Papers
Topics
Authors
Recent
2000 character limit reached

SemRoDe: Macro Adversarial Training to Learn Representations That are Robust to Word-Level Attacks

Published 27 Mar 2024 in cs.CL and cs.LG | (2403.18423v1)

Abstract: LLMs (LMs) are indispensable tools for natural language processing tasks, but their vulnerability to adversarial attacks remains a concern. While current research has explored adversarial training techniques, their improvements to defend against word-level attacks have been limited. In this work, we propose a novel approach called Semantic Robust Defence (SemRoDe), a Macro Adversarial Training strategy to enhance the robustness of LMs. Drawing inspiration from recent studies in the image domain, we investigate and later confirm that in a discrete data setting such as language, adversarial samples generated via word substitutions do indeed belong to an adversarial domain exhibiting a high Wasserstein distance from the base domain. Our method learns a robust representation that bridges these two domains. We hypothesize that if samples were not projected into an adversarial domain, but instead to a domain with minimal shift, it would improve attack robustness. We align the domains by incorporating a new distance-based objective. With this, our model is able to learn more generalized representations by aligning the model's high-level output features and therefore better handling unseen adversarial samples. This method can be generalized across word embeddings, even when they share minimal overlap at both vocabulary and word-substitution levels. To evaluate the effectiveness of our approach, we conduct experiments on BERT and RoBERTa models on three datasets. The results demonstrate promising state-of-the-art robustness.

