
Adversarial Text Purification: A Large Language Model Approach for Defense

Raha Moraffah, Shubh Khandelwal, Amrita Bhattacharjee, Huan Liu

TL;DR

The paper tackles the vulnerability of text classifiers to adversarial inputs by introducing an LLM-guided adversarial text purification approach that uses instruction-tuned large language models and carefully designed prompts to generate purified, semantically similar texts that are classified correctly without explicitly modeling perturbations. It demonstrates that this method markedly improves post-attack accuracy (average gains over 65%) and outperforms prior purification and adversarial-training baselines on IMDb and AG News with BERT and RoBERTa classifiers. The work includes ablation studies showing the importance of explicit correction guidance in prompts and case studies illustrating fluent, semantically faithful purified outputs. Overall, the approach offers a scalable defense against unseen textual attacks by leveraging off-the-shelf LLMs and prompt engineering, reducing reliance on attack-specific defenses.

Abstract

Adversarial purification is a defense mechanism for safeguarding classifiers against adversarial attacks without knowing the type of attacks or training of the classifier. These techniques characterize and eliminate adversarial perturbations from the attacked inputs, aiming to restore purified samples that retain similarity to the initially attacked ones and are correctly classified by the classifier. Due to the inherent challenges associated with characterizing noise perturbations for discrete inputs, adversarial text purification has been relatively unexplored. In this paper, we investigate the effectiveness of adversarial purification methods in defending text classifiers. We propose a novel adversarial text purification method that harnesses the generative capabilities of Large Language Models (LLMs) to purify adversarial text without the need to explicitly characterize the discrete noise perturbations. We utilize prompt engineering to exploit LLMs for recovering the purified examples for given adversarial examples such that they are semantically similar and correctly classified. Our proposed method demonstrates remarkable performance over various classifiers, improving their accuracy under attack by over 65% on average.
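The abstract describes the defense as a wrapper: an instruction-tuned LLM is prompted to rewrite a possibly perturbed input, and the classifier then sees the rewrite instead of the raw text. The block below is an added example of how a practitioner would wire such a purifier in front of a classifier and measure accuracy before attack, under attack, and after purification; it is not the authors' code, and the paper's actual prompts are not reproduced on this page. The prompt wording, the token-overlap gate, the fallback-to-original policy, the keyword classifier, the constructed review snippets and the deterministic stand-in for the LLM (it only undoes hyphenation and leetspeak so the example runs offline) are all assumptions made for this example. The two gates matter in practice: an LLM that refuses, answers with commentary, or hallucinates a different text would otherwise be fed straight into the classifier.

```python
import re
from typing import Callable, Dict, List, Tuple

Classifier = Callable[[str], str]
LLM = Callable[[str], str]
Example = Tuple[str, str]  # (text, gold label)

# Assumed prompt; the paper's own prompts are not shown on this page.
PROMPT_TEMPLATE = (
    "The text below may contain small adversarial edits (misspellings, inserted "
    "symbols, swapped words) meant to fool a text classifier. Rewrite it so that "
    "it is fluent and keeps the original meaning. Return only the rewritten text.\n\n"
    "Text: {text}"
)

_WRAPPER = re.compile(r"^\s*(?:rewritten text|purified text|output)\s*:\s*", re.I)


def build_prompt(text: str) -> str:
    return PROMPT_TEMPLATE.format(text=text)


def extract_rewrite(raw: str) -> str:
    """Strip the chatter instruction-tuned models commonly add around an answer."""
    text = _WRAPPER.sub("", raw.strip())
    if len(text) >= 2 and text[0] == text[-1] and text[0] in "\"'":
        text = text[1:-1]
    return text.strip()


def token_overlap(a: str, b: str) -> float:
    """Jaccard overlap of alphanumeric tokens; a cheap stand-in for semantic similarity."""
    ta = set(re.findall(r"[a-z0-9]+", a.lower()))
    tb = set(re.findall(r"[a-z0-9]+", b.lower()))
    if not ta and not tb:
        return 1.0
    return len(ta & tb) / len(ta | tb)


def purify(text: str, llm: LLM, min_overlap: float = 0.2, max_len_ratio: float = 2.0) -> str:
    """Ask the LLM for a rewrite; keep the original if the rewrite is empty, bloated or unrelated."""
    candidate = extract_rewrite(llm(build_prompt(text)))
    if not candidate:
        return text
    if len(candidate) > max_len_ratio * max(len(text), 1):
        return text
    if token_overlap(text, candidate) < min_overlap:
        return text
    return candidate


def purified_classifier(classifier: Classifier, llm: LLM) -> Classifier:
    """The defended model: classify the purified text, never the raw input."""
    return lambda text: classifier(purify(text, llm))


def accuracy(classifier: Classifier, examples: List[Example]) -> float:
    return sum(classifier(t) == y for t, y in examples) / len(examples)


def evaluate(classifier: Classifier, llm: LLM, clean: List[Example],
             attacked: List[Example]) -> Dict[str, float]:
    defended = purified_classifier(classifier, llm)
    return {
        "clean": accuracy(classifier, clean),
        "attacked": accuracy(classifier, attacked),
        "purified": accuracy(defended, attacked),
    }


# ---- constructed demo pieces (not from the paper) --------------------------
POS = {"great", "wonderful", "loved", "brilliant"}
NEG = {"terrible", "boring", "hated", "awful"}


def keyword_classifier(text: str) -> str:
    """Toy sentiment classifier; trivially fooled by breaking up its cue words."""
    words = set(re.findall(r"[a-z]+", text.lower()))
    score = len(words & POS) - len(words & NEG)
    return "positive" if score > 0 else "negative" if score < 0 else "neutral"


LEET = str.maketrans({"3": "e", "0": "o", "1": "l", "4": "a", "@": "a", "$": "s"})


def stand_in_llm(prompt: str) -> str:
    """Deterministic stand-in for an instruction-tuned LLM so the example runs offline."""
    text = prompt.rsplit("Text: ", 1)[-1]
    text = re.sub(r"(?<=[a-z])-(?=[a-z])", "", text)  # "gr-eat" -> "great"
    text = text.translate(LEET)                       # "wond3rful" -> "wonderful"
    return f'Rewritten text: "{text}"'                # mimic model chatter


CLEAN: List[Example] = [
    ("a great and wonderful film", "positive"),
    ("i loved every minute of it", "positive"),
    ("a terrible and boring mess", "negative"),
    ("i hated this awful movie", "negative"),
]
# Constructed character-level perturbations of the clean set.
ATTACKED: List[Example] = [
    ("a gr-eat and wond3rful film", "positive"),
    ("i l0ved every minute of it", "positive"),
    ("a terr-ible and b0ring mess", "negative"),
    ("i h4ted this awfu1 movie", "negative"),
]

if __name__ == "__main__":
    print(evaluate(keyword_classifier, stand_in_llm, CLEAN, ATTACKED))
```

Swapping `stand_in_llm` for a real model call and `keyword_classifier` for a BERT or RoBERTa pipeline leaves the wrapper unchanged; the gates in `purify` are what keep a refusal or an unrelated hallucination from reaching the classifier.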

Paper Structure (14 sections, 1 figure, 3 tables)