SMAAT: Scalable Manifold-Aware Adversarial Training for Large Language Models

Download PDF

Enes Altinisik, Safa Messaoud, Husrev Taha Sencar, Hassan Sajjad, Sanjay Chawla

21 Sept 2023 (modified: 11 Feb 2024)Submitted to ICLR 2024EveryoneRevisionsBibTeX
Primary Area: general machine learning (i.e., none of the above)
Code Of Ethics: I acknowledge that I and all co-authors of this work have read and commit to adhering to the ICLR Code of Ethics.
Keywords: adversarial training, robustness, sentiment analysis, large language models
Submission Guidelines: I certify that this submission complies with the submission instructions as described on https://iclr.cc/Conferences/2024/AuthorGuide.
Abstract: Adversarial Training (AT), the method of finetuning a deep learning model with adversarially generated examples, is the most reliable form of making a model robust against future adversarial perturbations. However, AT is substantially expensive than standard training as it requires several full forward and backward passes to compute adversarial examples. In this paper, we introduce SMAAT, an efficient AT method that uses only adversarial examples generated in the last layer to finetune encoder-based large language models. The basis of our approach are the following three observations (i) the intrinsic dimensionality of the embedding space spanned by different layers of a deep model is substantially lower than the explicit dimensionality of the token embeddings; (ii) Encoder-based language models exhibit a monotonic behavior in their intrinsic dimensionality, i.e., deeper layers (closer to the output) have much lower intrinsic dimensionality than the shallow layers (closer to the input); (iii) off-manifold examples tend to persist across layers, i.e., an image of an off-manifold example generated in a shallow layer continues to remain off-manifold with respect to the embedding space of the later layers. We empirically demonstrate the effectiveness of SMAAT and show that it increases robustness by 8.6%, 15.7%, and 28.8% for BERT and 6.0%, 5.8%, and 19.0% for RoBERTa over the previous state-of-the-art results on AGNEWS, IMDB, and YELP, respectively. These improvements are achieved while maintaining comparable generalization and reducing the computational cost to approximately 1/3 to 1/4 of the GPU times required by the Projected Gradient Descent algorithm.
Anonymous Url: I certify that there is no URL (e.g., github page) that could be used to find authors' identity.
No Acknowledgement Section: I certify that there is no acknowledgement section in this submission for double blind review.
Submission Number: 3462