A Sweet Rabbit Hole by DARCY: Using Honeypots to Detect Universal Trigger’s Adversarial Attacks

Le, Thai; Park, Noseong; Lee, Dongwon

doi:10.18653/v1/2021.acl-long.296

Cited by 16 publications

(11 citation statements)

References 22 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…A seminal work (Xu et al, 2018) on adversarial example detection in the image domain assumes the first scenario, whereas existing works in NLP (Le et al, 2021;Mozes et al, 2021) only experiment on the second scenario. Our benchmark framework provides the data and tools for experimenting on both.…”

Section: Detecting Adversarial Examplesmentioning

confidence: 99%

“…FGWS (Mozes et al, 2021) outperforms DISP in detection by building on the observation that attacked samples are composed of rare words on 2 attack methods. Le et al (2021) tackle a particular attack method called UniTrigger (Wallace et al, 2019), which pre-pends or appends an identical phrase in all sentences. While the performance is impressive, applying this method to other attacks requires significant adjustment due to the distinct characteristics of UniTrigger.…”

Section: Related Workmentioning

confidence: 99%

“…Many existing works that employ detection as an auxiliary task for defense require adversarial samples for training, which may be a restrictive scenario given the variety of attack methods and sparsity of adversarial samples in the real world. In addition, some works either focus on a single type of attack (Le et al, 2021) or is limited to characterlevel attacks (Pruthi et al, 2019), both of which do not abide the two key constraints (semantics †Determined by the experimented types of attacks. Some works can be trivially modified to adjust to a different type of attacks.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Detection of Word Adversarial Examples in Text Classification: Benchmark and Baseline via Robust Density Estimation

Yoo¹,

Kim²,

Jang³

et al. 2022

Preprint

View full text Add to dashboard Cite

Word-level adversarial attacks have shown success in NLP models, drastically decreasing the performance of transformer-based models in recent years. As a countermeasure, adversarial defense has been explored, but relatively few efforts have been made to detect adversarial examples. However, detecting adversarial examples may be crucial for automated tasks (e.g. review sentiment analysis) that wish to amass information about a certain population and additionally be a step towards a robust defense system. To this end, we release a dataset for four popular attack methods on four datasets and four models to encourage further research in this field. Along with it, we propose a competitive baseline based on density estimation that has the highest AUC on 29 out of 30 dataset-attack-model combinations. 1

show abstract

Section: Detecting Adversarial Examplesmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Detection of Word Adversarial Examples in Text Classification: Benchmark and Baseline via Robust Density Estimation

Yoo¹,

Kim²,

Jang³

et al. 2022

Preprint

View full text Add to dashboard Cite

show abstract

“…Existing defense approaches against UAT maintain additional adversary detectors. For example, DARCY (Le et al, 2021) searches for the potential triggers first, and then retrain a classifier using the exploited triggers as a UAT adversary detector; T-Miner (Azizi et al, 2021) leverages Seq2Seq model to probe the hidden representation of the suspicious classifier into a synthetic text sequence that is likely to contain adversarial triggers. In addition, neither of the methods have been tested on large-scale pretrained LM.…”

Section: A Comparison With Regular Finetuningmentioning

confidence: 99%

On Robust Prefix-Tuning for Text Classification

Yang¹,

Liu²

2022

Preprint

View full text Add to dashboard Cite

Recently, prefix-tuning has gained increasing attention as a parameter-efficient finetuning method for large-scale pretrained language models. The method keeps the pretrained models fixed and only updates the prefix token parameters for each downstream task. Despite being lightweight and modular, prefix-tuning still lacks robustness to textual adversarial attacks. However, most currently developed defense techniques necessitate auxiliary model update and storage, which inevitably hamper the modularity and low storage of prefix-tuning. In this work, we propose a robust prefix-tuning framework that preserves the efficiency and modularity of prefix-tuning. The core idea of our framework is leveraging the layerwise activations of the language model by correctly-classified training data as the standard for additional prefix finetuning. During the test phase, an extra batch-level prefix is tuned for each batch and added to the original prefix for robustness enhancement. Extensive experiments on three text classification benchmarks show that our framework substantially improves robustness over several strong baselines against five textual attacks of different types while maintaining comparable accuracy on clean texts. We also interpret our robust prefix-tuning framework from the optimal control perspective and pose several directions for future research 1 .

show abstract

“…In addition, a robust ML pipeline is often equipped to detect and remove potential adversarial perturbations either via automatic software (Jayanthi et al, 2020;Pruthi et al, 2019), trapdoors (Le et al, 2021) or human-in-the-loop (Le et al, 2020). Such detection is feasible especially when the perturbed texts are curated using a set of fixed rules that can be easily re-purposed for defense.…”

Section: Introductionmentioning

confidence: 99%

Perturbations in the Wild: Leveraging Human-Written Text Perturbations for Realistic Adversarial Attack and Defense

Le¹,

Lee²,

Yen³

et al. 2022

Preprint

Self Cite

View full text Add to dashboard Cite

We proposes a novel algorithm, ANTHRO, that inductively extracts over 600K human-written text perturbations in the wild and leverages them for realistic adversarial attack. Unlike existing character-based attacks which often deductively hypothesize a set of manipulation strategies, our work is grounded on actual observations from real-world texts. We find that adversarial texts generated by AN-THRO achieve the best trade-off between (1) attack success rate, (2) semantic preservation of the original text, and (3) stealthiness-i.e. indistinguishable from human writings hence harder to be flagged as suspicious. Specifically, our attacks accomplished around 83% and 91% attack success rates on BERT and RoBERTa, respectively. Moreover, it outperformed the TextBugger baseline with an increase of 50% and 40% in terms of semantic preservation and stealthiness when evaluated by both layperson and professional human workers. ANTHRO can further enhance a BERT classifier's performance in understanding different variations of human-written toxic texts via adversarial training when compared to the Perspective API. Source code will be published at github.com/lethaiq/ perturbations-in-the-wild.

show abstract

A Sweet Rabbit Hole by DARCY: Using Honeypots to Detect Universal Trigger’s Adversarial Attacks

Cited by 16 publications

References 22 publications

Detection of Word Adversarial Examples in Text Classification: Benchmark and Baseline via Robust Density Estimation

Detection of Word Adversarial Examples in Text Classification: Benchmark and Baseline via Robust Density Estimation

On Robust Prefix-Tuning for Text Classification

Perturbations in the Wild: Leveraging Human-Written Text Perturbations for Realistic Adversarial Attack and Defense

Contact Info

Product

Resources

About