Second-Order NLP Adversarial Examples

TL;DR

This paper introduces the concept of second-order adversarial examples in NLP, highlighting their existence and proposing new evaluation tools to assess the robustness of semantic similarity constraints against such examples.

Contribution

It defines second-order adversarial examples, develops the constraint robustness curve and ACCS metric, and evaluates their effectiveness on USE and BERTScore constraints.

Findings

Second-order adversarial examples exist but are less common than first-order ones.

USE is an effective constraint against second-order adversarial examples.

BERTScore is nearly ineffective as a constraint.

Abstract

Adversarial example generation methods in NLP rely on models like language models or sentence encoders to determine if potential adversarial examples are valid. In these methods, a valid adversarial example fools the model being attacked, and is determined to be semantically or syntactically valid by a second model. Research to date has counted all such examples as errors by the attacked model. We contend that these adversarial examples may not be flaws in the attacked model, but flaws in the model that determines validity. We term such invalid inputs second-order adversarial examples. We propose the constraint robustness curve and associated metric ACCS as tools for evaluating the robustness of a constraint to second-order adversarial examples. To generate this curve, we design an adversarial attack to run directly on the semantic similarity models. We test on two constraints, the Universal Sentence Encoder (USE) and BERTScore. Our findings indicate that such second-order examples exist, but are typically less common than first-order adversarial examples in state-of-the-art models. They also indicate that USE is effective as constraint on NLP adversarial examples, while BERTScore is nearly ineffectual. Code for running the experiments in this paper is available at https://github.com/jxmorris12/second-order-adversarial-examples.