Defense against Adversarial Attacks in NLP via Dirichlet Neighborhood Ensemble
Yi Zhou, Xiaoqing Zheng, Cho-Jui Hsieh, Kai-wei Chang, Xuanjing Huang

TL;DR
This paper introduces Dirichlet Neighborhood Ensemble (DNE), a randomized smoothing technique that enhances NLP model robustness against substitution-based adversarial attacks by augmenting training data with virtual sentences.
Contribution
The paper proposes a novel defense method, DNE, which forms virtual sentences using convex hull sampling to improve adversarial robustness in NLP models without sacrificing performance.
Findings
DNE outperforms existing defense methods across various architectures.
The method maintains high accuracy on clean data while defending against attacks.
DNE scales effectively to large NLP models.
Abstract
Although neural networks have achieved prominent performance on many natural language processing (NLP) tasks, they are vulnerable to adversarial examples. In this paper, we propose Dirichlet Neighborhood Ensemble (DNE), a randomized smoothing method for training a robust model to defend against substitution-based attacks. During training, DNE forms virtual sentences by sampling embedding vectors for each word in an input sentence from the convex hull spanned by the word and its synonyms, and it augments the training data with them. In this way, the model becomes robust to adversarial attacks while maintaining its performance on the original clean data. DNE is agnostic to the network architecture and scales to large models for NLP applications. We demonstrate through extensive experimentation that our method consistently outperforms recently proposed defense methods by a significant margin across…
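The sampling step the abstract describes, as an added illustration (not the authors' code): each word's embedding is replaced by a Dirichlet-weighted convex combination of its own vector and its synonyms' vectors, so the virtual sentence always lies inside the neighborhood a substitution attack can reach. The embedding table, synonym sets, the Dirichlet concentration alpha and the inference-time averaging in smoothed_score are all constructed assumptions for this example.

```python
import random
from typing import Callable, Dict, List

# Constructed toy embedding table and synonym sets (not the paper's data).
EMBED: Dict[str, List[float]] = {
    "good": [1.0, 0.0, 0.2], "great": [0.9, 0.1, 0.3], "fine": [0.8, 0.1, 0.1],
    "movie": [0.0, 1.0, 0.5], "film": [0.1, 0.9, 0.4],
    "the": [0.0, 0.0, 1.0],
}
SYNONYMS: Dict[str, List[str]] = {
    "good": ["great", "fine"], "great": ["good", "fine"], "fine": ["good", "great"],
    "movie": ["film"], "film": ["movie"],
}

def neighborhood(word: str) -> List[str]:
    """The word itself plus its substitution candidates: the vertices of the convex hull."""
    return [word] + [s for s in SYNONYMS.get(word, []) if s in EMBED]

def dirichlet_weights(k: int, alpha: float, rng: random.Random) -> List[float]:
    """One point of the (k-1)-simplex: normalised Gamma(alpha, 1) draws (assumed alpha)."""
    g = [rng.gammavariate(alpha, 1.0) for _ in range(k)]
    total = sum(g)
    return [x / total for x in g]

def virtual_embedding(word: str, alpha: float, rng: random.Random) -> List[float]:
    """Convex combination of the word's and its synonyms' vectors under a Dirichlet draw."""
    verts = neighborhood(word)
    w = dirichlet_weights(len(verts), alpha, rng)
    dim = len(EMBED[word])
    return [sum(w[i] * EMBED[v][d] for i, v in enumerate(verts)) for d in range(dim)]

def virtual_sentence(tokens: List[str], alpha: float, rng: random.Random) -> List[List[float]]:
    """Augmented training input: every token is re-sampled independently from its hull."""
    return [virtual_embedding(t, alpha, rng) for t in tokens]

def inside_hull_bounds(vec: List[float], word: str, eps: float = 1e-9) -> bool:
    """Necessary check: each coordinate stays within the min/max over the hull's vertices."""
    verts = [EMBED[v] for v in neighborhood(word)]
    return all(min(v[d] for v in verts) - eps <= x <= max(v[d] for v in verts) + eps
               for d, x in enumerate(vec))

def smoothed_score(tokens: List[str], score_fn: Callable[[List[List[float]]], float],
                   alpha: float, n_samples: int, rng: random.Random) -> float:
    """Assumed inference-time ensemble: average a model's score over n virtual sentences."""
    return sum(score_fn(virtual_sentence(tokens, alpha, rng)) for _ in range(n_samples)) / n_samples
```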
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Advanced Malware Detection Techniques · Network Security and Intrusion Detection
Methods: Randomized Smoothing
