Skip to main content
SpringerLink
Log in
Book cover

European Conference on Information Retrieval

ECIR 2023: Advances in Information Retrieval pp 484–492Cite as

A Study on FGSM Adversarial Training for Neural Retrieval

  • Conference paper
  • First Online:

  • 1437 Accesses

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 13981))

Abstract

Neural retrieval models have acquired significant effectiveness gains over the last few years compared to term-based methods. Nevertheless, those models may be brittle when faced to typos, distribution shifts or vulnerable to malicious attacks. For instance, several recent papers demonstrated that such variations severely impacted models performances, and then tried to train more resilient models. Usual approaches include synonyms replacements or typos injections – as data-augmentation – and the use of more robust tokenizers (characterBERT, BPE-dropout). To further complement the literature, we investigate in this paper adversarial training as another possible solution to this robustness issue. Our comparison includes the two main families of BERT-based neural retrievers, i.e. dense and sparse, with and without distillation techniques. We then demonstrate that one of the most simple adversarial training techniques – the Fast Gradient Sign Method (FGSM) – can improve first stage rankers robustness and effectiveness. In particular, FGSM increases models performances on both in-domain and out-of-domain distributions, and also on queries with typos, for multiple neural retrievers.

This is a preview of subscription content, log in via an institution.

Chapter
USD   29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD   79.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD   99.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Learn about institutional subscriptions

Notes

  1. 1.

    Note that FGSM-AT can be applied on any loss, and thus generalizes to the margin-MSE loss for the case of distillation [7].

  2. 2.

    https://huggingface.co/datasets/sentence-transformers/msmarco-hard-negatives.

  3. 3.

    Having FLOPS values around 1.0 is a common practice with SPLADE to have a good efficiency-effectiveness trade-off.

References

  1. Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: circumventing defenses to adversarial examples (2018). https://doi.org/10.48550/ARXIV.1802.00420. https://arxiv.org/abs/1802.00420

  2. Bajaj, P., et al.: MS MARCO: a human generated machine reading comprehension dataset (2018)

    Google Scholar 

  3. Carlini, N., Terzis, A.: Poisoning and backdooring contrastive learning (2021). https://doi.org/10.48550/ARXIV.2106.09667. https://arxiv.org/abs/2106.09667

  4. Formal, T., Lassance, C., Piwowarski, B., Clinchant, S.: SPLADE v2: sparse lexical and expansion model for information retrieval (2021). https://doi.org/10.48550/ARXIV.2109.10086. https://arxiv.org/abs/2109.10086

  5. Formal, T., Lassance, C., Piwowarski, B., Clinchant, S.: From distillation to hard negative sampling: making sparse neural IR models more effective (2022). https://doi.org/10.48550/ARXIV.2205.04733. https://arxiv.org/abs/2205.04733

  6. Goodfellow, I.J., Shlens, J., Szegedy, C.: Explaining and harnessing adversarial examples (2015)

    Google Scholar 

  7. Hofstätter, S., Althammer, S., Schröder, M., Sertkan, M., Hanbury, A.: Improving efficient neural ranking models with cross-architecture knowledge distillation (2020). https://doi.org/10.48550/ARXIV.2010.02666. https://arxiv.org/abs/2010.02666

  8. Karpukhin, V., et al.: Dense passage retrieval for open-domain question answering (2020)

    Google Scholar 

  9. Li, L., Ma, R., Guo, Q., Xue, X., Qiu, X.: BERT-ATTACK: adversarial attack against BERT using BERT (2020). https://doi.org/10.48550/ARXIV.2004.09984. https://arxiv.org/abs/2004.09984

  10. Liu, J., et al.: Order-Disorder: imitation adversarial attacks for black-box neural ranking models (2022). https://doi.org/10.48550/ARXIV.2209.06506. https://arxiv.org/abs/2209.06506

  11. Ma, X., Nogueira dos Santos, C., Arnold, A.O.: Contrastive fine-tuning improves robustness for neural rankers (2021). https://doi.org/10.48550/ARXIV.2105.12932. https://arxiv.org/abs/2105.12932

  12. Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks (2017). https://doi.org/10.48550/ARXIV.1706.06083. https://arxiv.org/abs/1706.06083

  13. van den Oord, A., Li, Y., Vinyals, O.: Representation learning with contrastive predictive coding (2018). https://doi.org/10.48550/ARXIV.1807.03748. https://arxiv.org/abs/1807.03748

  14. Orvieto, A., Kersting, H., Proske, F., Bach, F., Lucchi, A.: Anticorrelated noise injection for improved generalization (2022). https://doi.org/10.48550/ARXIV.2202.02831. https://arxiv.org/abs/2202.02831

