FireBERT: Hardening BERT-based classifiers against adversarial attack

TL;DR

FireBERT introduces three methods to enhance BERT classifiers' robustness against adversarial word-perturbation attacks, maintaining high accuracy on both regular and adversarial samples through co-tuning and evaluation-time perturbations.

Contribution

The paper proposes novel techniques for hardening BERT-based classifiers against adversarial attacks, including co-tuning with synthetic data and evaluation-time perturbations, demonstrating significant robustness improvements.

Findings

Co-tuning with synthetic data protects against 95% of adversarial samples.

Evaluation-time perturbation restores up to 75% of original accuracy under attack.

Methods maintain high accuracy on regular benchmark samples.

Abstract

We present FireBERT, a set of three proof-of-concept NLP classifiers hardened against TextFooler-style word-perturbation by producing diverse alternatives to original samples. In one approach, we co-tune BERT against the training data and synthetic adversarial samples. In a second approach, we generate the synthetic samples at evaluation time through substitution of words and perturbation of embedding vectors. The diversified evaluation results are then combined by voting. A third approach replaces evaluation-time word substitution with perturbation of embedding vectors. We evaluate FireBERT for MNLI and IMDB Movie Review datasets, in the original and on adversarial examples generated by TextFooler. We also test whether TextFooler is less successful in creating new adversarial samples when manipulating FireBERT, compared to working on unhardened classifiers. We show that it is possible to improve the accuracy of BERT-based models in the face of adversarial attacks without significantly reducing the accuracy for regular benchmark samples. We present co-tuning with a synthetic data generator as a highly effective method to protect against 95% of pre-manufactured adversarial samples while maintaining 98% of original benchmark performance. We also demonstrate evaluation-time perturbation as a promising direction for further research, restoring accuracy up to 75% of benchmark performance for pre-made adversarials, and up to 65% (from a baseline of 75% orig. / 12% attack) under active attack by TextFooler.