
Adversarial Style Augmentation via Large Language Model for Robust Fake News Detection

Sungwon Park, Sungwon Han, Xing Xie, Jae-Gil Lee, Meeyoung Cha

TL;DR

AdStyle introduces adversarial style augmentation to fortify fake news detectors against style-conversion attacks enabled by large language models. It automatically generates adversarial style-conversion prompts via in-context demonstration and selects a diverse, coherent top-k subset to augment training data, guiding the detector toward robustness with a BCE objective. Empirical results on Politifact, GossipCop, and Constraint show superior robustness and detection performance under multiple style-conversion attacks, and across different LLM backbones, outperforming several baselines. The approach is compatible with existing detectors, scalable across rounds, and accompanied by code release to support practical deployment and further research in adversarial stylometry defense.

Abstract

The spread of fake news harms individuals and presents a critical social challenge that must be addressed. Although numerous algorithmic and insightful features have been developed to detect fake news, many of these features can be manipulated with style-conversion attacks, especially with the emergence of advanced language models, making it more difficult to differentiate from genuine news. This study proposes adversarial style augmentation, AdStyle, designed to train a fake news detector that remains robust against various style-conversion attacks. The primary mechanism involves the strategic use of LLMs to automatically generate a diverse and coherent array of style-conversion attack prompts, enhancing the generation of particularly challenging prompts for the detector. Experiments indicate that our augmentation strategy significantly improves robustness and detection performance when evaluated on fake news benchmark datasets.

Paper Structure (17 sections, 4 equations, 14 figures, 6 tables)

This paper contains 17 sections, 4 equations, 14 figures, 6 tables.

Figures (14)

  • Figure 1: Illustration of AdStyle. The model undergoes multiple rounds of training. In each round, it utilizes the style-conversion prompt and prediction confusion score from the previous round to create prompt candidates aimed at maximizing the detector model's confusion. Subsequently, a subset of the training dataset is used to select the top-$k$ prompts, based on factors such as adversarialness, coherency, and diversity. These selected prompts are then employed as augmentations in the training process. Repetition of this process allows the model to consider a wide range of adversarial prompts, making the detector more resilient to future attacks.
  • Figure 2: Prompt for generating adversarial style-conversion prompts. The text in blue represents the score trajectory, and the remaining text represents the problem description.
  • Figure 3: Prompt for style conversion. The "publisher name" part will be filled with the name of a representative publisher (e.g., newspaper or journal), and the "news article" part will contain the original news text.
  • Figure 4: Performance changes across rounds on the PolitiFact dataset for four different style-conversion attacks. The x-axis represents the training rounds, and the y-axis represents the detector's AUC. For all attacks, the detector's performance improved as the rounds progressed.
  • Figure 5: Performance of selection strategies over training rounds on PolitiFact. The x-axis represents the training rounds, while the y-axis represents the detector's AUC.
  • ...and 9 more figures
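
The top-$k$ prompt selection step from the Figure 1 caption, as an added example that is not the paper's released code. Assumptions: adversarialness is the detector's mean BCE loss on the style-converted subset, coherency is a precomputed score in [0, 1], and diversity is a greedy cosine-similarity penalty over prompt embeddings; every name and sample value is constructed.

```python
import math

def bce(probs, labels, eps=1e-7):
    """Mean binary cross-entropy of the detector's outputs (assumed confusion score)."""
    loss = 0.0
    for p, y in zip(probs, labels):
        p = min(max(p, eps), 1 - eps)
        loss -= y * math.log(p) + (1 - y) * math.log(1 - p)
    return loss / len(labels)

def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    return dot / (math.hypot(*a) * math.hypot(*b))

def select_top_k(candidates, labels, k, min_coherency=0.6, redundancy_weight=1.0):
    """Pick k prompts that confuse the detector, stay on-topic, and differ from each other."""
    # Coherency gate: discard prompts whose rewrites drift from the source article.
    pool = [c for c in candidates if c["coherency"] >= min_coherency]
    adv = {c["id"]: bce(c["probs"], labels) for c in pool}
    chosen = []
    while pool and len(chosen) < k:
        def gain(c):
            # Diversity: penalise similarity to any prompt already selected.
            overlap = max((cosine(c["emb"], s["emb"]) for s in chosen), default=0.0)
            return adv[c["id"]] - redundancy_weight * overlap
        best = max(pool, key=gain)
        chosen.append(best)
        pool.remove(best)
    return [c["id"] for c in chosen]

# Constructed sample data: detector P(fake) on a style-converted training subset.
LABELS = [1, 1, 0, 0]  # 1 = fake, 0 = real
CANDIDATES = [
    {"id": "wire-report", "probs": [0.30, 0.40, 0.20, 0.30],
     "coherency": 0.90, "emb": [1.0, 0.0, 0.1]},
    {"id": "agency-dispatch", "probs": [0.35, 0.40, 0.20, 0.30],
     "coherency": 0.88, "emb": [0.98, 0.05, 0.1]},
    {"id": "social-post", "probs": [0.45, 0.50, 0.30, 0.40],
     "coherency": 0.80, "emb": [0.0, 1.0, 0.2]},
    {"id": "free-verse", "probs": [0.10, 0.10, 0.60, 0.70],
     "coherency": 0.30, "emb": [0.2, 0.1, 1.0]},
]

if __name__ == "__main__":
    print(select_top_k(CANDIDATES, LABELS, k=2))
```

With the diversity penalty, the near-duplicate "agency-dispatch" prompt loses to "social-post" even though it confuses the detector more, and "free-verse" never enters the pool because its rewrites fail the coherency gate.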