LG · CL · CR · Feb 2, 2025

Reformulation is All You Need: Addressing Malicious Text Features in DNNs

arXiv:2502.00652v2 · 1 citation · h-index: 3
AI Analysis

This work provides a unified defense against multiple attack types in NLP, though it appears incremental as it builds on existing sample-oriented approaches.

The paper tackles the problem of adversarial and backdoor attacks in NLP DNNs by addressing malicious text features through a reformulation-based defense framework, achieving superior performance over existing baselines in experiments.

Human language encompasses a wide range of intricate and diverse implicit features, which attackers can exploit to launch adversarial or backdoor attacks, compromising DNN models for NLP tasks. Existing model-oriented defenses often require substantial computational resources as model size increases, whereas sample-oriented defenses typically focus on specific attack vectors or schemes, rendering them vulnerable to adaptive attacks. We observe that the root cause of both adversarial and backdoor attacks lies in the encoding process of DNN models, where subtle textual features, negligible for human comprehension, are erroneously assigned significant weight by less robust or trojaned models. Based on this observation, we propose a unified and adaptive defense framework that is effective against both adversarial and backdoor attacks. Our approach leverages reformulation modules to address potential malicious features in textual inputs while preserving the original semantic integrity. Extensive experiments demonstrate that our framework outperforms existing sample-oriented defense baselines across a diverse range of malicious textual features.
