Certified Robustness for Large Language Models with Self-Denoising

TL;DR

This paper introduces a self-denoising method leveraging large language models to improve certified robustness against noisy inputs, outperforming existing certification techniques in both theoretical and empirical robustness.

Contribution

It proposes a novel self-denoising approach that enhances robustness certification of LLMs without needing separate models, improving efficiency and flexibility.

Findings

Outperforms existing certification methods in robustness.

Achieves larger certification radii.

Demonstrates improved empirical robustness.

Abstract

Although large language models (LLMs) have achieved great success in vast real-world applications, their vulnerabilities towards noisy inputs have significantly limited their uses, especially in high-stake environments. In these contexts, it is crucial to ensure that every prediction made by large language models is stable, i.e., LLM predictions should be consistent given minor differences in the input. This largely falls into the study of certified robust LLMs, i.e., all predictions of LLM are certified to be correct in a local region around the input. Randomized smoothing has demonstrated great potential in certifying the robustness and prediction stability of LLMs. However, randomized smoothing requires adding noise to the input before model prediction, and its certification performance depends largely on the model's performance on corrupted data. As a result, its direct application to LLMs remains challenging and often results in a small certification radius. To address this issue, we take advantage of the multitasking nature of LLMs and propose to denoise the corrupted inputs with LLMs in a self-denoising manner. Different from previous works like denoised smoothing, which requires training a separate model to robustify LLM, our method enjoys far better efficiency and flexibility. Our experiment results show that our method outperforms the existing certification methods under both certified robustness and empirical robustness. The codes are available at https://github.com/UCSB-NLP-Chang/SelfDenoise.