Perturbing Inputs for Fragile Interpretations in Deep Natural Language Processing

TL;DR

This paper reveals that popular interpretability methods for NLP models can be easily manipulated through simple word perturbations, exposing their fragility and raising concerns about their reliability in critical applications.

Contribution

The study demonstrates how minimal word swaps can significantly alter explanations of NLP models without changing their predictions, exposing vulnerabilities in current interpretability techniques.

Findings

Rank correlation drops over 20% with less than 10% word perturbation

Interpretability methods are highly sensitive to small input changes

Generated adversarial examples maintain high semantic similarity and prediction consistency

Abstract

Interpretability methods like Integrated Gradient and LIME are popular choices for explaining natural language model predictions with relative word importance scores. These interpretations need to be robust for trustworthy NLP applications in high-stake areas like medicine or finance. Our paper demonstrates how interpretations can be manipulated by making simple word perturbations on an input text. Via a small portion of word-level swaps, these adversarial perturbations aim to make the resulting text semantically and spatially similar to its seed input (therefore sharing similar interpretations). Simultaneously, the generated examples achieve the same prediction label as the seed yet are given a substantially different explanation by the interpretation methods. Our experiments generate fragile interpretations to attack two SOTA interpretation methods, across three popular Transformer models and on two different NLP datasets. We observe that the rank order correlation drops by over 20% when less than 10% of words are perturbed on average. Further, rank-order correlation keeps decreasing as more words get perturbed. Furthermore, we demonstrate that candidates generated from our method have good quality metrics.