Text Adversarial Purification as Defense against Adversarial Attacks (2023.acl-long)
Copied to clipboard
| Challenge: | Existing methods for defending against adversarial examples are difficult due to the discrete nature of texts. |
| Approach: | They propose a novel adversarial purification method that aims to remove adversarials and make correct predictions based on the recovered clean samples. |
| Outcome: | The proposed method can defend against word-substitution adversarial attacks using language models. |
Similar Papers
BERT-ATTACK: Adversarial Attack Against BERT Using BERT (2020.emnlp-main)
Copied to clipboard
| Challenge: | Current approaches to generate adversarial samples for discrete data are heuristic replacement strategies that are difficult to implement in continuous data. |
| Approach: | They propose a method to generate adversarial samples using pre-trained masked language models using BERT. |
| Outcome: | The proposed method outperforms state-of-the-art methods in success rate and perturb percentage while remaining fluent and semantically preserved. |
Searching for an Effective Defender: Benchmarking Defense against Adversarial Word Substitution (2021.emnlp-main)
Copied to clipboard
Zongyi Li, Jianhan Xu, Jiehang Zeng, Linyang Li, Xiaoqing Zheng, Qi Zhang, Kai-Wei Chang, Cho-Jui Hsieh
| Challenge: | Existing methods to defend against adversarial word-substitution attacks have not been evaluated or compared in a systematic manner. |
| Approach: | They propose to compare different defense methods under representative adversarial attacks . they propose a method that improves the robustness of neural text classifiers against such attacks a . |
| Outcome: | The proposed method improves robustness of neural text classifiers against such attacks by a significant margin. |
Adversarial Text Normalization (2022.naacl-industry)
Copied to clipboard
| Challenge: | Text-based adversarial attacks are becoming more commonplace and accessible to general internet users. |
| Approach: | They propose a method that restores baseline performance on attacked content with low computational overhead. |
| Outcome: | The proposed method restores baseline performance on attacked content with low computational overhead. |
Generating Textual Adversaries with Minimal Perturbation (2022.findings-emnlp)
Copied to clipboard
| Challenge: | Existing word-level adversarial approaches for textual data have various limitations due to the large search space consisting of combinations of candidate words. |
| Approach: | They propose a novel attack strategy to find adversarial texts with high similarity to original texts without perturbation. |
| Outcome: | The proposed approach achieves higher success rates and lower perturbation rates in four benchmark datasets compared with state-of-the-art approaches. |
DiffuseDef: Improved Robustness to Adversarial Attacks via Iterative Denoising (2025.acl-long)
Copied to clipboard
| Challenge: | Existing adversarial defense methods for natural language processing still pose challenges to adversarials. |
| Approach: | They propose a novel adversarial defense method that incorporates a diffusion layer as a denoiser between the encoder and the classifier. |
| Outcome: | The proposed method improves over existing adversarial defense methods and achieves state-of-the-art performance against black-box and white-box adversarials. |
Concealed Data Poisoning Attacks on NLP Models (2021.naacl-main)
Copied to clipboard
| Challenge: | In contrast, adversarial attacks can cause model errors by modifying inputs, such as the universal triggers attack. |
| Approach: | They propose a data poisoning attack that allows an adversary to control model predictions whenever a desired trigger phrase is present in the input. |
| Outcome: | The proposed attack can cause model errors by modifying inputs, but it can also cause extra human annotation. |
Improving Gradient-based Adversarial Training for Text Classification by Contrastive Learning and Auto-Encoder (2021.findings-acl)
Copied to clipboard
| Challenge: | Recent work has shown that models can be easily fooled by intentionally designed adversarial examples. |
| Approach: | They propose two efficient approaches for generating adversarial perturbations on embeddings and propose two new approaches to help model learn adversarials more efficiently. |
| Outcome: | The proposed approaches outperform strong baselines on various text classification datasets and the model's performance drops less under adversarial attack. |
BAE: BERT-based Adversarial Examples for Text Classification (2020.emnlp-main)
Copied to clipboard
| Challenge: | Recent studies have exposed the vulnerability of text classification models to adversarial examples . perturbed versions of the original text are indiscernible by humans and misclassified by the model . |
| Approach: | They propose a black box attack for generating adversarial examples using contextual perturbations from a BERT-masked language model. |
| Outcome: | The proposed attack produces examples with improved grammaticality and semantic coherence compared to previous work. |
Phrase-level Textual Adversarial Attack with Label Preservation (2022.findings-naacl)
Copied to clipboard
| Challenge: | Existing adversarial attacks are usually realized through word-level or sentence-level perturbations, which either limit the perturbation space or sacrifice fluency and textual quality. |
| Approach: | They propose a phrase-level perturbation-based adversarial ATtack that generates adversarials through phrase- level perturbations. |
| Outcome: | The proposed approach improves the performance of natural language processing models by reducing the need for word-level perturbations and preserving the fluency and grammaticality of the samples. |
Humanizing Machine-Generated Content: Evading AI-Text Detection through Adversarial Attack (2024.lrec-main)
Copied to clipboard
| Challenge: | Despite the development of large language models, there are still significant challenges in detecting whether text is generated by a machine. |
| Approach: | They propose a framework for a broader class of adversarial attacks to perform minor perturbations in machine-generated content to evade detection. |
| Outcome: | The proposed framework can be compromised in as little as 10 seconds, and improves over iterative adversarial learning. |