Transformer-based models, such as BERT and GPT, have been widely adopted in natural language processing (NLP) due to their exceptional performance. However, recent studies show their vulnerability to textual adversarial attacks where the model's output can be misled by intentionally manipulating the text inputs. Despite various methods that have been proposed to enhance the model's robustness and mitigate this vulnerability, many require heavy consumption resources (e.g., adversarial training) or only provide limited protection (e.g., defensive dropout). In this paper, we propose a novel method called dynamic attention, tailored for the transformer architecture, to enhance the inherent robustness of the model itself against various adversarial attacks. Our method requires no downstream task knowledge and does not incur additional costs. The proposed dynamic attention consists of two modules: (I) attention rectification, which masks or weakens the attention value of the chosen tokens, and (ii) dynamic modeling, which dynamically builds the set of candidate tokens. Extensive experiments demonstrate that dynamic attention significantly mitigates the impact of adversarial attacks, improving up to 33\% better performance than previous methods against widely-used adversarial attacks. The model-level design of dynamic attention enables it to be easily combined with other defense methods (e.g., adversarial training) to further enhance the model's robustness. Furthermore, we demonstrate that dynamic attention preserves the state-of-the-art robustness space of the original model compared to other dynamic modeling methods.

翻译：基于Transformer的模型（如BERT和GPT）因其卓越性能被广泛采用于自然语言处理领域。然而，近期研究表明这类模型易受文本对抗攻击影响——通过刻意操控文本输入即可误导模型输出。尽管已有多种方法被提出以增强模型鲁棒性、缓解这一脆弱性，但许多方法需要消耗大量资源（如对抗训练），或仅提供有限保护（如防御性丢弃）。本文针对Transformer架构提出一种名为动态注意力的新型方法，以增强模型本身对抗各类对抗攻击的本征鲁棒性。该方法无需下游任务知识且不增加额外成本。所提出的动态注意力包含两个模块：（Ⅰ）注意力修正——遮蔽或弱化选定Token的注意力值；（Ⅱ）动态建模——动态构建候选Token集合。大量实验表明，动态注意力能显著削弱对抗攻击的影响，相较于现有方法，针对主流对抗攻击的性能提升最高达33%。由于动态注意力采用模型级设计，可轻松与其他防御方法（如对抗训练）结合，以进一步增强模型鲁棒性。此外，我们证明相较于其他动态建模方法，动态注意力能保留原始模型的最优鲁棒性空间。