Defense of Word-level Adversarial Attacks via Random Substitution Encoding
Zhaoyang Wang, Hongtao Wang

TL;DR
This paper proposes a novel defense framework called Random Substitution Encoding (RSE) that enhances neural network robustness against word-level adversarial attacks in NLP by incorporating random substitutions during training.
Contribution
The paper introduces RSE, a new defense method that improves NLP model resilience to synonym substitution attacks through random encoding during training.
Findings
RSE significantly improves defense against word-level adversarial attacks.
The framework is effective across various models and attack types.
Experimental results show increased robustness in text classification tasks.
Abstract
The adversarial attacks against deep neural networks on computer vision tasks have spawned many new technologies that help protect models from avoiding false predictions. Recently, word-level adversarial attacks on deep models of Natural Language Processing (NLP) tasks have also demonstrated strong power, e.g., fooling a sentiment classification neural network to make wrong decisions. Unfortunately, little previous literature has discussed the defense against such word-level synonym-substitution-based attacks since they are hard to perceive and detect. In this paper, we shed light on this problem and propose a novel defense framework called Random Substitution Encoding (RSE), which introduces a random substitution encoder into the training process of original neural networks. Extensive experiments on text classification tasks demonstrate the effectiveness of our framework on defense of…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Anomaly Detection Techniques and Applications · Advanced Malware Detection Techniques
