robust naive bayes
TRANSCRIPT
Robust Naive Bayes
Aditya Mishra
Electrical Engineering and Computer SciencesUniversity of California, Berkeley
Technical Report No. UCB/EECS-2021-66
http://www2.eecs.berkeley.edu/Pubs/TechRpts/2021/EECS-2021-66.html
May 13, 2021
Copyright © 2021, by the author(s).All rights reserved.
Permission to make digital or hard copies of all or part of this work forpersonal or classroom use is granted without fee provided that copies arenot made or distributed for profit or commercial advantage and that copiesbear this notice and the full citation on the first page. To copy otherwise, torepublish, to post on servers or to redistribute to lists, requires prior specificpermission.
Acknowledgement
First, I would like to thank my advisor Laurent El Ghaoui for supervising thisproject and Professor Somayeh Sojoudi for serving as a second reader.Next, I would like to thank Anand Siththaranjan and Armin Askari for beingwonderful collaborators on this project. Finally, I would like to thank myfamily for their support throughout my years at Berkeley.
Robust Naïve Bayes
by Aditya Mishra
Research Project
Submitted to the Department of Electrical Engineering and Computer Sciences, University of California at Berkeley, in partial satisfaction of the requirements for the degree of Master of Science, Plan II. Approval for the Report and Comprehensive Examination:
Committee:
Professor Laurent El Ghaoui Research Advisor
(Date)
* * * * * * *
Professor Somayeh Sojoudi Second Reader
(Date)
4/20/2021
5/03/2021
Robust Naive Bayes
Aditya Mishra ∗
Abstract
Robustness of deep learning methods remainsan open issue in a variety of NLP tasks due tothe inherent complexity of neural networks. Inthis paper, we focus on a simple, yet effectivemodel for large-scale text classification: Multi-nomial Naive Bayes (MNB). In this work, wederive the robust counterpart to MNB, RobustNaive Bayes (RNB), in different adversarialsettings that are relevant to text. We comparethe robustness of our model against SVM, lo-gistic regression and neural networks in a vari-ety of settings. Our results show that RNB iscomparable to other models under random per-turbations but vastly outperforms them againsttargeted attacks. We describe an algorithm fortraining our model which is orders of magni-tude faster than the training time of more com-plex models.
1 Introduction
Deep neural networks and transformer models arethe current state-of-the-art for text classificationproblems. However, a key concern surroundingthese models is the potential lack of robustnessin the presence of noise and ill-intentioned ad-versaries affecting the data. For instance, Iyyeret al. (2018) show that syntactic transformationscan drastically reduce the accuracy of bidirectionalLSTMs, while Jin et al. (2020) are able to generatesemantically and syntactically similar examples totraining data that drastically reduce the test perfor-mance of BERT.
Since robustness is difficult to analyze for highlycomplex models, we turn our attention to a muchsimpler model: the Multinomial Naive Bayes(MNB) classifier, a model that has persisted in textclassification for its ease of implementation. Wepose the following question: Can a robustly trained
∗Please see Section D of the appendix for acknowledge-ment of collaborators and their contributions.
MNB model outperform complex models when sub-ject to random or adversarial attacks? For oneinstance of a structured adversary, we give an affir-mative answer. In this paper:
• We formulate a Robust Naive Bayes problemthat accounts for the worst-case noise under atypo-based uncertainty model.
• We present a fast algorithm that scales linearly(up to logarithmic factors) with the dimension-ality of the data points.
• We show that our Robust Naive Bayes clas-sifier not only trains faster, but significantlyoutperforms other models when the data issubject to adversarial perturbations.
1.1 Related WorksRobust classification is a well-studied topic for tra-ditional machine learning models such as supportvector machines, logistic regression and decisiontrees (Bertsimas et al., 2019), in which a min maxformulation is used (Ben-Tal et al., 2009). Thesetechniques offer the opportunity to consider un-certainty under worst-case and/or probabilistic as-sumptions, and improve the robustness of algo-rithms against real-world data perturbations. In ourwork we employ the robust optimization methodol-ogy to MNB with an uncertainty set that is actuallymeaningful in a text classification settings (as op-posed to `p-norm ball uncertainties).
