<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Archiving and Interchange DTD v1.0 20120330//EN" "JATS-archivearticle1.dtd">
<article xmlns:xlink="http://www.w3.org/1999/xlink">
  <front>
    <journal-meta />
    <article-meta>
      <title-group>
        <article-title>Adversarial Attacks on Tables with Entity Swap</article-title>
      </title-group>
      <contrib-group>
        <contrib contrib-type="author">
          <string-name>Aneta Koleva</string-name>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Martin Ringsquandl</string-name>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Volker Tresp</string-name>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <aff id="aff0">
          <label>0</label>
          <institution>Ludwig Maximilian University of Munich</institution>
        </aff>
      </contrib-group>
      <abstract>
        <p>The capabilities of large language models (LLMs) have been successfully applied in the context of table representation learning. The recently proposed tabular language models (TaLMs) have reported state-of-the-art results across various tasks for table interpretation. However, a closer look into the datasets commonly used for evaluation reveals an entity leakage from the train set into the test set. Motivated by this observation, we explore adversarial attacks that represent a more realistic inference setup. Adversarial attacks on text have been shown to greatly afect the performance of LLMs, but currently, there are no attacks targeting TaLMs. In this paper, we propose an evasive entity-swap attack for the column type annotation (CTA) task. Our CTA attack is the first black-box attack on tables, where we employ a similarity-based sampling strategy to generate adversarial examples. The experimental results show that the proposed attack generates up to a 70% drop in performance.</p>
      </abstract>
      <kwd-group>
        <kwd>eol&gt;Column Type Annotation</kwd>
        <kwd>Adversarial Attack</kwd>
        <kwd>Table Representation Learning</kwd>
      </kwd-group>
    </article-meta>
  </front>
  <body>
    <sec id="sec-1">
      <title>-</title>
      <p>1. Introduction
type
people.person
location.location
sports.pro_athlete
organization.organization
sports.sports_team
total
47852
34073
17588
9904
8207
overlap
29215
21327
10948
7122
6640
%
61.0
62.6
62.2
71.9
80.9
Following the advancements of large language models
(LLMs) in NLP, tabular language models (TaLMs) have
emerged as state-of-the-art approaches to solve table
interpretation (TI) tasks, such as table-to-class annotation
[1], entity linking [2], and column type annotation (CTA) Table 1
[3, 4, 5]. Similar to other deep neural networks, LLMs are Overlap of entities per type in the WikiTables dataset.
sensitive to small input perturbation, which as
adversarial examples can further be optimized to be imperceptible
to humans [6]. Several works have studied adversarial tities between the train and test set in the WikiTables
attacks on LLMs, and it is becoming an increasingly im- dataset for the top 5 classes. The last 15 types in this
portant topic as LLMs are vastly being integrated into dataset have 100 overlap among entities.
applications [7]. For the table modality, so far, sensitivity In Figure 1, both of the first two tables have a column
to perturbations has not been investigated in TaLMs for named Player which contains the exact same set of
enTI tasks. Hence, it is unclear which perturbation oper- tities, and is annotated with the same semantic types
ations should be considered when attacking tables and Athlete and Person. The third table shows an example of
how to make them imperceptible. an adversarial table with an entity swap. In this table,</p>
      <p>Using CTA as an example task, we phrase the novel the entities of the column Player are swapped with new,
problem of generating adversarial examples in entity unseen entities of the same semantic type.
