DiffuseDef: Improved Robustness to Adversarial Attacks via Iterative Denoising

TL;DR

DiffuseDef introduces an iterative denoising diffusion layer to enhance the robustness of language models against adversarial attacks, achieving state-of-the-art defense performance through a plug-and-play approach.

Contribution

The paper presents a novel diffusion-based adversarial defense method for language models, integrating denoising and ensembling to improve robustness against attacks.

Findings

Outperforms existing adversarial defense methods.

Achieves state-of-the-art results against black-box and white-box attacks.

Seamless plug-and-play integration with existing models.

Abstract

Pretrained language models have significantly advanced performance across various natural language processing tasks. However, adversarial attacks continue to pose a critical challenge to systems built using these models, as they can be exploited with carefully crafted adversarial texts. Inspired by the ability of diffusion models to predict and reduce noise in computer vision, we propose a novel and flexible adversarial defense method for language classification tasks, DiffuseDef, which incorporates a diffusion layer as a denoiser between the encoder and the classifier. The diffusion layer is trained on top of the existing classifier, ensuring seamless integration with any model in a plug-and-play manner. During inference, the adversarial hidden state is first combined with sampled noise, then denoised iteratively and finally ensembled to produce a robust text representation. By integrating adversarial training, denoising, and ensembling techniques, we show that DiffuseDef improves over existing adversarial defense methods and achieves state-of-the-art performance against common black-box and white-box adversarial attacks.