Learn2Weight: Parameter Adaptation against Similar-domain Adversarial Attacks
Siddhartha Datta

TL;DR
This paper introduces Learn2Weight, a domain adaptation-based defense mechanism against similar-domain adversarial attacks in NLP, demonstrating its effectiveness over standard defenses on sentiment classification datasets.
Contribution
It proposes a novel domain adaptation-inspired defense method, Learn2Weight, to counter similar-domain adversarial attacks in NLP, filling a gap in existing black-box defense strategies.
Findings
Learn2Weight outperforms adversarial training and defensive distillation.
Effective against transfer-based black-box adversarial attacks.
Validated on Amazon multi-domain sentiment datasets.
Abstract
Recent work in black-box adversarial attacks for NLP systems has attracted much attention. Prior black-box attacks assume that attackers can observe output labels from target models based on selected inputs. In this work, inspired by adversarial transferability, we propose a new type of black-box NLP adversarial attack in which an attacker can choose a similar domain and transfer the adversarial examples to the target domain, causing poor performance in the target model. Based on domain adaptation theory, we then propose a defensive strategy, called Learn2Weight, which trains to predict the weight adjustments for a target model in order to defend against an attack of similar-domain adversarial examples. Using Amazon multi-domain sentiment classification datasets, we empirically show that Learn2Weight is effective against the attack compared to standard black-box defense methods such as…
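The threat model in the abstract (no queries to the target model; the attacker trains a surrogate on a similar domain, crafts adversarial examples against it, and relies on transferability) can be seen end to end in a small simulation. The following is an added example written for this page, not code from the paper, and it does not implement Learn2Weight. It uses hand-constructed bag-of-words reviews for three domains (books, electronics, hotels) and plain logistic regression; the word lists, review texts, the insertion attack and the `transfer_rate` measure are all assumptions made for illustration. The hotel surrogate, whose sentiment vocabulary does not overlap with the target's, is included to show why the attacker's choice of a similar domain matters.

```python
"""Toy similar-domain transfer attack (added illustration, not the paper's code).

The attacker never queries the electronics (target) sentiment model. They train
a surrogate on book reviews, craft word-insertion adversarial examples against
that surrogate, and submit them to the target. A hotel-review surrogate is the
dissimilar-domain control. All review data below is constructed by hand.
"""
import numpy as np

VOCAB = ["great", "love", "excellent", "terrible", "awful", "boring",  # shared sentiment words
         "plot", "author", "chapter",                                  # book domain words
         "battery", "screen", "charger",                               # electronics domain words
         "cozy", "friendly", "spotless", "rude", "dirty", "noisy",     # hotel sentiment words
         "room", "staff", "lobby"]                                     # hotel domain words
IDX = {w: i for i, w in enumerate(VOCAB)}

# Constructed training sets. Sentiment words carry the label; each domain word
# appears equally often with both labels, so it is uninformative.
BOOKS = [("great plot author", 1), ("love chapter plot", 1), ("excellent author chapter", 1),
         ("terrible plot author", 0), ("awful chapter plot", 0), ("boring author chapter", 0)]
ELECTRONICS = [("great battery screen", 1), ("love charger battery", 1), ("excellent screen charger", 1),
               ("terrible battery screen", 0), ("awful charger battery", 0), ("boring screen charger", 0)]
HOTELS = [("cozy room staff", 1), ("friendly lobby room", 1), ("spotless staff lobby", 1),
          ("rude room staff", 0), ("dirty lobby room", 0), ("noisy staff lobby", 0)]

# Constructed held-out target-domain texts the attacker wants to misclassify.
TARGET_TESTS = ["great screen charger", "love battery screen", "excellent charger battery",
                "terrible screen charger", "awful battery screen", "boring charger battery"]


def featurize(text):
    """Bag-of-words count vector over VOCAB."""
    x = np.zeros(len(VOCAB))
    for w in text.split():
        x[IDX[w]] += 1.0
    return x


def train(reviews, steps=2000, lr=0.5):
    """Logistic regression fitted by full-batch gradient descent; returns (w, b)."""
    X = np.array([featurize(t) for t, _ in reviews])
    y = np.array([label for _, label in reviews], dtype=float)
    w, b = np.zeros(len(VOCAB)), 0.0
    for _ in range(steps):
        g = 1.0 / (1.0 + np.exp(-(X @ w + b))) - y  # dLoss/dScore for log loss
        w -= lr * X.T @ g / len(y)
        b -= lr * g.mean()
    return w, b


def score(model, text):
    w, b = model
    return float(featurize(text) @ w + b)


def predict(model, text):
    return int(score(model, text) > 0)


def craft(surrogate, text, budget=2):
    """Greedy insertion attack that only ever consults the surrogate: append
    `budget` vocabulary words, each chosen to push the surrogate's score as far
    as possible away from its prediction on the clean text."""
    orig = predict(surrogate, text)
    sign = -1.0 if orig == 1 else 1.0
    words = text.split()
    for _ in range(budget):
        best = max(VOCAB, key=lambda c: sign * score(surrogate, " ".join(words + [c])))
        words.append(best)
    return " ".join(words)


def transfer_rate(surrogate, target, texts):
    """Fraction of target-domain texts whose target prediction flips when the
    surrogate-crafted adversarial version is submitted instead of the clean one."""
    flips = sum(predict(target, craft(surrogate, t)) != predict(target, t) for t in texts)
    return flips / len(texts)


if __name__ == "__main__":
    target = train(ELECTRONICS)
    similar = train(BOOKS)        # attacker's similar-domain surrogate
    dissimilar = train(HOTELS)    # attacker's dissimilar-domain surrogate
    print("similar-domain surrogate, transfer rate:   ", transfer_rate(similar, target, TARGET_TESTS))
    print("dissimilar-domain surrogate, transfer rate:", transfer_rate(dissimilar, target, TARGET_TESTS))
    print("adversarial text:", repr(craft(similar, "great screen charger")))
```

The book surrogate learns the same sentiment weights the electronics target learns, because the two domains share the words that carry the label, so an insertion that defeats the surrogate also defeats the target. The hotel surrogate assigns weight only to its own sentiment vocabulary, so the words it chooses to insert are ignored by the target and nothing transfers. Real transformer classifiers are far less clean than this, which is exactly why the paper measures transfer empirically on the Amazon multi-domain data.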
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Hate Speech and Cyberbullying Detection
