Don't sweat the small stuff, classify the rest: Sample Shielding to protect text classifiers against adversarial attacks

TL;DR

This paper introduces Sample Shielding, a simple, classifier-agnostic defense method that enhances the robustness of deep learning text classifiers against minimal-change adversarial attacks without sacrificing original accuracy.

Contribution

It proposes a novel, easy-to-implement sampling-based defense strategy that significantly reduces attack success rates across multiple classifiers and datasets.

Findings

Attack success rate drops to <=10% with shielding

Sample Shielding maintains high accuracy on original texts

Effective against state-of-the-art minimal-change attacks

Abstract

Deep learning (DL) is being used extensively for text classification. However, researchers have demonstrated the vulnerability of such classifiers to adversarial attacks. Attackers modify the text in a way which misleads the classifier while keeping the original meaning close to intact. State-of-the-art (SOTA) attack algorithms follow the general principle of making minimal changes to the text so as to not jeopardize semantics. Taking advantage of this we propose a novel and intuitive defense strategy called Sample Shielding. It is attacker and classifier agnostic, does not require any reconfiguration of the classifier or external resources and is simple to implement. Essentially, we sample subsets of the input text, classify them and summarize these into a final decision. We shield three popular DL text classifiers with Sample Shielding, test their resilience against four SOTA attackers across three datasets in a realistic threat setting. Even when given the advantage of knowing about our shielding strategy the adversary's attack success rate is <=10% with only one exception and often < 5%. Additionally, Sample Shielding maintains near original accuracy when applied to original texts. Crucially, we show that the `make minimal changes' approach of SOTA attackers leads to critical vulnerabilities that can be defended against with an intuitive sampling strategy.