Don’t sweat the small stuff, classify the rest: Sample Shielding to protect text classifiers against adversarial attacks

Jonathan Rusert, Padmini Srinivasan


Abstract
Deep learning (DL) is being used extensively for text classification. However, researchers have demonstrated the vulnerability of such classifiers to adversarial attacks. Attackers modify the text in a way which misleads the classifier while keeping the original meaning close to intact. State-of-the-art (SOTA) attack algorithms follow the general principle of making minimal changes to the text so as to not jeopardize semantics. Taking advantage of this we propose a novel and intuitive defense strategy called Sample Shielding.It is attacker and classifier agnostic, does not require any reconfiguration of the classifier or external resources and is simple to implement. Essentially, we sample subsets of the input text, classify them and summarize these into a final decision. We shield three popular DL text classifiers with Sample Shielding, test their resilience against four SOTA attackers across three datasets in a realistic threat setting. Even when given the advantage of knowing about our shielding strategy the adversary’s attack success rate is <=10% with only one exception and often < 5%. Additionally, Sample Shielding maintains near original accuracy when applied to original texts. Crucially, we show that the ‘make minimal changes’ approach of SOTA attackers leads to critical vulnerabilities that can be defended against with an intuitive sampling strategy.
Anthology ID:
2022.naacl-main.195
Volume:
Proceedings of the 2022 Conference of the North American Chapter of the Association for Computational Linguistics: Human Language Technologies
Month:
July
Year:
2022
Address:
Seattle, United States
Venue:
NAACL
SIG:
Publisher:
Association for Computational Linguistics
Note:
Pages:
2716–2725
Language:
URL:
https://aclanthology.org/2022.naacl-main.195
DOI:
10.18653/v1/2022.naacl-main.195
Bibkey:
Cite (ACL):
Jonathan Rusert and Padmini Srinivasan. 2022. Don’t sweat the small stuff, classify the rest: Sample Shielding to protect text classifiers against adversarial attacks. In Proceedings of the 2022 Conference of the North American Chapter of the Association for Computational Linguistics: Human Language Technologies, pages 2716–2725, Seattle, United States. Association for Computational Linguistics.
Cite (Informal):
Don’t sweat the small stuff, classify the rest: Sample Shielding to protect text classifiers against adversarial attacks (Rusert & Srinivasan, NAACL 2022)
Copy Citation:
PDF:
https://aclanthology.org/2022.naacl-main.195.pdf
Software:
 2022.naacl-main.195.software.zip
Code
 jonrusert/sampleshielding