Even though large-scale language models have achieved excellent performance, they suffer from various adversarial attacks. A large body of defense methods has been proposed. However, these methods are still limited by redundant attack search spaces and by their inability to defend against various types of attacks. In this work, we present a novel fine-tuning approach called RObust SElective fine-tuning (ROSE) to address this issue. ROSE conducts selective updates when adapting pre-trained models to downstream tasks, filtering out valueless and unrobust parameter updates. Specifically, we propose two strategies for selecting target robust parameters: first-order and second-order ROSE. The experimental results show that ROSE achieves significant improvements in adversarial robustness on various downstream NLP tasks, and that the ensemble method even surpasses both variants above. Furthermore, ROSE can be easily incorporated into existing fine-tuning methods to further improve their adversarial robustness. The empirical analysis confirms that ROSE eliminates unrobust spurious updates during fine-tuning, leading to solutions corresponding to flatter and wider optima than the conventional method. Code is available at https://github.com/jiangllan/ROSE.