CL, LG · Jun 20, 2020

Defense against Adversarial Attacks in NLP via Dirichlet Neighborhood Ensemble

arXiv:2006.11627v1 · 51 citations
Originality: Incremental advance
AI Analysis

This work addresses the problem of adversarial attacks in NLP for researchers and practitioners, offering a scalable, architecture-agnostic defense method that delivers an incremental improvement in robustness.

The paper tackles the vulnerability of neural networks to adversarial examples in NLP by proposing Dirichlet Neighborhood Ensemble (DNE), a randomized smoothing method that forms virtual sentences from word embeddings and their synonyms to train robust models, and reports consistent, significant gains over recent defense methods across a range of architectures and datasets.

Although neural networks have achieved prominent performance on many natural language processing (NLP) tasks, they are vulnerable to adversarial examples. In this paper, we propose Dirichlet Neighborhood Ensemble (DNE), a randomized smoothing method for training a robust model to defend against substitution-based attacks. During training, DNE forms virtual sentences by sampling embedding vectors for each word in an input sentence from a convex hull spanned by the word and its synonyms, and it augments the training data with them. In such a way, the model is robust to adversarial attacks while maintaining the performance on the original clean data. DNE is agnostic to the network architecture and scales to large models for NLP applications. We demonstrate through extensive experimentation that our method consistently outperforms recently proposed defense methods by a significant margin across different network architectures and multiple data sets.
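The sampling step the abstract describes, as an added stdlib-only Python sketch that is not the paper's code: the embeddings, synonym sets and the stand-in classifier are constructed toy values, and the majority vote over resampled sentences is one reading of "ensemble" at inference time.

```python
import random
from typing import Dict, List, Sequence

# Constructed toy embeddings (3-d) and synonym sets, not the paper's data.
EMBEDDINGS: Dict[str, List[float]] = {
    "good": [0.9, 0.1, 0.0], "great": [0.8, 0.2, 0.1], "fine": [0.7, 0.3, 0.0],
    "movie": [0.0, 0.1, 0.9], "film": [0.1, 0.0, 0.8],
}
SYNONYMS: Dict[str, List[str]] = {"good": ["great", "fine"], "movie": ["film"]}

def make_rng(seed: int = 0) -> random.Random:
    """Seeded generator so runs are reproducible."""
    return random.Random(seed)

def dirichlet(alpha: Sequence[float], rng: random.Random) -> List[float]:
    """Dirichlet(alpha) sample via normalized Gamma draws (stdlib only)."""
    g = [rng.gammavariate(a, 1.0) for a in alpha]
    total = sum(g)
    return [x / total for x in g]

def virtual_embedding(word: str, rng: random.Random, alpha: float = 1.0) -> List[float]:
    """Random point in the convex hull spanned by `word` and its synonyms.
    Dirichlet weights are non-negative and sum to one, so the weighted sum of
    the vertex embeddings is always inside the hull; a word with no synonyms
    gets weight 1.0 and keeps its original embedding exactly."""
    vertices = [word] + SYNONYMS.get(word, [])
    weights = dirichlet([alpha] * len(vertices), rng)
    return [sum(w * EMBEDDINGS[v][d] for w, v in zip(weights, vertices))
            for d in range(len(EMBEDDINGS[word]))]

def virtual_sentence(tokens: Sequence[str], rng: random.Random,
                     alpha: float = 1.0) -> List[List[float]]:
    """One augmented (virtual) sentence: every token's embedding is resampled."""
    return [virtual_embedding(t, rng, alpha) for t in tokens]

def toy_classifier(sentence: List[List[float]]) -> str:
    """Stand-in model: 'positive' if the mean first coordinate exceeds 0.3."""
    score = sum(vec[0] for vec in sentence) / len(sentence)
    return "positive" if score > 0.3 else "negative"

def smoothed_predict(tokens: Sequence[str], rng: random.Random,
                     n_samples: int = 64, alpha: float = 1.0) -> str:
    """Randomized-smoothing inference: majority vote over virtual sentences.
    A synonym substitution moves the input to another vertex of the same hull,
    so the vote distribution barely changes and the label is hard to flip."""
    votes: Dict[str, int] = {}
    for _ in range(n_samples):
        label = toy_classifier(virtual_sentence(tokens, rng, alpha))
        votes[label] = votes.get(label, 0) + 1
    return max(votes, key=votes.get)
```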

Code Implementations: 1 repo
Foundations

The foundational work for this paper's niche, ranked by how specifically the neighbourhood builds on it — not by global fame.
