Alert-ME: An Explainability-Driven Defense Against Adversarial Examples in Transformer-Based Text Classification

TL;DR

This paper introduces EDIT, a unified, explainability-driven framework that detects, identifies, and transforms adversarial inputs in transformer-based text classifiers, significantly improving robustness and interpretability against various attack types.

Contribution

The paper presents a novel framework combining explainability tools and frequency features for real-time adversarial detection and input transformation in NLP models, enhancing security and interpretability.

Findings

Achieves 89.69% F-score and 89.70% accuracy on multiple datasets.

Outperforms four state-of-the-art defenses in accuracy and speed.

Effectively defends against standard, zero-day, and adaptive attacks.

Abstract

Transformer-based text classifiers such as BERT, RoBERTa, T5, and GPT have shown strong performance in natural language processing tasks but remain vulnerable to adversarial examples. These vulnerabilities raise significant security concerns, as small input perturbations can cause severe misclassifications. Existing robustness methods often require heavy computation or lack interpretability. This paper presents a unified framework called Explainability-driven Detection, Identification, and Transformation (EDIT) to strengthen inference-time defenses. EDIT integrates explainability tools, including attention maps and integrated gradients, with frequency-based features to automatically detect and identify adversarial perturbations while offering insight into model behavior. After detection, EDIT refines adversarial inputs using an optimal transformation process that leverages pre-trained embeddings and model feedback to replace corrupted tokens. To enhance security assurance, EDIT incorporates automated alerting mechanisms that involve human analysts when necessary. Beyond static defenses, EDIT also provides adaptive resilience by enforcing internal feature similarity and transforming inputs, thereby disrupting the attackers optimization process and limiting the effectiveness of adaptive adversarial attacks. Experiments using BERT and RoBERTa on IMDB, YELP, AGNEWS, and SST2 datasets against seven word substitution attacks demonstrate that EDIT achieves an average Fscore of 89.69 percent and balanced accuracy of 89.70 percent. Compared to four state-of-the-art defenses, EDIT improves balanced accuracy by 1.22 times and F1-score by 1.33 times while being 83 times faster in feature extraction. The framework provides robust, interpretable, and efficient protection against both standard, zero-day, and adaptive adversarial threats in text classification models.