Exploring Gradient-Guided Masked Language Model to Detect Textual Adversarial Attacks

Xiaomei Zhang, Zhaoxi Zhang, Yanjun Zhang, Xufei Zheng, Leo Yu Zhang, Shengshan Hu, Shirui Pan

TL;DR

This paper tackles the vulnerability of NLP systems to textual adversarial attacks by using masked language models to detect off-manifold inputs. It first introduces MLMD, which uses mask/unmask operations to induce manifold changes and distinguishes adversarial from normal texts, and then improves practicality with GradMLMD, which uses gradient signals to skip non-keywords and focus on crucial words. Through extensive experiments on AG-NEWS, IMDB, and SST-2 with PWWS, TextFooler, TextBugger, and DeepWordBug across CNN, LSTM, BERT, and ALBERT, MLMD and GradMLMD achieve superior or on-par detection relative to state-of-the-art detectors while reducing computational overhead, especially in GradMLMD (~30% of words processed). The results show that unmask operations are essential, gradient-guided keyword selection yields high overlap with oracle non-keyword sets, and fine-tuning masked language models on target domains offers additional performance gains. Overall, the work demonstrates a practical path to deploying MLM-based adversarial detectors that preserve normal-task performance while substantially increasing the cost for attackers to circumvent detection.

Abstract

Textual adversarial examples pose serious threats to the reliability of natural language processing systems. Recent studies suggest that adversarial examples tend to deviate from the underlying manifold of normal texts, whereas pre-trained masked language models can approximate the manifold of normal data. These findings inspire the exploration of masked language models for detecting textual adversarial attacks. We first introduce Masked Language Model-based Detection (MLMD), leveraging the mask and unmask operations of the masked language modeling (MLM) objective to induce the difference in manifold changes between normal and adversarial texts. Although MLMD achieves competitive detection performance, its exhaustive one-by-one masking strategy introduces significant computational overhead. Our posterior analysis reveals that a significant number of non-keywords in the input are not important for detection but consume resources. Building on this, we introduce Gradient-guided MLMD (GradMLMD), which leverages gradient information to identify and skip non-keywords during detection, significantly reducing resource consumption without compromising detection performance.
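The mask-and-unmask detection loop described above, as an added sketch that is not the paper's code. The keyword-vote victim classifier, the neighbour-count stand-in for a masked language model, the flip-fraction score and the 0.2 threshold are all assumptions made so the example runs offline; the `positions` argument only marks where GradMLMD would restrict the loop to gradient-selected keywords.

```python
from collections import Counter

# Constructed toy data: a tiny "normal" corpus standing in for the MLM's training text.
CORPUS = ["the team won the match", "the team lost the match",
          "the market fell as shares dropped", "the company reported a profit"]
SPORTS, BUSINESS = {"team", "match"}, {"market", "shares", "profit", "company"}

def victim_predict(words):
    """Toy victim classifier (assumption): keyword vote, 'business' on ties."""
    s = sum(w in SPORTS for w in words)
    b = sum(w in BUSINESS for w in words)
    return "sports" if s > b else "business"

# Toy stand-in for a masked language model: neighbour co-occurrence counts.
LEFT, RIGHT = Counter(), Counter()
for sent in CORPUS:
    toks = ["<s>"] + sent.split() + ["</s>"]
    for a, b, c in zip(toks, toks[1:], toks[2:]):
        LEFT[(a, b)] += 1    # b seen right after a
        RIGHT[(b, c)] += 1   # b seen right before c
VOCAB = sorted({w for s in CORPUS for w in s.split()})

def unmask(words, i):
    """Fill masked position i with the corpus word that best fits its neighbours."""
    prev = words[i - 1] if i > 0 else "<s>"
    nxt = words[i + 1] if i + 1 < len(words) else "</s>"
    return max(VOCAB, key=lambda w: (LEFT[(prev, w)] + RIGHT[(w, nxt)], w))

def mlmd_score(text, positions=None):
    """Fraction of mask/unmask variants whose victim label differs from the
    original prediction (an assumed score, not the paper's definition of S)."""
    words = text.split()
    original = victim_predict(words)
    positions = range(len(words)) if positions is None else positions
    flips = 0
    for i in positions:  # one-by-one masking; all positions corresponds to r = 1
        variant = words[:i] + [unmask(words, i)] + words[i + 1:]
        flips += victim_predict(variant) != original
    return flips / len(positions)

def is_adversarial(text, threshold=0.2):  # threshold is an assumed value
    return mlmd_score(text) > threshold

NORMAL = "the team won the match"
PERTURBED = "the teaam won the matcch"  # constructed character-level perturbation

if __name__ == "__main__":
    print(mlmd_score(NORMAL), mlmd_score(PERTURBED))
```

Passing `positions=[1, 4]` scores only the two perturbed words, which is the saving a keyword-only pass aims for; choosing those positions from gradient signals is not implemented here.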

Paper Structure

This paper contains 39 sections, 9 equations, 6 figures, 7 tables.

Figures (6)

  • Figure 1: An overview of Masked Language Model-based Detection (MLMD) and Gradient-guided MLMD (GradMLMD). They share the same detection process, exploiting the differences in manifold changes between normal and adversarial examples induced by masked language models to detect adversarial attacks. However, MLMD adopts a one-by-one masking strategy where every word in the input is masked individually, i.e., $r=1$. In contrast, GradMLMD employs gradient signals to assess the importance of each word. It exclusively operates on keywords (yellow) in subsequent operations (i.e., $r<1$), thereby significantly reducing resource overhead.
  • Figure 2: (a) The effect of the masking rate of the one-by-one masking strategy on detection performance. Results averaged over $5$ runs. (b) The distribution of distinguishable score $S$ for adversarial examples with different $\gamma$. This experiment is carried out with the AG-NEWS-TextFooler-BERT configuration. The y-axis represents the number of adversarial examples.
  • Figure 3: (a) The proportion of the input selected as non-keywords by the oracle method. (b) The overlap rate between the non-keywords identified by the oracle method and those identified by the gradient-guided method. The victim models for both experiments are fine-tuned BERT. We use SST and AG to represent SST-2 and AG-NEWS, respectively, and PW, TF, TB, and DWB stand for PWWS, TextFooler, TextBugger, and DeepWordBug, respectively.
  • Figure 4: The F1 score comparison between MLMD-O and MLMD across three datasets, four attack methods, and four victim models.
  • Figure 5: The histogram displays the distinguishable scores $S$ defined by Eq. (\ref{Eq:disScores}) calculated for normal examples and their corresponding adversarial counterparts generated by attacking BERT trained on AG-NEWS using four different attack methods. Adversarial examples exhibit substantial changes in manifold following the mask and unmask operations, resulting in significantly different predictions (of the victim model) from original inputs. In contrast, after the two detection operations, normal inputs are still projected back to the manifold of normal data, ensuring consistency in their prediction results with the original ones. Thus, their distinguishable scores $S$ tend to cluster tightly around $0.0$.
  • ...and 1 more figures