Definition Search Book Streamline Icon: https://streamlinehq.com
References (66)
  1. Generating natural language adversarial examples. arXiv preprint arXiv:1804.07998.
  2. Defending pre-trained language models from adversarial word substitutions without performance sacrifice.
  3. Samuel Barham and Soheil Feizi. 2019. Interpretable adversarial training for text.
  4. Optimal transport as a defense against adversarial attacks. In 2020 25th International Conference on Pattern Recognition (ICPR). IEEE.
  5. Universal sentence encoder. arXiv preprint arXiv:1803.11175.
  6. Adversarial attacks and defences: A survey.
  7. Marco Cuturi. 2013. Sinkhorn distances: Lightspeed computation of optimal transportation distances.
  8. Bert: Pre-training of deep bidirectional transformers for language understanding.
  9. Mma training: Direct input space margin maximization through adversarial training.
  10. Towards robustness against natural language word substitutions.
  11. HotFlip: White-box adversarial examples for text classification. In Proceedings of the 56th Annual Meeting of the Association for Computational Linguistics (Volume 2: Short Papers), pages 31–36, Melbourne, Australia. Association for Computational Linguistics.
  12. Steffen Eger and Yannik Benz. 2020. From hero to z’eroe: A benchmark of low-level adversarial attacks. In Proceedings of the 1st Conference of the Asia-Pacific Chapter of the Association for Computational Linguistics and the 10th International Joint Conference on Natural Language Processing, pages 786–803, Suzhou, China. Association for Computational Linguistics.
  13. Text processing like humans do: Visually attacking and shielding NLP systems.
  14. Jean Feydy. 2020. Geometric data analysis, beyond convolutions.
  15. Interpolating between optimal transport and mmd using sinkhorn divergences.
  16. Using punctuation as an adversarial attack on deep learning-based NLP systems: An empirical study. In Findings of the Association for Computational Linguistics: EACL 2023, pages 1–34, Dubrovnik, Croatia. Association for Computational Linguistics.
  17. Special symbol attacks on nlp systems. In 2021 International Joint Conference on Neural Networks (IJCNN), pages 1–8.
  18. Black-box generation of adversarial text sequences to evade deep learning classifiers.
  19. DSRM: Boost textual adversarial training with distribution shift risk minimization. In Proceedings of the 61st Annual Meeting of the Association for Computational Linguistics (Volume 1: Long Papers), pages 12177–12189, Toronto, Canada. Association for Computational Linguistics.
  20. Explaining and harnessing adversarial examples.
  21. A kernel method for the two-sample problem.
  22. Certified robustness to adversarial word substitutions. In Proceedings of the 2019 Conference on Empirical Methods in Natural Language Processing and the 9th International Joint Conference on Natural Language Processing (EMNLP-IJCNLP), pages 4129–4142, Hong Kong, China. Association for Computational Linguistics.
  23. Is bert really robust? a strong baseline for natural language attack on text classification and entailment.
  24. Adversarial logit pairing.
  25. TextBugger: Generating adversarial text against real-world applications. In Proceedings 2019 Network and Distributed System Security Symposium. Internet Society.
  26. Bert-attack: Adversarial attack against bert using bert.
  27. Searching for an effective defender: Benchmarking defense against adversarial word substitution.
  28. Flooding-X: Improving BERT’s resistance to adversarial attacks via loss-restricted fine-tuning. In Proceedings of the 60th Annual Meeting of the Association for Computational Linguistics (Volume 1: Long Papers), pages 5634–5644, Dublin, Ireland. Association for Computational Linguistics.
  29. Roberta: A robustly optimized bert pretraining approach.
  30. Towards deep learning models resistant to adversarial attacks.
  31. Generating natural language attacks in a hard label black box setting. In AAAI Conference on Artificial Intelligence.
  32. George A. Miller. 1995. Wordnet: A lexical database for english. Commun. ACM, 38(11):39–41.
  33. Adversarial training methods for semi-supervised text classification.
  34. A unifying view on dataset shift in classification. Pattern Recognition, 45(1):521–530.
  35. Textattack: A framework for adversarial attacks, data augmentation, and adversarial training in nlp.
  36. “that is a suspicious reaction!”: Interpreting logits variation to detect NLP adversarial attacks. In Proceedings of the 60th Annual Meeting of the Association for Computational Linguistics (Volume 1: Long Papers). Association for Computational Linguistics.
  37. Counter-fitting word vectors to linguistic constraints.
  38. Dang Minh Nguyen and Luu Anh Tuan. 2022. Textual manifold-based defense against natural language adversarial examples.
  39. Improving mini-batch optimal transport via partial transportation. In Proceedings of the 39th International Conference on Machine Learning, volume 162 of Proceedings of Machine Learning Research, page 16656–16690. PMLR.
  40. Thong Nguyen and Luu Anh Tuan. 2021. Improving neural cross-lingual summarization via employing optimal transport distance for knowledge distillation.
  41. Domain adaptation via transfer component analysis.
  42. GloVe: Global vectors for word representation. In Proceedings of the 2014 Conference on Empirical Methods in Natural Language Processing (EMNLP), pages 1532–1543, Doha, Qatar. Association for Computational Linguistics.
  43. Nils Reimers and Iryna Gurevych. 2019. Sentence-bert: Sentence embeddings using siamese bert-networks.
  44. Generating natural language adversarial examples through probability weighted word saliency. In Proceedings of the 57th Annual Meeting of the Association for Computational Linguistics, pages 1085–1097, Florence, Italy. Association for Computational Linguistics.
  45. Interpretable adversarial perturbation in input embedding space for text.
  46. Textshield: Beyond successfully detecting adversarial sentences in text classification.
  47. Improving the generalization of adversarial training with domain adaptation.
  48. Return of frustratingly easy domain adaptation.
  49. It’s morphin’ time! combating linguistic discrimination with inflectional perturbations. Proceedings of the 58th Annual Meeting of the Association for Computational Linguistics.
  50. On adaptive attacks to adversarial example defenses. In Advances in Neural Information Processing Systems, volume 33, pages 1633–1645. Curran Associates, Inc.
  51. Infobert: Improving robustness of language models from an information theoretic perspective.
  52. On the robustness of chatgpt: An adversarial and out-of-distribution perspective.
  53. Adversarial demonstration attacks on large language models.
  54. Natural language adversarial defense through synonym encoding. In Conference on Uncertainty in Artificial Intelligence.
  55. Adversarial training with fast gradient projection method against synonym substitution based text attacks.
  56. Robustness-aware word embedding improves certified robustness to adversarial word substitutions. In Findings of the Association for Computational Linguistics: ACL 2023, pages 673–687, Toronto, Canada. Association for Computational Linguistics.
  57. Improving adversarial robustness requires revisiting misclassified examples. In International Conference on Learning Representations.
  58. Toward adversarial training on contextualized language representation.
  59. SAFER: A structure-free approach for certified robustness to adversarial word substitutions. In Proceedings of the 58th Annual Meeting of the Association for Computational Linguistics, pages 3465–3475, Online. Association for Computational Linguistics.
  60. Jin Yong Yoo and Yanjun Qi. 2021. Towards improving adversarial training of nlp models.
  61. Word-level textual adversarial attacking as combinatorial optimization. Proceedings of the 58th Annual Meeting of the Association for Computational Linguistics.
  62. Theoretically principled trade-off between robustness and accuracy.
  63. Alignment attention by matching key and query distributions.
  64. Certified robustness against natural language attacks by causal intervention.
  65. Freelb: Enhanced adversarial training for natural language understanding.
  66. Promptbench: Towards evaluating the robustness of large language models on adversarial prompts.
Citations (4)
View on Semantic Scholar

Summary

No one has generated a summary of this paper yet.

Ai Sparkles Streamline Icon: https://streamlinehq.com Sign Up to Summarize

Paper to Video (Beta)

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Ai Sparkles Streamline Icon: https://streamlinehq.com Sign Up to Generate

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Ai Sparkles Streamline Icon: https://streamlinehq.com Generate Now

Continue Learning

We haven't generated follow-up questions for this paper yet.

Ai Sparkles Streamline Icon: https://streamlinehq.com Generate Now

Collections

Sign up for free to add this paper to one or more collections.

User Circle Single Streamline Icon: https://streamlinehq.com Sign Up