BERT-Defense: A Probabilistic Model Based on BERT to Combat Cognitively Inspired Orthographic Adversarial Attacks

Keller, Yannik; Mackensen, Jan; Eger, Steffen

doi:10.18653/v1/2021.findings-acl.141

Cited by 17 publications

(10 citation statements)

References 23 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We find that all metrics capture these linguistic aspects to certain (but differing) degrees, and they are particularly sensitive to lexical overlap, which makes them prone to similar adversarial fooling (cf. Li et al, 2020;Keller et al, 2021) as BLEU-based lexical overlap metrics. Overall, our contributions are:…”

Section: Introductionmentioning

confidence: 99%

Global Explainability of BERT-Based Evaluation Metrics by Disentangling along Linguistic Factors

Kaster

Zhao

Eger

2021

Proceedings of the 2021 Conference on Empirical Methods in Natural Language Processing

Self Cite

View full text Add to dashboard Cite

Evaluation metrics are a key ingredient for progress of text generation systems. In recent years, several BERT-based evaluation metrics have been proposed (including BERTScore, MoverScore, BLEURT, etc.) which correlate much better with human assessment of text generation quality than BLEU or ROUGE, invented two decades ago. However, little is known what these metrics, which are based on black-box language model representations, actually capture (it is typically assumed they model semantic similarity). In this work, we use a simple regression based global explainability technique to disentangle metric scores along linguistic factors, including semantics, syntax, morphology, and lexical overlap. We show that the different metrics capture all aspects to some degree, but that they are all substantially sensitive to lexical overlap, just like BLEU and ROUGE. This exposes limitations of these novelly proposed metrics, which we also highlight in an adversarial test scenario.

show abstract

Section: Introductionmentioning

confidence: 99%

Global Explainability of BERT-Based Evaluation Metrics by Disentangling along Linguistic Factors

Kaster

Zhao

Eger

2021

Proceedings of the 2021 Conference on Empirical Methods in Natural Language Processing

Self Cite

View full text Add to dashboard Cite

show abstract

“…The NLP community has differentiated between sentence-, word-and character-level attacks (Zeng et al 2021). Sentenceand word-level attacks often have the goal to produce examples that are similar in terms of meaning (Alzantot et al 2018;Li et al 2020), while character-level attacks mimick various forms of typographical errors (including visual and phonetic modifications) (Ebrahimi et al 2018;Pruthi, Dhingra, and Lipton 2019;Eger et al 2019;Eger and Benz 2020;Keller, Mackensen, and Eger 2021).…”

Section: New Explainability Approaches For Mt Evaluationmentioning

confidence: 99%

Towards Explainable Evaluation Metrics for Natural Language Generation

Leiter¹,

Lertvittayakumjorn²,

Fomicheva³

et al. 2022

Preprint

Self Cite

View full text Add to dashboard Cite

Unlike classical lexical overlap metrics such as BLEU, most current evaluation metrics (such as BERTScore or MoverScore) are based on black-box language models such as BERT or XLM-R. They often achieve strong correlations with human judgments, but recent research indicates that the lower-quality classical metrics remain dominant, one of the potential reasons being that their decision processes are transparent. To foster more widespread acceptance of the novel high-quality metrics, explainability thus becomes crucial. In this concept paper, we identify key properties and propose key goals of explainable machine translation evaluation metrics. We also provide a synthesizing overview over recent approaches for explainable machine translation metrics and discuss how they relate to those goals and properties. Further, we conduct own novel experiments, which (among others) find that current adversarial NLP techniques are unsuitable for automatically identifying limitations of high-quality black-box evaluation metrics, as they are not meaning-preserving. Finally, we provide a vision of future approaches to explainable evaluation metrics and their evaluation. We hope that our work can help catalyze and guide future research on explainable evaluation metrics and, mediately, also contribute to better and more transparent text generation systems.

show abstract

“…Other defenses. Several other shielding methods exist (Keller et al, 2021;Eger et al, 2019;Zhu et al, 2021). For example, Rodriguez and Galeano (2018) defend Perspective (Google's toxicity classification model) by neutralizing adversarial inputs via a negated predicates list.…”

Section: Related Workmentioning

confidence: 99%

Don't sweat the small stuff, classify the rest: Sample Shielding to protect text classifiers against adversarial attacks

Rusert¹,

Srinivasan²

2022

Preprint

View full text Add to dashboard Cite

Deep learning (DL) is being used extensively for text classification. However, researchers have demonstrated the vulnerability of such classifiers to adversarial attacks. Attackers modify the text in a way which misleads the classifier while keeping the original meaning close to intact. State-of-the-art (SOTA) attack algorithms follow the general principle of making minimal changes to the text so as to not jeopardize semantics. Taking advantage of this we propose a novel and intuitive defense strategy called Sample Shielding. It is attacker and classifier agnostic, does not require any reconfiguration of the classifier or external resources and is simple to implement. Essentially, we sample subsets of the input text, classify them and summarize these into a final decision. We shield three popular DL text classifiers with Sample Shielding, test their resilience against four SOTA attackers across three datasets in a realistic threat setting. Even when given the advantage of knowing about our shielding strategy the adversary's attack success rate is <= 10% with only one exception and often < 5%. Additionally, Sample Shielding maintains near original accuracy when applied to original texts. Crucially, we show that the 'make minimal changes' approach of SOTA attackers leads to critical vulnerabilities that can be defended against with an intuitive sampling strategy. 1

show abstract

BERT-Defense: A Probabilistic Model Based on BERT to Combat Cognitively Inspired Orthographic Adversarial Attacks

Cited by 17 publications

References 23 publications

Global Explainability of BERT-Based Evaluation Metrics by Disentangling along Linguistic Factors

Global Explainability of BERT-Based Evaluation Metrics by Disentangling along Linguistic Factors

Towards Explainable Evaluation Metrics for Natural Language Generation

Don't sweat the small stuff, classify the rest: Sample Shielding to protect text classifiers against adversarial attacks

Contact Info

Product

Resources

About