Finding a Needle in the Adversarial Haystack: A Targeted Paraphrasing Approach For Uncovering Edge Cases with Minimal Distribution Distortion

Aly M. Kassem, Sherif Saad

TL;DR

Adversarial vulnerabilities in NLP classifiers motivate a scalable, data-efficient way to discover edge cases without distorting the training distribution. The authors introduce Targeted Paraphrasing via RL (TPRL), which combines a FLAN-T5 paraphraser with proximal policy optimization to generate semantically preserved adversarial samples that confuse a target classifier. A curated paraphrase dataset and a Mutual Implication-based similarity metric steer the RL policy toward diverse, natural samples; adding those samples to training improves robustness, and the learned policy transfers across classifiers, suggesting a universal attacking policy. The method yields consistent gains on multiple datasets and models, showing that it can systematically surface and repair model weaknesses while keeping label integrity. The authors note limitations, namely a single scalar reward and a sequence-length constraint, and suggest multi-objective RL and longer sequences as future work.

Abstract

Adversarial attacks against language models (LMs) are a significant concern. In particular, adversarial samples exploit the model's sensitivity to small input changes. While these changes appear insignificant on the semantics of the input sample, they result in significant decay in model performance. In this paper, we propose Targeted Paraphrasing via RL (TPRL), an approach to automatically learn a policy to generate challenging samples that most likely improve the model's performance. TPRL leverages FLAN-T5, a language model, as a generator and employs a self-learned policy using a proximal policy gradient to generate the adversarial examples automatically. TPRL's reward is based on the confusion induced in the classifier, preserving the original text meaning through a Mutual Implication score. We demonstrate and evaluate TPRL's effectiveness in discovering natural adversarial attacks and improving model performance through extensive experiments on four diverse NLP classification tasks via automatic and human evaluation. TPRL outperforms strong baselines, exhibits generalizability across classifiers and datasets, and combines the strengths of language modeling and reinforcement learning to generate diverse and influential adversarial examples.
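The abstract describes the reward as "confusion induced in the classifier" gated by a Mutual Implication score that keeps the paraphrase's meaning. The following Python is an added illustration of that reward structure, not the paper's code or its exact formula: confusion is measured here as the increase in cross-entropy on the gold label, the Mutual Implication score is a stand-in number supplied per candidate (a real MI model would compute it), and the threshold, penalty value and sample sentences are assumptions. The point worth seeing in code is the label-integrity check: a paraphrase that flips the prediction by changing the meaning must earn nothing, or the policy learns to attack the label instead of the model.

```python
import math
from dataclasses import dataclass


@dataclass
class Candidate:
    """One paraphrase of an original sentence, plus the target classifier's
    class probabilities on both texts and a semantic-similarity score."""
    original: str
    paraphrase: str
    true_label: int
    p_orig: list     # classifier probabilities on the original text
    p_adv: list      # classifier probabilities on the paraphrase
    mi_score: float  # Mutual Implication similarity in [0, 1]; stand-in value here


# Assumed hyperparameters, not values from the paper.
MI_THRESHOLD = 0.5    # below this the paraphrase no longer preserves meaning
DRIFT_PENALTY = -1.0  # flat penalty for meaning drift, regardless of confusion


def cross_entropy(probs, label):
    return -math.log(max(probs[label], 1e-12))


def confusion(cand):
    """Extra loss the paraphrase induces on the gold label. Positive means the
    classifier became less sure of the right answer than it was on the original."""
    return (cross_entropy(cand.p_adv, cand.true_label)
            - cross_entropy(cand.p_orig, cand.true_label))


def adversarial_reward(cand, mi_threshold=MI_THRESHOLD):
    """Scalar reward for the paraphrasing policy (assumed structure): confusion
    counts only when the paraphrase and the original still mutually imply each
    other; otherwise a flat penalty so the policy cannot farm reward by
    rewriting the sentence into a different class."""
    if cand.mi_score < mi_threshold:
        return DRIFT_PENALTY
    return confusion(cand)


def is_adversarial(cand, mi_threshold=MI_THRESHOLD):
    """Meaning-preserving paraphrase that turns a correct prediction into a
    wrong one, i.e. a natural adversarial example under the gold label."""
    pred_orig = max(range(len(cand.p_orig)), key=cand.p_orig.__getitem__)
    pred_adv = max(range(len(cand.p_adv)), key=cand.p_adv.__getitem__)
    return (cand.mi_score >= mi_threshold
            and pred_orig == cand.true_label
            and pred_adv != cand.true_label)


def rank_edge_cases(cands, k):
    """Top-k candidates worth adding to the adversarial-training set. Only
    positive rewards survive, so meaning-drifted paraphrases (penalised) and
    paraphrases the classifier finds easier (negative confusion) are dropped."""
    scored = [(adversarial_reward(c), c) for c in cands]
    scored = [(r, c) for r, c in scored if r > 0]
    scored.sort(key=lambda rc: rc[0], reverse=True)
    return [c for _, c in scored[:k]]


# Constructed batch: sentences, probabilities and MI scores are invented for
# illustration (binary sentiment, label 1 = positive).
SAMPLE_BATCH = [
    Candidate("The film is a delight from start to finish.",
              "From its first scene to its last, the movie is a joy.",
              1, [0.1, 0.9], [0.6, 0.4], 0.90),   # flips the label, meaning kept
    Candidate("The film is a delight from start to finish.",
              "The movie is enjoyable all the way through.",
              1, [0.1, 0.9], [0.2, 0.8], 0.95),   # mild confusion, no flip
    Candidate("The film is a delight from start to finish.",
              "The film is a chore from start to finish.",
              1, [0.1, 0.9], [0.9, 0.1], 0.20),   # flips only because meaning changed
    Candidate("A tedious, overlong mess.",
              "A long and tiresome jumble.",
              0, [0.8, 0.2], [0.85, 0.15], 0.90), # classifier got more confident
]


if __name__ == "__main__":
    for c in rank_edge_cases(SAMPLE_BATCH, k=2):
        print(f"{adversarial_reward(c):+.3f}  flip={is_adversarial(c)}  {c.paraphrase}")
```

The third candidate is the case a naive "maximise classifier loss" reward gets wrong: it produces the largest confusion of the batch, but it is not an edge case of the model, it is a relabelled sentence, and training on it with the original label would poison the classifier. Gating on the similarity score is what keeps the generated distribution close to the original one, which is the "minimal distribution distortion" the title refers to.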
Paper Structure (48 sections, 6 equations, 7 figures, 9 tables)

Figures (7)

  • Figure 1: Components of our framework TPRL for Natural Adversarial Generation. (1) Employing data filtering and then paraphrasing fine-tuning. (2) Targeted paraphrasing through employing RL on classification datasets.
  • Figure 2: T-SNE visualization of the vectorized original and TPRL-adversarial sentences in the SST-2. The adversarial sentences (circles) mostly overlap with the original sentences (triangles), suggesting that generated sentences maintain the original class distribution.
  • Figure 3: T-SNE visualization of the vectorized original and TPRL-adversarial sentences in the SST-2. The adversarial sentences (circles) mostly overlap with the original sentences (triangles), suggesting that generated sentences maintain the original class distribution.
  • Figure 4: T-SNE visualization of the vectorized original and TPRL-adversarial sentences in the SST-5. The adversarial sentences (circles) mostly overlap with the original sentences (triangles), suggesting that generated sentences maintain the original class distribution.
  • Figure 5: T-SNE visualization of the vectorized original and TPRL-adversarial sentences in OFF. The adversarial sentences (circles) mostly overlap with the original sentences (triangles), suggesting that generated sentences maintain the original class distribution.