CL, Jan 11, 2022

Quantifying Robustness to Adversarial Word Substitutions

arXiv:2201.03829v1, 5 citations
Originality: Incremental advance
AI Analysis

This work addresses the robustness issue for deep-learning-based NLP models, which is crucial for their safe deployment, but it is incremental as it builds on existing attack and verification methods.

The authors tackled the problem of evaluating the robustness of NLP models to adversarial word substitutions by proposing a formal framework that estimates safe regions and introduces a robustness metric with statistical guarantees. They found that state-of-the-art models like BERT are vulnerable to a few substitutions but generalize well to real-world noise.

Deep-learning-based NLP models are found to be vulnerable to word substitution perturbations. Before they are widely adopted, the fundamental issues of robustness need to be addressed. Along this line, we propose a formal framework to evaluate word-level robustness. First, to study safe regions for a model, we introduce the robustness radius, which is the boundary where the model can resist any perturbation. As calculating the maximum robustness radius is computationally hard, we estimate its upper and lower bounds. We repurpose attack methods as ways of seeking an upper bound and design a pseudo-dynamic programming algorithm for a tighter upper bound. Then a verification method is utilized for a lower bound. Further, for evaluating the robustness of regions outside a safe radius, we reexamine robustness from another view: quantification. A robustness metric with a rigorous statistical guarantee is introduced to measure the quantification of adversarial examples, which indicates the model's susceptibility to perturbations outside the safe radius. The metric helps us figure out why state-of-the-art models like BERT can be easily fooled by a few word substitutions, but generalize well in the presence of real-world noise.
