Masked Language Model Based Textual Adversarial Example Detection

Xiaomei Zhang, Zhaoxi Zhang, Qi Zhong, Xufei Zheng, Yanjun Zhang, Shengshan Hu, Leo Yu Zhang

TL;DR

Adversarial examples in NLP undermine reliable deployment by perturbing inputs while preserving human-like text. MLMD leverages masked language models to probe manifold changes via mask/unmask operations and uses either a threshold or model-based classifier to detect adversarial texts without retraining the victim model. Across AG-NEWS, IMDB, and SST-2, and against PWWS, TextFooler, DeepWordBug, and TextBugger, MLMD achieves high detection accuracy (up to 0.984) and competitive F1 scores, demonstrating strong generalization to multiple architectures and attacks. The work highlights MLM-based manifold tracing as a practical, plug-and-play defense with robust performance, and provides open-source code to facilitate adoption and further exploration.

Abstract

Adversarial attacks are a serious threat to the reliable deployment of machine learning models in safety-critical applications. They can misguide current models to predict incorrectly by slightly modifying the inputs. Recently, substantial work has shown that adversarial examples tend to deviate from the underlying data manifold of normal examples, whereas pre-trained masked language models can fit the manifold of normal NLP data. To explore how to use the masked language model in adversarial detection, we propose a novel textual adversarial example detection method, namely Masked Language Model-based Detection (MLMD), which can produce clearly distinguishable signals between normal examples and adversarial examples by exploring the changes in manifolds induced by the masked language model. MLMD features a plug and play usage (i.e., no need to retrain the victim model) for adversarial defense and it is agnostic to classification tasks, victim model's architectures, and to-be-defended attack methods. We evaluate MLMD on various benchmark textual datasets, widely studied machine learning models, and state-of-the-art (SOTA) adversarial attacks (in total $3 \times 4 \times 4 = 48$ settings). Experimental results show that MLMD can achieve strong performance, with detection accuracy up to 0.984, 0.967, and 0.901 on AG-NEWS, IMDB, and SST-2 datasets, respectively. Additionally, MLMD is superior, or at least comparable to, the SOTA detection defenses in detection accuracy and F1 score. Among many defenses based on the off-manifold assumption of adversarial examples, this work offers a new angle for capturing the manifold change. The code for this work is openly accessible at https://github.com/mlmddetection/MLMDdetection.

Paper Structure (28 sections, 4 equations, 3 figures, 7 tables)

Figures (3)

  • Figure 1: An overview of MLMD.
  • Figure 2: The histogram of distinguishable scores $S_t$ (defined in the paper's equation labelled Eq:disScores) computed for normal examples and their corresponding adversarial examples generated by attacking BERT trained on AG-NEWS with four attack methods. For adversarial examples, the manifold changes drastically after the mask and unmask operations, and therefore the classification results of the victim model are also significantly different from the original ones. In contrast, for normal examples, after the mask and unmask operations, they are still mapped back to the manifold where the normal examples are located. This makes the prediction results consistent with the original ones, and therefore their distinguishable scores $S_t$ are highly concentrated around $1.0$.
  • Figure 3: The effect of masking rate on detection performance. Results averaged over 3 runs.
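
The mask/unmask consistency check described in the abstract and the Figure 2 caption, as an added example that is not the authors' code or the MLMD repository's implementation. Assumptions: the corpus-statistics "masked LM", the keyword victim classifier, the one-token-at-a-time masking, the score (fraction of mask/unmask variants that keep the victim's original label, standing in for the paper's $S_t$, whose exact definition is not on this page), the 0.9 threshold and both sample sentences are constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed toy corpus standing in for the manifold of normal text.
CORPUS = [
    "the film was awful and boring",
    "this film was awful and dull",
    "that film was awful and boring",
    "the movie is great and fun",
    "this movie is great and moving",
]
NEG, POS = {"awful", "boring", "dull"}, {"great", "fun", "moving"}

def victim_predict(tokens):
    """Toy victim classifier (assumption): 1 = positive, 0 = negative."""
    pos = sum(t in POS for t in tokens)
    neg = sum(t in NEG for t in tokens)
    return 1 if pos >= neg else 0

# Toy masked LM (assumption): fill a mask from neighbour-word statistics.
both, left_only, right_only = (defaultdict(Counter) for _ in range(3))
for line in CORPUS:
    toks = ["<s>"] + line.split() + ["</s>"]
    for l, w, r in zip(toks, toks[1:], toks[2:]):
        both[(l, r)][w] += 1
        left_only[l][w] += 1
        right_only[r][w] += 1

def unmask(tokens, i):
    """Return tokens with position i masked and re-filled by the toy MLM."""
    padded = ["<s>"] + tokens + ["</s>"]
    l, r = padded[i], padded[i + 2]
    for table, key in ((both, (l, r)), (left_only, l), (right_only, r)):
        if key in table:
            fill = max(table[key], key=table[key].get)
            return tokens[:i] + [fill] + tokens[i + 1:]
    return list(tokens)  # no evidence for this context: keep the token

def consistency_score(text):
    """Fraction of mask/unmask variants that keep the victim's original label."""
    tokens = text.split()
    original = victim_predict(tokens)
    same = sum(victim_predict(unmask(tokens, i)) == original
               for i in range(len(tokens)))
    return same / len(tokens)

def is_adversarial(text, threshold=0.9):  # threshold value is an assumption
    return consistency_score(text) < threshold

NORMAL = "the film was awful and boring"
PERTURBED = "the film was awfu1 and b0ring"  # constructed character-level edit
```

On the constructed inputs, the normal sentence keeps its label under every mask/unmask variant, while the perturbed one is pulled back toward in-corpus words and the victim's label flips for some variants, which drops its score below the threshold.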