
Adversarial Defence without Adversarial Defence: Enhancing Language Model Robustness via Instance-level Principal Component Removal

Yang Wang, Chenghao Xiao, Yizhi Li, Stuart E. Middleton, Noura Al Moubayed, Chenghua Lin

TL;DR

PuRe addresses the vulnerability of PLMs to adversarial perturbations by introducing an instance-level purification process that removes the top principal component from final-layer embeddings, pushing the representation space toward isotropy. The method, implemented as a light, plug-in module using randomised SVD for efficiency, does not rely on adversarial examples or training-time augmentation. Across eight NLP datasets, PuRe achieves improved adversarial robustness while maintaining competitive before-attack accuracy, revealing a favorable trade-off between robustness and generalisation. This approach offers a practical, model-agnostic defense mechanism with low computational overhead and broad applicability to discriminative NLP tasks, setting the stage for adaptive PCR strategies and extensions to generation tasks.

Abstract

Pre-trained language models (PLMs) have driven substantial progress in natural language processing but remain vulnerable to adversarial attacks, raising concerns about their robustness in real-world applications. Previous studies have sought to mitigate the impact of adversarial attacks by introducing adversarial perturbations into the training process, either implicitly or explicitly. While both strategies enhance robustness, they often incur high computational costs. In this work, we propose a simple yet effective add-on module that enhances the adversarial robustness of PLMs by removing instance-level principal components, without relying on conventional adversarial defences or perturbing the original training data. Our approach transforms the embedding space to approximate Gaussian properties, thereby reducing its susceptibility to adversarial perturbations while preserving semantic relationships. This transformation aligns embedding distributions in a way that minimises the impact of adversarial noise on decision boundaries, enhancing robustness without requiring adversarial examples or costly training-time augmentation. Evaluations on eight benchmark datasets show that our approach improves adversarial robustness while maintaining comparable before-attack accuracy to baselines, achieving a balanced trade-off between robustness and generalisation.

Paper Structure

This paper contains 39 sections, 12 equations, 4 figures, 12 tables.

Figures (4)

  • Figure 1: The development trajectory of the module design of PuRe. Each line is based on a modification of the immediately preceding line, tested on the SST2 test set.
  • Figure 2: Apdr comparison of the AdvAug training using BERT-base model on the SST2 test set. While AdvAug improves robustness, PuRe achieves a higher Apdr without incurring the computational overhead of generating and incorporating adversarial examples.
  • Figure 3: Comparison of before-attack (bar plots) and after-attack (line plots) accuracy on the SST2 test set across various model architectures for both the standard fine-tune baseline and our proposed PuRe approach. The left y-axis shows the models' performance before adversarial attacks, while the right y-axis shows their performance after attacks. PuRe consistently achieves higher after-attack accuracy while maintaining competitive before-attack performance, demonstrating its enhanced adversarial robustness.
  • Figure 4: Each token (not each sentence) is projected onto a 2D subspace using UMAP (McInnes et al., 2018). The baselines exhibit anisotropic distributions: stopword tokens (green) cluster near dominant singular vector directions (yellow), consistent with findings that high-frequency tokens tend to align with top principal components (Arora et al., 2017). This alignment creates predictable directions that adversaries can exploit. In contrast, PuRe disperses both stopwords and dominant components, resulting in a more isotropic distribution that substantially reduces concentrated adversarial attack surfaces.