Adversarial attacks are a serious threat to the reliable deployment of machine learning models in safety-critical applications. They can misguide current models into predicting incorrectly by slightly modifying the inputs. Recently, substantial work has shown that adversarial examples tend to deviate from the underlying data manifold of normal examples, whereas pre-trained masked language models can fit the manifold of normal NLP data. To explore how to use the masked language model in adversarial detection, we propose a novel textual adversarial example detection method, namely Masked Language Model-based Detection (MLMD), which can produce clearly distinguishable signals between normal examples and adversarial examples by exploring the changes in manifolds induced by the masked language model. MLMD features plug-and-play usage (i.e., no need to retrain the victim model) for adversarial defense, and it is agnostic to classification tasks, victim model architectures, and to-be-defended attack methods. We evaluate MLMD on various benchmark textual datasets, widely studied machine learning models, and state-of-the-art (SOTA) adversarial attacks (in total $3 \times 4 \times 4 = 48$ settings). Experimental results show that MLMD can achieve strong performance, with detection accuracy up to 0.984, 0.967, and 0.901 on the AG-NEWS, IMDB, and SST-2 datasets, respectively. Additionally, MLMD is superior, or at least comparable, to the SOTA detection defenses in detection accuracy and F1 score. Among many defenses based on the off-manifold assumption of adversarial examples, this work offers a new angle for capturing the manifold change. The code for this work is openly accessible at \url{https://github.com/mlmddetection/MLMDdetection}.
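The abstract describes the detection signal only at a high level: mask tokens, let a masked language model refill them, and watch how far the victim model's prediction moves. The following is an added illustration of that mask-refill-compare pipeline, not code from the paper or its repository. It assumes a constructed, deliberately brittle lexicon classifier as the victim, a tiny nearest-neighbour lookup over a constructed "normal" corpus as a stand-in for a pretrained MLM such as BERT, and label-flip rate plus score shift as the detection statistic; the paper's actual scoring function and thresholds may differ.

```python
"""Toy MLMD-style detector (added illustration, not the paper's code).

Pipeline: mask one token at a time, let a masked language model refill it,
re-run the victim classifier, and measure how much its prediction moves.
Text on the normal-data manifold barely moves; adversarial text that an
attacker pushed off-manifold tends to snap back, flipping the prediction.
"""

# Constructed corpus of "normal" sentences. In the real setting this role is
# played by a pretrained MLM such as BERT; here a nearest-neighbour lookup
# over these sentences stands in for it (assumption, toy only).
NORMAL_CORPUS = [
    "the great film was fun",
    "the great movie was fun",
    "a great film was fun",
    "the terrible film was boring",
    "the terrible movie was boring",
    "a boring film was terrible",
    "the film was great",
    "the movie was terrible",
]

# Constructed victim: a brittle lexicon classifier that also leans on the
# spurious feature "the" (assumption; any text classifier could be plugged in).
VICTIM_WEIGHTS = {"great": 1.0, "fun": 0.5, "terrible": -1.0, "boring": -0.5, "the": 0.6}


def victim_score(tokens):
    """Raw sentiment score; words outside the lexicon contribute nothing."""
    return sum(VICTIM_WEIGHTS.get(t, 0.0) for t in tokens)


def victim_label(tokens):
    """Hard label derived from the raw score."""
    return "pos" if victim_score(tokens) >= 0 else "neg"


def toy_mlm_fill(tokens, masked_pos, corpus=NORMAL_CORPUS):
    """Stand-in masked language model: return the token that the most similar
    corpus sentence (most positional matches outside the masked slot) has at
    masked_pos. Replace with a real MLM (e.g. BERT fill-mask) in practice."""
    best_word, best_matches = tokens[masked_pos], -1
    for sent in corpus:
        words = sent.split()
        if len(words) <= masked_pos:
            continue
        matches = sum(
            1 for j, t in enumerate(tokens)
            if j != masked_pos and j < len(words) and words[j] == t
        )
        if matches > best_matches:
            best_word, best_matches = words[masked_pos], matches
    return best_word


def mlmd_signal(tokens, mlm_fill=toy_mlm_fill):
    """Mask each position, refill it with the MLM, and compare the victim's
    output on the refilled text against its output on the original text."""
    base_label = victim_label(tokens)
    base_score = victim_score(tokens)
    flips, max_shift = 0, 0.0
    for i in range(len(tokens)):
        refilled = list(tokens)
        refilled[i] = mlm_fill(tokens, i)
        if victim_label(refilled) != base_label:
            flips += 1
        max_shift = max(max_shift, abs(victim_score(refilled) - base_score))
    return {"flip_rate": flips / len(tokens), "max_margin_shift": max_shift}


def is_adversarial(text, flip_threshold=0.0):
    """Flag text whose victim prediction changes under MLM refilling more often
    than the threshold allows (the threshold would be tuned on held-out data)."""
    return mlmd_signal(text.split())["flip_rate"] > flip_threshold


if __name__ == "__main__":
    normal = "the terrible film was boring"       # victim says neg (correct)
    adversarial = "the awful film was boring"     # "terrible" -> "awful" flips the victim to pos
    for text in (normal, adversarial):
        toks = text.split()
        print(text, victim_label(toks), mlmd_signal(toks), is_adversarial(text))
```

On the constructed adversarial sentence, refilling the substituted word from the normal corpus restores "terrible" and flips the victim back to the correct label, so the flip rate is non-zero, while the normal sentences refill to themselves and score zero. The detector never touches the victim's weights, which is what makes the approach plug-and-play: only the refill model and the decision threshold need to be supplied.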