Enhance Robustness of Language Models Against Variation Attack through Graph Integration

Zi Xiong, Lizhi Qing, Yangyang Kang, Jiawei Liu, Hongsong Li, Changlong Sun, Xiaozhong Liu, Wei Lu

TL;DR

This work tackles adversarial robustness of Chinese PLMs to character-variation attacks by introducing CHANGE, which integrates a Chinese Character Variation Graph into transformer models. The approach combines CVGI, which reconstructs attacked inputs using attacking paths and a 2D attention mechanism, with Variation Graph Instructed Pre-training across ATP, AMP, and ACP tasks to strengthen path recognition and restoration. Empirical results on TNews, AFQMC, and Message show that CHANGE improves robustness under attacks with only negligible loss on clean data, outperforming several strong baselines. The findings demonstrate the practical potential of graph-guided, multi-task pre-training to bolster robustness in real-world Chinese NLP applications, with opportunities to extend to other languages and attack types.

Abstract

The widespread use of pre-trained language models (PLMs) in natural language processing (NLP) has greatly improved performance outcomes. However, these models' vulnerability to adversarial attacks (e.g., camouflaged hints from drug dealers), particularly in the Chinese language with its rich character diversity/variation and complex structures, raises serious concern. In this study, we propose a novel method, CHinese vAriatioN Graph Enhancement (CHANGE), to increase the robustness of PLMs against character variation attacks in Chinese content. CHANGE presents a novel approach for incorporating a Chinese character variation graph into the PLMs. By designing different supplementary tasks that utilize the graph structure, CHANGE enhances PLMs' interpretation of adversarially manipulated text. Experiments conducted on a multitude of NLP tasks show that CHANGE outperforms current language models in combating adversarial attacks and serves as a valuable contribution to robust language model research. These findings contribute to the groundwork on robust language models and highlight the substantial potential of graph-guided pre-training strategies for real-world applications.

Paper Structure (17 sections, 4 equations, 4 figures, 5 tables)

This paper contains 17 sections, 4 equations, 4 figures, 5 tables.

Figures (4)

  • Figure 1: Character Variations via semantic, visual, and pronunciation in Chinese Spam Texts.
  • Figure 2: The overview architecture of the CHANGE method. For the attacked content, the Chinese Variation Graph Integration recognizes the possible variations and reconstructs a postfix attached to the raw input.
  • Figure 3: (a): An example of reconstruction. In the Variation Graph, the red "+" symbol has two variations: "加" through pinyin variation and "十" through visual variation. Similarly, the red "莪" character has two variations in the Variation Graph: "我" and "窝", both derived from pinyin variation. The red "徽" character has two variations in the graph: "薇" through pinyin variation and "微" through visual variation. (b): An example of the adversarial 2D attention map. In the whole reconstructed sentence, the raw text segment "您有筷递超时未取" employs full cross-attention. The identified attacked character "筷" exclusively attends to its variations in the postfix segment. The candidate original characters, "[PIN]块[/PIN]" in the example, only have attention with the attacked character "快".
  • Figure 4: The impact of corpus size and training costs on the f1-score performance of CHANGE-enhanced PLM on the TNews Dataset.
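
The reconstruction and 2D attention layout described in the Figure 3 caption can be sketched as follows. This is an added example, not the paper's code. Assumptions: characters are flagged by membership in a toy graph, the "筷" entry and the `[VIS]` tag name are constructed (the caption only shows `[PIN]`), and each candidate span may attend within itself.

```python
# Toy variation graph: attacked character -> (candidate original, edge tag).
# "+", "莪", "徽" entries follow the Figure 3 caption; the "筷" entry and the
# VIS tag name are assumptions made for this example.
VARIATION_GRAPH = {
    "+": [("加", "PIN"), ("十", "VIS")],
    "莪": [("我", "PIN"), ("窝", "PIN")],
    "徽": [("薇", "PIN"), ("微", "VIS")],
    "筷": [("块", "PIN")],
}


def reconstruct(text):
    """Return (tokens, spans): raw characters plus a postfix of tagged candidates.

    spans holds (attacked_index, span_start, span_end), span_end exclusive.
    A character is flagged when it is a graph key (assumed detector).
    """
    tokens = list(text)
    spans = []
    for pos, ch in enumerate(text):
        for cand, tag in VARIATION_GRAPH.get(ch, []):
            start = len(tokens)
            tokens += [f"[{tag}]", cand, f"[/{tag}]"]
            spans.append((pos, start, len(tokens)))
    return tokens, spans


def attention_mask(raw_len, tokens, spans):
    """Build the 2D mask: mask[i][j] == 1 means token i may attend to token j."""
    n = len(tokens)
    mask = [[0] * n for _ in range(n)]
    for i in range(raw_len):              # raw segment: full attention
        for j in range(raw_len):
            mask[i][j] = 1
    for pos, start, end in spans:
        for k in range(start, end):
            mask[pos][k] = 1              # attacked char -> its own candidates
            mask[k][pos] = 1              # candidate -> only its attacked char
            for m in range(start, end):   # assumption: a span attends to itself
                mask[k][m] = 1
    return mask


if __name__ == "__main__":
    raw = "您有筷递超时未取"               # sentence from the Figure 3(b) caption
    toks, spans = reconstruct(raw)
    for tok, row in zip(toks, attention_mask(len(raw), toks, spans)):
        print(f"{tok:>6} {''.join(map(str, row))}")
```

Unflagged raw characters never see the postfix, so a wrong candidate can influence the sentence representation only through the flagged position it is linked to.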