LG, Feb 15, 2021

Certified Robustness to Programmable Transformations in LSTMs

arXiv:2102.07818v2669 citations
AI Analysis

This paper addresses the fragility of NLP models to adversarial attacks by offering a certified defense method, though it is incremental in that it builds on existing robustness techniques.

The paper tackles the problem of adversarial examples in natural language processing by developing an approach to certify and train robust LSTMs against programmatically defined string transformations, showing improved robustness and high certification accuracy compared to existing techniques.

Deep neural networks for natural language processing are fragile in the face of adversarial examples -- small input perturbations, like synonym substitution or word duplication, which cause a neural network to change its prediction. We present an approach to certifying the robustness of LSTMs (and extensions of LSTMs) and training models that can be efficiently certified. Our approach can certify robustness to intractably large perturbation spaces defined programmatically in a language of string transformations. Our evaluation shows that (1) our approach can train models that are more robust to combinations of string transformations than those produced using existing techniques; (2) our approach can show high certification accuracy of the resulting models.

Code Implementations: 1 repo