Breaking the Adversarial Robustness-Performance Trade-off in Text Classification via Manifold Purification
This addresses a persistent challenge in text classification for improving model security without sacrificing performance, representing a strong specific gain rather than an incremental improvement.
The paper tackles the trade-off between adversarial robustness and clean data performance in text classification by modeling the clean data distribution in the embedding manifold, achieving new state-of-the-art robustness while fully preserving or slightly improving clean data accuracy.
A persistent challenge in text classification (TC) is that enhancing model robustness against adversarial attacks typically degrades performance on clean data. We argue that this challenge can be resolved by modeling the distribution of clean samples in the encoder embedding manifold. To this end, we propose the Manifold-Correcting Causal Flow (MC^2F), a two-module system that operates directly on sentence embeddings. A Stratified Riemannian Continuous Normalizing Flow (SR-CNF) learns the density of the clean data manifold. It identifies out-of-distribution embeddings, which are then corrected by a Geodesic Purification Solver. This solver projects adversarial points back onto the learned manifold via the shortest path, restoring a clean, semantically coherent representation. We conducted extensive evaluations on text classification (TC) across three datasets and multiple adversarial attacks. The results demonstrate that our method, MC^2F, not only establishes a new state-of-the-art in adversarial robustness but also fully preserves performance on clean data, even yielding modest gains in accuracy.