SEPP: Similarity Estimation of Predicted Probabilities for Defending and Detecting Adversarial Text

  • 2021-10-13 02:17:45
  • Hoang-Quoc Nguyen-Son, Seira Hidano, Kazuhide Fukushima, Shinsaku Kiyomoto

Abstract

There are two cases describing how a classifier processes input text, namely, misclassification and correct classification. In terms of misclassified texts, a classifier handles the texts with both incorrect predictions and adversarial texts, which are generated to fool the classifier, which is called a victim. Both types are misunderstood by the victim, but they can still be recognized by other classifiers. This induces large gaps in predicted probabilities between the victim and the other classifiers. In contrast, text correctly classified by the victim is often successfully predicted by the others and induces small gaps. In this paper, we propose an ensemble model based on similarity estimation of predicted probabilities (SEPP) to exploit the large gaps in the misclassified predictions in contrast to small gaps in the correct classification. SEPP then corrects the incorrect predictions of the misclassified texts. We demonstrate the resilience of SEPP in defending and detecting adversarial texts through different types of victim classifiers, classification tasks, and adversarial attacks.
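
A simplified sketch of the probability-gap idea from the abstract, added here as an illustration and not taken from the paper or the authors' code. The L1 distance, the fixed threshold, averaging the other classifiers, the function names and all probability values are assumptions; SEPP itself is described as an ensemble model based on similarity estimation rather than a fixed cut-off.

```python
# Simplified illustration of the probability-gap idea; not the SEPP model itself.
# Assumptions: L1 distance as the gap measure, a fixed threshold, and the mean of
# the other classifiers as the reference. All probability vectors are constructed.

def l1_gap(p, q):
    """Sum of absolute differences between two probability vectors."""
    return sum(abs(a - b) for a, b in zip(p, q))

def mean_probs(vectors):
    """Element-wise mean of several probability vectors."""
    n = len(vectors)
    return [sum(col) / n for col in zip(*vectors)]

def argmax(p):
    """Index of the largest probability."""
    return max(range(len(p)), key=p.__getitem__)

def check_prediction(victim, others, threshold=0.6):
    """Compare the victim's probabilities with those of the other classifiers.

    Returns (flagged, label, gap). When the gap exceeds the threshold the
    input is flagged as likely misclassified and the label falls back to
    the other classifiers' consensus; otherwise the victim's label stands.
    """
    consensus = mean_probs(others)
    gap = l1_gap(victim, consensus)
    flagged = gap > threshold
    label = argmax(consensus) if flagged else argmax(victim)
    return flagged, label, gap

# Constructed binary-classification outputs: [P(negative), P(positive)].
SAMPLES = {
    "clean": {"victim": [0.08, 0.92],
              "others": [[0.12, 0.88], [0.05, 0.95], [0.20, 0.80]]},
    "adversarial": {"victim": [0.81, 0.19],
                    "others": [[0.15, 0.85], [0.30, 0.70], [0.22, 0.78]]},
}

def run_samples():
    """Run the check over every constructed sample."""
    return {name: check_prediction(s["victim"], s["others"])
            for name, s in SAMPLES.items()}

if __name__ == "__main__":
    for name, (flagged, label, gap) in run_samples().items():
        print(f"{name:12s} flagged={flagged} label={label} gap={gap:.3f}")
```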

 
