Defense of Word-level Adversarial Attacks via Random Substitution Encoding
This addresses a critical security issue for NLP models vulnerable to subtle adversarial attacks, representing an incremental improvement as it builds on existing defense gaps.
The paper tackles the problem of defending against word-level adversarial attacks in NLP by proposing a Random Substitution Encoding (RSE) framework, which integrates a random substitution encoder during training to protect models from synonym substitution attacks, showing effectiveness across various base and attack models in text classification tasks.
The adversarial attacks against deep neural networks on computer vision tasks have spawned many new technologies that help protect models from avoiding false predictions. Recently, word-level adversarial attacks on deep models of Natural Language Processing (NLP) tasks have also demonstrated strong power, e.g., fooling a sentiment classification neural network to make wrong decisions. Unfortunately, few previous literatures have discussed the defense of such word-level synonym substitution based attacks since they are hard to be perceived and detected. In this paper, we shed light on this problem and propose a novel defense framework called Random Substitution Encoding (RSE), which introduces a random substitution encoder into the training process of original neural networks. Extensive experiments on text classification tasks demonstrate the effectiveness of our framework on defense of word-level adversarial attacks, under various base and attack models.