tables. The existing models already report very high In the evaluation, we gradually increase the percentage
F1 scores on this task, and it is hard to judge by the of entities that we swap in the targeted columns, ranging
performance of the model, how well it can generalize from 20 % up to 100 % percent of the number of entities
to unseen novel entities. In this direction, we design in the column. For choosing the adversarial entities, we
an evasive entity-swap attack that is motivated by a propose a similarity-based strategy and compare it to
problem we observed. Namely, in two datasets commonly sampling at random. Our evaluation demonstrates that
used for evaluation of the CTA task, WikiTables [3] and swapping entities with the most dissimilar entity of the
VizNet [4], there is a data leakage from entities from the same type results in a substantial drop in performance
training set into the test set. (6% drop when replacing 20% of the entities per column</p>
      <p>In Table 1 we show the percentage of overlapped en- up to 70% drop when replacing all of the entities).</p>
    </sec>
    <sec id="sec-2">
      <title>With the growing popularity of LLMs, the concern over their vulnerability to adversarial attacks also increased.</title>
      <p>A survey by Zhang et al. [8] presents a comprehensive ℎ ∶  ×  →−  ( ) , i.e., given a table  ∈  and a
overview of attacks against text, highlighting the chal- column index  ∈  the CTA task is to assign a subset
lenges that arise when attacking discrete data such as of classes from the power set of  to the corresponding
text, compared to continuous data such as images. BERT- column  [∶,] .</p>
      <p>Attack [6] proposes an adversarial attack against the
BERT model [9] using the model itself to generate the CTA Attack Given classification model ℎ, the goal of
adversarial samples. A recent gradient-based text attack a CTA attack is to transform a (correctly classified) test
[10] presents a white-box attack which uses a parameter- input ( , ) ∈  ×  into an (untargeted) adversarial
samized adversarial distribution for sampling the adversarial ple ( ′, ) such that ℎ( , ) ⋂ ℎ( ′, ) = ∅ . In addition
samples. However, despite the popularity of adversarial to fooling the classification model, the transformation
attacks on text, the field of tabular data remains unex- from  to  ′ should also be imperceptible for a human
plored for potential vulnerabilities to such attacks. observer. In the CTA setting we define the
impercepti</p>
      <p>The few works that have been proposed so far, [11, bly condition to be met if all entities in column  [′∶,] are
12, 13], focus on white-box attacks and target traditional of the same class as the unmodified column. Formally,
machine learning models trained on tabular data. The ∀ ′ ∈  [′∶,] ∀ ∈  [∶,] ∶ ( ′) = () , where  ∈ 
repremain goal of these attacks is when generating adversarial sents the most specific class assigned to the column  [∶,] .
examples to preserve the distributional consistency of
the features of the data. In these works, the datasets used
for evaluation usually contain many numerical values, 3.1. Entity Swap Attack
such as financial data or healthcare analytics data. In principle, a CTA attack can apply transformations to</p>
      <p>The goal of our work is to define table attacks against the full table  ; however, most importantly, it should
TaLMs which are used for TI tasks. To the best of our focus on  [∶,] . Our attack, called entity-swap, follows
knowledge, we present the first work on adversarial at- a two-step approach inspired by adversarial attacks on
tacks targeting these models. Our research diferentiates LLMs [6, 14]. First, it picks a set of key entities {  ∈
from the prior work w.r.t (1) the model observed, (2) the  [∶,] }. The number of key entities can be controlled as
technique employed for generating adversarial samples, a percentage  of the entities in the original column.
and (3) the evaluation task. In a second step, every key entity   is swapped with
an adversarial entity   =  ′ that most likely changes
3. CTA Adversarial Attack the predicted class from the ground truth. The proposed
attack is a black-box attack, meaning we only have access
to the predictions scores of the classifier.</p>
      <p>We define a table as a tuple  = (,  ) , where  =
{ 1,1,  1,2, … ,  , , … ,  , } is the set of table body entities
for  rows and  columns. The table header  =
{ℎ1, ℎ2, … , ℎ } is the set of corresponding  column
header cells. We use  [,∶] to refer to the  -th row, e.g.,
 =  [0,∶] and  [∶,] = {ℎ ,  1, , … ,  , } to refer to the 
th column of  .</p>
    </sec>
    <sec id="sec-3">
      <title>CTA Model Let  be the input space of tables and let</title>
      <p>be the space of all possible column indices, i.e.,  ⊆ ℕ .
Let  be the output space, denoting the set of semantic
types. A CTA model is a multilabel classification function</p>
      <sec id="sec-3-1">
        <title>3.2. Key Entities</title>
      </sec>
    </sec>
    <sec id="sec-4">
      <title>Finding which are the key entities to swap can increase</title>
      <p>the rate of success of the attack. In the case of the CTA
task, the most informative entities are those which, when
replaced, the model will misclassify the column. To find
those entities, we calculate an importance score for every
entity in the attacked column.</p>
      <p>The output from the classification model ℎ for a column
 [∶,] is the logit vector oh( , ) ∈ ℝ  , where  is the
number of ground-truth classes assigned to ( , ) . We
calculate the importance score for entity   ∈  [∶,] as the</p>
      <p>Therefore, we propose two diferent sampling sets for
adversarial entities. The first, is the set of entities per
class from the WikiTables test dataset [3]; we refer to
this set as test set. The second set contains only novel
entities, i.e., entities that also appear in the training set,
are removed from the test set. We refer to this set as the
 (
 ) = (
oh − oh\ei)
(1) filtered set .</p>
      <sec id="sec-4-1">
        <title>3.3. Adversarial Entities</title>
      </sec>
    </sec>
    <sec id="sec-5">
      <title>After identifying the key entities, the next step involves</title>
      <p>sampling adversarial entities for swapping. In order to
adhere to the perceptibility assumption, we constrain the
search space to include only entities belonging to the
same class as the attacked column. Subsequently, we use</p>
      <p>Let   ∈  [∶,] be the key entity from the attacked
column, and let  ∈</p>
      <p>be the most specific class of this
column. We use an embedding model to generate a
contextualized representation for both the original entity,
such that (  ) = ( ′</p>
      <p>) where  ′ ∈   . Next, we
calculate the cosine similarity between the original entity and
entity  ′.
ple, we take the most dissimilar entity from the original
entity, such that  ′ = argmax ′CosineSimilarity(ei, e′k).

We then swap the original entity   with the adversarial
Metadata Attack In addition to the proposed attack
method for column values, we also introduce an attack
specifically targeting column headers, considering that
they often indicate the class of a column. However, in this
case, we use an independent embedding model to identify
similar entities instead of swapping with column names
from the same class. For the generation of adversarial
samples in the column headers, we first generate
embeddings for the original column names and then substitute
the column names with their synonyms. The library
TextAttack [14] was used to generate the embeddings, and
based on the embeddings to retrieve the synonyms for
the column names.</p>
      <sec id="sec-5-1">
        <title>4. Evaluation</title>
        <p>Model</p>
      </sec>
    </sec>
    <sec id="sec-6">
      <title>We evaluate the performance of the CTA attack</title>
      <p>on the TURL model [3], which has been fine-tuned for
the WikiTables dataset for evaluation. We follow their
evaluation procedure and report the achieved F1 score,
precision, and recall.</p>
    </sec>
    <sec id="sec-7">
      <title>To evaluate the influence of the proposed strategy for sampling of adversarial entities. Similarly, to evaluate the influence of the importance scores, we compare with</title>
      <sec id="sec-7-1">
        <title>4.1. Results</title>
        <p>Table 2 shows the results of the CTA attack when
swapping entities by their importance scores and sampling
a similarity-based strategy to sample adversarial entities. the CTA task and uses only entity mentions. We use
ei, and all entities of the same class   = {e′1, e′2, … , e′k}, sampling adversarial samples, we compare it to a random
each entity from the set   . As an adversarial exam- random sampling when choosing which entities to swap.
adversarial entities using the similarity-based strategy
from the filtered set. We notice that as we increase the
percentage of swapped entities, the performance of the
model drops, even though the perturbed entities are of
the same semantic type as the original entities. Another
observation is that the drop in the F1 score is attributed
to the sharp decline of the recall.</p>
        <p>Efect of the importance score Figure 3 shows the
benefit of using the importance scores. We notice that
the drop in F1 score is around 3% higher when using the
importance scores. This is consistent, regardless if we are
substituting 20% or 80% of the entities, which suggests
that the importance scores consistently identify entities
that have a greater influence on the model’s performance.</p>
        <p>Efect of perturbing the table metadata To
evaluate the relevance of the column header for the CTA task,
we also propose an adversarial attack specific to the TURL
model [3], which uses only the table metadata. Table 3
shows the efect of perturbing the table metadata. We
observe similar results here, as we increase the percentage
of perturbed column names, all the evaluation metrics
decline. This indicates that the model’s reliance on specific
column names, afects its ability to accurately classify
and predict the correct class.</p>
        <sec id="sec-7-1-1">
          <title>5. Conclusion</title>
          <p>Efect of the sampling strategy Figure 4 shows the In this paper, we introduce the formalization of an
adverdiference in F1 score drop when sampling adversarial en- sarial attack targeting TaLMs. Additionally, we identify
tities from the test set versus the filtered set. The original and highlight an issue concerning the evaluation of the
F1 score is represented by the red line. Additionally, here CTA task. The evaluation showed that TaLMs are
suswe illustrate the advantages of using the similarity-based ceptible to adversarial attacks. Even subtle modifications
strategy over a random-based sampling of adversarial to the entities, guided by similarity, can lead to
signifiexamples. For both cases, when sampling adversarial cant changes in the model’s predictions and subsequently
entities from the test and filtered set, the similarity-based afect the F1 score. In future, we will extend our
evaluastrategy for sampling induces sharper drop of the F1 score. tion with more sophisticated attacks, targeting also other
This suggests that this approach is successful in selecting models used for table interpretation tasks.
entities that are more likely to cause misclassifications
sarial attacks on deep-learning models in natural
language processing: A survey, ACM Trans.
In[1] A. Koleva, M. Ringsquandl, M. Joblin, V. Tresp, tell. Syst. Technol. 11 (2020) 24:1–24:41. URL: https:
Generating table vector representations, in: Pro- //doi.org/10.1145/3374217. doi:1 0 . 1 1 4 5 / 3 3 7 4 2 1 7 .
ceedings of the Workshop on Deep Learning for [9] J. Devlin, M. Chang, K. Lee, K. Toutanova, BERT:
Knowledge Graphs (DL4KG 2021) co-located with pre-training of deep bidirectional transformers for
the 20th International Semantic Web Conference language understanding, in: Proceedings of the
(ISWC 2021), Virtual Conference, online, October 2019 Conference of the North American
Chap25, 2021, volume 3034 of CEUR Workshop Proceed- ter of the Association for Computational
Linguisings, CEUR-WS.org, 2021. URL: https://ceur-ws.org/ tics: Human Language Technologies, NAACL-HLT
Vol-3034/paper7.pdf. 2019, Minneapolis, MN, USA, June 2-7, 2019,
Vol[2] V. Huynh, Y. Chabot, T. Labbé, J. Liu, R. Troncy, ume 1 (Long and Short Papers), Association for
From heuristics to language models: A journey Computational Linguistics, 2019, pp. 4171–4186.
through the universe of semantic table interpre- URL: https://doi.org/10.18653/v1/n19-1423. doi:1 0 .
tation with DAGOBAH, in: Proceedings of the 1 8 6 5 3 / v 1 / n 1 9 - 1 4 2 3 .</p>
          <p>Semantic Web Challenge on Tabular Data to Knowl- [10] C. Guo, A. Sablayrolles, H. Jégou, D. Kiela,
Gradientedge Graph Matching, SemTab 2021, co-located based adversarial attacks against text transformers,
with the 21st International Semantic Web Confer- in: Proceedings of the 2021 Conference on
Emence, ISWC 2022, Virtual conference, October 23- pirical Methods in Natural Language Processing,
27, 2022, volume 3320 of CEUR Workshop Proceed- EMNLP 2021, Virtual Event / Punta Cana,
Dominiings, CEUR-WS.org, 2022, pp. 45–58. URL: https: can Republic, 7-11 November, 2021, Association
//ceur-ws.org/Vol-3320/paper6.pdf. for Computational Linguistics, 2021, pp. 5747–5757.
[3] X. Deng, H. Sun, A. Lees, Y. Wu, C. Yu, Turl: Ta- URL: https://doi.org/10.18653/v1/2021.emnlp-main.
ble understanding through representation learning, 464. doi:1 0 . 1 8 6 5 3 / v 1 / 2 0 2 1 . e m n l p - m a i n . 4 6 4 .</p>
          <p>Proc. VLDB Endow. 14 (2020) 307–319. [11] V. Ballet, X. Renard, J. Aigrain, T. Laugel, P. Frossard,
[4] M. Hulsebos, K. Z. Hu, M. A. Bakker, E. Zgraggen, M. Detyniecki, Imperceptible adversarial attacks
A. Satyanarayan, T. Kraska, Ç. Demiralp, C. A. Hi- on tabular data, CoRR abs/1911.03274 (2019). URL:
dalgo, Sherlock: A deep learning approach to se- http://arxiv.org/abs/1911.03274. a r X i v : 1 9 1 1 . 0 3 2 7 4 .
mantic data type detection, in: Proceedings of [12] F. Cartella, O. Anunciação, Y. Funabiki, D.
Yamthe 25th ACM SIGKDD International Conference aguchi, T. Akishita, O. Elshocht, Adversarial
aton Knowledge Discovery &amp; Data Mining, KDD tacks for tabular data: Application to fraud
de2019, Anchorage, AK, USA, August 4-8, 2019, ACM, tection and imbalanced data, in: Proceedings of
2019, pp. 1500–1508. URL: https://doi.org/10.1145/ the Workshop on Artificial Intelligence Safety 2021
3292500.3330993. doi:1 0 . 1 1 4 5 / 3 2 9 2 5 0 0 . 3 3 3 0 9 9 3 . (SafeAI 2021) co-located with the Thirty-Fifth AAAI
[5] Y. Suhara, J. Li, Y. Li, D. Zhang, Ç. Demiralp, Conference on Artificial Intelligence (AAAI 2021),
C. Chen, W. Tan, Annotating columns with pre- Virtual, February 8, 2021, volume 2808 of CEUR
trained language models, in: SIGMOD ’22: In- Workshop Proceedings, CEUR-WS.org, 2021. URL:
ternational Conference on Management of Data, https://ceur-ws.org/Vol-2808/Paper_4.pdf.
Philadelphia, PA, USA, June 12 - 17, 2022, ACM, [13] Y. Mathov, E. Levy, Z. Katzir, A. Shabtai, Y. Elovici,
2022, pp. 1493–1503. URL: https://doi.org/10.1145/ Not all datasets are born equal: On
hetero3514221.3517906. doi:1 0 . 1 1 4 5 / 3 5 1 4 2 2 1 . 3 5 1 7 9 0 6 . geneous tabular data and adversarial examples,
[6] L. Li, R. Ma, Q. Guo, X. Xue, X. Qiu, BERT-ATTACK: Knowl. Based Syst. 242 (2022) 108377. URL: https://
adversarial attack against BERT using BERT, in: doi.org/10.1016/j.knosys.2022.108377. doi:1 0 . 1 0 1 6 /
Proceedings of the 2020 Conference on Empirical j . k n o s y s . 2 0 2 2 . 1 0 8 3 7 7 .</p>
          <p>Methods in Natural Language Processing, EMNLP [14] J. X. Morris, E. Lifland, J. Y. Yoo, J. Grigsby, D. Jin,
2020, Online, November 16-20, 2020, Association Y. Qi, Textattack: A framework for adversarial
atfor Computational Linguistics, 2020, pp. 6193–6202. tacks, data augmentation, and adversarial training
URL: https://doi.org/10.18653/v1/2020.emnlp-main. in NLP, in: Proceedings of the 2020 Conference on
500. doi:1 0 . 1 8 6 5 3 / v 1 / 2 0 2 0 . e m n l p - m a i n . 5 0 0 . Empirical Methods in Natural Language Processing:
[7] K. Greshake, S. Abdelnabi, S. Mishra, C. Endres, System Demonstrations, EMNLP 2020 - Demos,
OnT. Holz, M. Fritz, Not what you’ve signed up line, November 16-20, 2020, Association for
Compufor: Compromising real-world llm-integrated ap- tational Linguistics, 2020, pp. 119–126. URL: https:
plications with indirect prompt injection, 2023. //doi.org/10.18653/v1/2020.emnlp-demos.16. doi:1 0 .
a r X i v : 2 3 0 2 . 1 2 1 7 3 . 1 8 6 5 3 / v 1 / 2 0 2 0 . e m n l p - d e m o s . 1 6 .
[8] W. E. Zhang, Q. Z. Sheng, A. Alhazmi, C. Li,
Adver</p>
        </sec>
      </sec>
    </sec>
  </body>
  <back>
    <ref-list />
  </back>
</article>