Alert-ME: An Explainability-Driven Defense Against Adversarial Examples in Transformer-Based Text Classification
Bushra Sabir, Yansong Gao, Alsharif Abuadbba, M. Ali Babar
TL;DR
This work tackles the vulnerability of transformer-based text classifiers to adversarial word substitutions by introducing EDIT, an explainability-driven defense composed of a Training Adversarial Detector (TAD) and a Test-Time Detection and Transformation (TDT) pipeline. EDIT fuses attention- and gradient-based explainability signals with frequency-based features to detect adversarial examples, identify perturbed words, and apply optimal, semantically preserving transformations, with automated alerting for human analysts when needed. Across four datasets and two victim models against seven attacks, EDIT achieves a median F1 of $89.69\%$ and BAL_ACC of $89.70\%$, while offering significantly faster feature extraction than baselines and robust resilience to adaptive attacks. The framework emphasizes interpretability and security operations, enabling threat intelligence logging and human-in-the-loop intervention to bolster practical deployment in security-critical NLP applications.
Abstract
Transformer-based text classifiers such as BERT, RoBERTa, T5, and GPT have shown strong performance in natural language processing tasks but remain vulnerable to adversarial examples. These vulnerabilities raise significant security concerns, as small input perturbations can cause severe misclassifications. Existing robustness methods often require heavy computation or lack interpretability. This paper presents a unified framework called Explainability-driven Detection, Identification, and Transformation (EDIT) to strengthen inference-time defenses. EDIT integrates explainability tools, including attention maps and integrated gradients, with frequency-based features to automatically detect and identify adversarial perturbations while offering insight into model behavior. After detection, EDIT refines adversarial inputs using an optimal transformation process that leverages pre-trained embeddings and model feedback to replace corrupted tokens. To enhance security assurance, EDIT incorporates automated alerting mechanisms that involve human analysts when necessary. Beyond static defenses, EDIT also provides adaptive resilience by enforcing internal feature similarity and transforming inputs, thereby disrupting the attacker's optimization process and limiting the effectiveness of adaptive adversarial attacks. Experiments using BERT and RoBERTa on IMDB, YELP, AGNEWS, and SST2 datasets against seven word substitution attacks demonstrate that EDIT achieves an average F-score of 89.69 percent and balanced accuracy of 89.70 percent. Compared to four state-of-the-art defenses, EDIT improves balanced accuracy by 1.22 times and F1-score by 1.33 times while being 83 times faster in feature extraction. The framework provides robust, interpretable, and efficient protection against standard, zero-day, and adaptive adversarial threats in text classification models.
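The detect, identify and transform steps that the TL;DR and abstract describe, sketched as an added example that is not the paper's EDIT implementation: a linear bag-of-words classifier stands in for the transformer so that integrated gradients can be computed exactly, and the weights, corpus counts, embedding table, threshold `tau` and the confidence-based candidate ranking are all constructed assumptions for this illustration.

```python
"""Toy detect / identify / transform loop in the shape the abstract describes.
Added example, not the paper's EDIT code: a linear bag-of-words classifier
stands in for the transformer; all weights, counts and embeddings are constructed."""
import math
from collections import Counter

# Constructed victim model: positive logit => "positive" review; "terrific" is mis-learned.
WEIGHTS = {"great": 2.0, "superb": 1.9, "fun": 0.8, "movie": 0.1,
           "terrible": -2.1, "awful": -2.2, "terrific": -1.5}
# Constructed training-corpus counts for the frequency feature ("terrific" never seen).
COUNTS = Counter({"great": 40, "superb": 12, "fun": 25, "movie": 60, "the": 90,
                  "was": 70, "and": 80, "terrible": 30, "awful": 20})
# Constructed 3-d embeddings; "terrific" sits next to its real synonyms.
EMB = {"terrific": (0.9, 0.1, 0.2), "great": (0.85, 0.15, 0.2), "superb": (0.8, 0.2, 0.25),
       "terrible": (-0.8, 0.1, 0.2), "awful": (-0.85, 0.05, 0.15), "fun": (0.4, 0.7, 0.1)}

def logit(tokens):
    return sum(WEIGHTS.get(t, 0.0) for t in tokens)

def integrated_gradients(tokens, steps=20):
    """IG from an all-zero baseline. The linear model's gradient is w at every
    point on the path, so the Riemann sum is exact: IG_i = w_i * x_i."""
    return {t: tokens.count(t) * sum(WEIGHTS.get(t, 0.0) for _ in range(steps)) / steps
            for t in set(tokens)}

def rarity(token):
    """Frequency feature: 1.0 for an unseen word, shrinking as the word gets common."""
    return 1.0 / (1.0 + COUNTS[token])

def identify(tokens, tau=0.5):
    """Fuse attribution with frequency: suspicious = influential AND rare."""
    ig = integrated_gradients(tokens)
    return sorted(t for t in set(tokens) if abs(ig[t]) * rarity(t) > tau)

def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    return dot / (math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b)))

def transform(tokens, k=3):
    """Replace each flagged word with the in-vocabulary embedding neighbour on which
    the model is most confident (this example's stand-in for 'model feedback')."""
    flagged, out = identify(tokens), list(tokens)
    for w in flagged:
        if w not in EMB:                       # no embedding: leave it for the analyst
            continue
        neigh = sorted((c for c in EMB if c != w and COUNTS[c] > 0),
                       key=lambda c: -cosine(EMB[w], EMB[c]))[:k]
        best = max(neigh, key=lambda c: abs(logit([c if t == w else t for t in out])))
        out = [best if t == w else t for t in out]
    label = lambda toks: "positive" if logit(toks) > 0 else "negative"
    return {"adversarial": bool(flagged), "flagged": flagged, "repaired": out,
            "label_before": label(tokens), "label_after": label(out)}
```

The returned dictionary is the alert record: on the constructed input "the movie was terrific and fun" the rare, high-attribution word "terrific" is flagged, swapped for "great", and the prediction moves from negative back to positive, while a clean review passes through unchanged.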
