Input-specific Attention Subnetworks for Adversarial Detection
This paper addresses the problem of adversarial vulnerability in NLP models, particularly BERT encoders, with incremental improvements in detection accuracy.
The paper tackled adversarial detection in Transformer models by constructing input-specific attention subnetworks to extract features for discriminating between authentic and adversarial inputs, resulting in a 7.5% improvement in state-of-the-art accuracy on 10 NLU datasets with 11 attack types.
Self-attention heads are characteristic of Transformer models and have been well studied for interpretability and pruning. In this work, we demonstrate an altogether different utility of attention heads, namely for adversarial detection. Specifically, we propose a method to construct input-specific attention subnetworks (IAS) from which we extract three features to discriminate between authentic and adversarial inputs. The resultant detector significantly improves (by over 7.5%) the state-of-the-art adversarial detection accuracy for the BERT encoder on 10 NLU datasets with 11 different adversarial attack types. We also demonstrate that our method (a) is more accurate for larger models which are likely to have more spurious correlations and thus vulnerable to adversarial attack, and (b) performs well even with modest training sets of adversarial examples.