Abstract

Neural networks are part of many contemporary NLP systems, yet their empirical success comes at the price of vulnerability to adversarial attacks, e.g. by synonym replacements or adversarial text deletion. While much previous work uses adversarial training or data augmentation to partially mitigate such brittleness, these methods are unlikely to actually find worst-case inputs due to the complexity of the search space arising from discrete text perturbations. In this talk, I will introduce an approach that tackles the problem of adversarial robustness from the opposite direction: we formally verify a system’s robustness against pre-defined classes of adversarial attacks. To this end we adopt Interval Bound Propagation and bound the consequences which input changes can have on model predictions, thus establishing bounds on worst-case adversarial attacks. We furthermore modify the conventional log-likelihood training objective to train models which can be efficiently verified in constant time—this would otherwise come with exponential search complexity. The resulting models have much improved verified accuracy, and come with an efficiently computable formal guarantee on worst case adversarial attacks.