  15. Penha, G., Câmara, A., Hauff, C.: Evaluating the robustness of retrieval pipelines with query variation generators (2021). https://doi.org/10.48550/ARXIV.2111.13057. https://arxiv.org/abs/2111.13057

  16. Reimers, N., Gurevych, I.: Sentence-BERT: sentence embeddings using Siamese BERT-networks (2019). https://doi.org/10.48550/ARXIV.1908.10084. https://arxiv.org/abs/1908.10084

  17. Robertson, S.: The probabilistic relevance framework: BM25 and beyond. Found. Trends® Inf. Retrieval 3(4), 333–389 (2009). http://scholar.google.de/scholar.bib?q=info:U4l9kCVIssAJ:scholar.google.com/ &output=citation &hl=de &as_sdt=2000 &as_vis=1 &ct=citation &cd=1

  18. Santhanam, K., Khattab, O., Saad-Falcon, J., Potts, C., Zaharia, M.: ColBERTv2: effective and efficient retrieval via lightweight late interaction (2021). https://doi.org/10.48550/ARXIV.2112.01488. https://arxiv.org/abs/2112.01488

  19. Sidiropoulos, G., Kanoulas, E.: Analysing the robustness of dual encoders for dense retrieval against misspellings. In: Proceedings of the 45th International ACM SIGIR Conference on Research and Development in Information Retrieval. ACM, July 2022. https://doi.org/10.1145/3477495.3531818

  20. Thakur, N., Reimers, N., Rücklé, A., Srivastava, A., Gurevych, I.: BEIR: a heterogenous benchmark for zero-shot evaluation of information retrieval models (2021). https://doi.org/10.48550/ARXIV.2104.08663. https://arxiv.org/abs/2104.08663

  21. Wang, Y., Lyu, L., Anand, A.: BERT rankers are brittle: a study using adversarial document perturbations (2022). https://doi.org/10.48550/ARXIV.2206.11724. https://arxiv.org/abs/2206.11724

  22. Wu, C., et al.: Certified robustness to word substitution ranking attack for neural ranking models (2022)

    Google Scholar 

  23. Wu, C., Zhang, R., Guo, J., de Rijke, M., Fan, Y., Cheng, X.: PRADA: practical black-box adversarial attacks against neural ranking models (2022). https://doi.org/10.48550/ARXIV.2204.01321. https://arxiv.org/abs/2204.01321

  24. Zhuang, S., Zuccon, G.: Dealing with typos for BERT-based passage retrieval and ranking (2021). https://doi.org/10.48550/ARXIV.2108.12139. https://arxiv.org/abs/2108.12139

  25. Zhuang, S., Zuccon, G.: CharacterBERT and self-teaching for improving the robustness of dense retrievers on queries with typos. In: Proceedings of the 45th International ACM SIGIR Conference on Research and Development in Information Retrieval. ACM, July 2022. https://doi.org/10.1145/3477495.3531951

Download references

Author information

Authors and Affiliations

  1. Naver Labs Europe, Meylan, France

    Simon Lupart & Stéphane Clinchant

Authors
  1. Simon Lupart
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Stéphane Clinchant
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Simon Lupart .

Editor information

Editors and Affiliations

  1. University of Amsterdam, Amsterdam, The Netherlands

    Jaap Kamps

  2. Université Grenoble-Alpes, Saint-Martin-d’Hères, France

    Lorraine Goeuriot

  3. Università della Svizzera Italiana, Lugano, Switzerland

    Fabio Crestani

  4. University of Copenhagen, Copenhagen, Denmark

    Maria Maistro

  5. University of Tsukuba, Ibaraki, Japan

    Hideo Joho

  6. Dublin City University, Dublin, Ireland

    Brian Davis

  7. Dublin City University, Dublin, Ireland

    Cathal Gurrin

  8. Universität Regensburg, Regensburg, Germany

    Udo Kruschwitz

  9. Dublin City University, Dublin, Ireland

    Annalina Caputo

Rights and permissions

Reprints and permissions

Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Lupart, S., Clinchant, S. (2023). A Study on FGSM Adversarial Training for Neural Retrieval. In: Kamps, J., et al. Advances in Information Retrieval. ECIR 2023. Lecture Notes in Computer Science, vol 13981. Springer, Cham. https://doi.org/10.1007/978-3-031-28238-6_39

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-28238-6_39

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-28237-9

  • Online ISBN: 978-3-031-28238-6

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation