Adversarial GLUE: A Multi-Task Benchmark for Robustness Evaluation of Language Models (2111.02840v2)

Abstract: Large-scale pre-trained LLMs have achieved tremendous success across a wide range of natural language understanding (NLU) tasks, even surpassing human performance. However, recent studies reveal that the robustness of these models can be challenged by carefully crafted textual adversarial examples. While several individual datasets have been proposed to evaluate model robustness, a principled and comprehensive benchmark is still missing. In this paper, we present Adversarial GLUE (AdvGLUE), a new multi-task benchmark to quantitatively and thoroughly explore and evaluate the vulnerabilities of modern large-scale LLMs under various types of adversarial attacks. In particular, we systematically apply 14 textual adversarial attack methods to GLUE tasks to construct AdvGLUE, which is further validated by humans for reliable annotations. Our findings are summarized as follows. (i) Most existing adversarial attack algorithms are prone to generating invalid or ambiguous adversarial examples, with around 90% of them either changing the original semantic meanings or misleading human annotators as well. Therefore, we perform a careful filtering process to curate a high-quality benchmark. (ii) All the LLMs and robust training methods we tested perform poorly on AdvGLUE, with scores lagging far behind the benign accuracy. We hope our work will motivate the development of new adversarial attacks that are more stealthy and semantic-preserving, as well as new robust LLMs against sophisticated adversarial attacks. AdvGLUE is available at https://adversarialglue.github.io.

An Overview of Adversarial GLUE: A Multi-Task Benchmark for Robust LLM Evaluation

The development of Adversarial GLUE (AdvGLUE) represents a significant advancement in the evaluation of the robustness of large-scale LLMs. Despite the exceptional performance of these models on standard natural language understanding (NLU) tasks, significant concerns remain regarding their vulnerability to adversarial examples. These examples, although subtle to human perception, can lead models to incorrect predictions, undermining system reliability and raising security concerns. This paper introduces AdvGLUE, a comprehensive and methodologically rigorous benchmark designed to evaluate LLM robustness across various adversarial attack scenarios.

Key Contributions and Findings

AdvGLUE is constructed by applying diverse adversarial attack mechanisms to existing GLUE tasks, followed by human validation to ensure the reliability of annotations. The benchmark serves several pivotal functions:

1. Comprehensive Coverage: AdvGLUE investigates adversarial robustness from multiple angles, utilizing 14 different textual adversarial attack methods. This varied approach includes word-level transformations such as typos and synonym substitutions, sentence-level manipulations like syntactic and distraction-based attacks, and high-quality human-crafted examples derived from existing datasets like ANLI and AdvSQuAD.
2. Validity and Quality Assurance: The robustness evaluation in AdvGLUE is backed by systematic annotations and human validation. This approach addresses a common challenge in adversarial research—the generation of adversarial examples that often alter the original semantic meaning or confuse human annotators. AdvGLUE mitigates this by ensuring high-quality adversarial examples where a substantial percentage receive consensus from multiple human annotators.
3. Significant Findings on Model Vulnerability: The results demonstrated by various state-of-the-art LLMs on AdvGLUE reveal substantial susceptibility to adversarial examples. The benchmark exposes a significant gap between the models' performance on GLUE's standard test sets and the adversarial test sets. For instance, ELECTRA (Large) shows an average GLUE score drop from 93.16% to 41.69% on AdvGLUE, highlighting profound challenges in achieving robustness.
4. Diagnostic Insight into Attack Types: AdvGLUE’s evaluation framework provides critical insights into the types of adversarial attacks that pose the greatest difficulty for current LLMs. Human-crafted examples, especially those requiring intricate linguistic reasoning, notably challenge model robustness, as do distraction-based sentence-level perturbations and typo-induced word-level attacks.

Implications for Future Research

The outcomes from AdvGLUE suggest several implications for future research in the field of AI and language processing:

• Development of Advanced Robust Models: The findings from AdvGLUE should incentivize research into more sophisticated adversarial attack strategies that are semantically conservative while being more challenging for current models. Concurrently, this should also drive efforts to devise robust training methodologies capable of mitigating diverse adversarial threats comprehensively.
• Enhanced Evaluation Frameworks: AdvGLUE points to the necessity of integrating such robustness evaluation benchmarks into the standard pipeline of LLM development. Current pre-trained models might consistently achieve high scores on conventional benchmarks, yet AdvGLUE reveals latent vulnerabilities that could be crucial for real-world applications.
• Broader Application of Human-in-the-Loop Systems: The human validation aspect underscores the importance of combining machine learning outputs with human judgment, especially in tasks involving refined semantic interpretations. This hybrid approach might serve as a template for designing future models with enhanced interpretability and reliability.

In conclusion, AdvGLUE is an essential tool for the NLU community, offering a decisive step toward more resilient language processing systems. It provides a thorough diagnostic of existing LLMs while setting a high standard for subsequent research in adversarial robustness. By addressing vulnerabilities and fostering advancements in both model training and evaluation, AdvGLUE significantly contributes to the continuous improvement of NLU technologies.