy ($\textit{e.g.}$ 11$\%$ in robustness and 6$\%$ in accuracy on the code summarization task in Python). We additionally demonstrate the effectiveness of adversarial learning in CLAW by analyzing the characteristics of the loss landscape and interpretability of the pre-trained models.

几年的研究表明，在理论和实践中，机器学习系统容易受到对抗的例子。到目前为止，这种攻击主要有针对性的视觉模型，利用人类和机器感知之间的差距。虽然基于文本的模型也被对抗例子遭到攻击，但这种攻击努力保持语义意义和无法区分。在本文中，我们探讨了大类的对抗示例，可用于在黑盒设置中攻击基于文本的模型，而不会对输入进行任何人类可知的视觉修改。我们使用对人眼不可察觉的编码特异性扰动来操纵从神经计算机翻译管道到网络搜索引擎的各种自然语言处理（NLP）系统的输出。我们发现，通过单一的难以察觉的编码注射 - 代表一个无形的字符，同型角色，重新排序或删除 - 攻击者可以显着降低易受伤害的模型的性能，并且三次注射大多数型号可以在功能上打破。除了由Facebook，IBM和HuggingFace发布的开源模型之外，我们攻击目前部署的商业系统这一新颖的一系列攻击对许多语言处理系统提供了重大威胁：攻击者可以以目标方式影响系统而没有任何关于底层模型的假设。我们得出结论，基于文本的NLP系统需要仔细的输入消毒，就像传统应用程序一样，并且考虑到这样的系统现在正在迅速地部署，需要建筑师和运营商的紧急注意。

Code generation models have achieved impressive performance. However, they tend to be brittle as slight edits to a prompt could lead to very different generations; these robustness properties, critical for user experience when deployed in real-life applications, are not well understood. Most existing works on robustness in text or code tasks have focused on classification, while robustness in generation tasks is an uncharted area and to date there is no comprehensive benchmark for robustness in code generation. In this paper, we propose ReCode, a comprehensive robustness evaluation benchmark for code generation models. We customize over 30 transformations specifically for code on docstrings, function and variable names, code syntax, and code format. They are carefully designed to be natural in real-life coding practice, preserve the original semantic meaning, and thus provide multifaceted assessments of a model's robustness performance. With human annotators, we verified that over 90% of the perturbed prompts do not alter the semantic meaning of the original prompt. In addition, we define robustness metrics for code generation models considering the worst-case behavior under each type of perturbation, taking advantage of the fact that executing the generated code can serve as objective evaluation. We demonstrate ReCode on SOTA models using HumanEval, MBPP, as well as function completion tasks derived from them. Interesting observations include: better robustness for CodeGen over InCoder and GPT-J; models are most sensitive to syntax perturbations; more challenging robustness evaluation on MBPP over HumanEval.

As the complexity of modern software continues to escalate, software engineering has become an increasingly daunting and error-prone endeavor. In recent years, the field of Neural Code Intelligence (NCI) has emerged as a promising solution, leveraging the power of deep learning techniques to tackle analytical tasks on source code with the goal of improving programming efficiency and minimizing human errors within the software industry. Pretrained language models have become a dominant force in NCI research, consistently delivering state-of-the-art results across a wide range of tasks, including code summarization, generation, and translation. In this paper, we present a comprehensive survey of the NCI domain, including a thorough review of pretraining techniques, tasks, datasets, and model architectures. We hope this paper will serve as a bridge between the natural language and programming language communities, offering insights for future research in this rapidly evolving field.

在过去几年中，已经提出了各种文字攻击方法来揭示自然语言处理中使用的深度神经网络的脆弱性。通常，这些方法涉及一个重要的优化步骤，以确定原始输入中的每个单词使用的替代。然而，从对问题理解和解决问题的角度来看，对这一步骤的目前的研究仍然是有限的。在本文中，我们通过揭示问题的理论属性并提出有效的本地搜索算法（LS）来解决这些问题来解决这些问题。我们建立了一个关于解决问题的第一个可提供的近似保证。涉及5个NLP任务，8个数据集和26个NLP模型的扩展实验表明，LS可能大大降低了Qualies数量，以实现高攻击成功率。进一步的实验表明，LS制造的对抗例通常具有更高的质量，表现出更好的可转移性，并且可以通过对抗培训为受害者模型带来更高的鲁棒性改善。