A comprehensive study of robust deep learningfor problems in natural language processing is ex-plored in (Wang et al., 2019). This work providesa characterization of different adversarial exam-ples and the constraints they obey. They note avariety of techniques including those based on fast-gradient sign-method (FGSM), optimization-basedand importance-score based approaches. Attacktypes are also varied, including character-, word-
and sentence-level attacks that undergo a mixtureof inserting, flipping, swapping (for character-levelattacks), replacing (for word-level attacks) and re-moving features. In our work, we explore word-level attacks for frequency-based encodings of sen-tences (that is, count vectors) by considering typo-based uncertainties (i.e. perturbations that insert,replace or remove words from the original sen-tence).
A complete survey on Naive Bayes and its ex-tensions can be found in (Jiang et al., 2007). Ofparticular interest are works that try to make NaiveBayes models more robust. There have been var-ious works making naive Bayes classifiers robustto different types of noise. (Ramoni and Sabastini,2001) formulated a naive Bayes model that takesinto account missing entries, both in the form ofdata points not having a label, and labels not hav-ing a corresponding data point. In our work, wespecifically consider a noise model where wordsare added or removed from sentences.
2 Background on Naive Bayes
2.1 Notation
We are given a non-negative data-matrix of countvectors X = [x(1), . . . , x(n)]> ∈ Nn×d, and a vec-tor y ∈ {−1, 1}n that encodes the class informa-tion for the n data points of dimension d. Further-more, let C± denote the positive and negative classrespectively. Unless otherwise specified, functionaloperations (such as max(x, y)) on vectors are per-formed element-wise. We also define
I± := {i|y(i) = ±1}, f± :=∑i∈I±
x(i)
Finally, P = {θ | θ ∈ [0, 1]d, 1>θ = 1} denotesthe d-dimensional simplex. Throughout the paper,we will use terms count vectors and sentences in-terchageably.
2.2 Naive Bayes
Here, we wish to predict the class labelof a test point x ∈ Nd via y(x) =arg maxε∈{+.−} P (Cε|x). To calculate the poste-rior probability, we use Bayes’ Rule and the “naive”assumption that features are conditionally indepen-dent, leading to the prediction rule
y(x) = arg maxε∈{+,−}
logP (Cε) +
m∑j=1
logP (xj |Cε)
The above equation requires an explicit model forP (xj |Cε). Throughout this paper, we use the multi-nomial distribution and determine the optimal pa-rameters of the distribution via maximum likeli-hood estimation.
2.3 Multinomial Naive Bayes
With integer-valued features, we parameterize theconditional distribution P (xj |Cε) with two non-negative d-dimensional vectors θ± ∈ P . The prob-ability distribution P (x(i)|C±) is
P (x|C±) =(∑d
j=1 xj)!
Πdj=1xj !
d∏j=1
(θ±j )xj
and the maximum likelihood estimator θ±∗ is
θ±∗ = arg maxθ±∈P
(f±)>logθ± (1)
The solution to (1) is θ±∗ = f±
1>f±, and we get the
following classification rule:
y(x) = sign
(log
P (C+)
P (C−)+
(log
θ+∗θ−∗
)>x
)
We refer the reader to Askari et al. (2020) forfurther details on the derivation of the model.
3 Robust Classification
Here we outline our main contribution; the robustmultinomial naive bayes (RNB) model under dif-ferent types of noise. We also show how to trainother classifiers under the same uncertainty sets.
3.1 Constructing Robust classifiers
In the problem of robust classification, we seek tofind a classifier that operates well under a certaindistribution shift. In order to learn a robust classi-fier, we solve the following optimization problem:
θ∗ = arg maxθ
minU∈U(X)
L(U, y)
where L : Rn×d × Rn → R is a loss func-tion that takes in a data matrix U and labels y;U : Rn×d → Rn×d returns a set of noisy perturba-tion around our nominal data matrix X , accordingto our uncertainty set; and θ are the parameters ofour classifier. This traditional approach to robustclassification utilises the inner problem to considerthe worst-case uncertainty in our data to learn a
classifier that is resistant to these adversarial set-tings. Traditionally, the robust training problem isa min max problem but since our original problemis a maximization problem it is instead a max min.
We assume that the uncertainty affects each datapoint independently. This leads to uncertainty setsof the form
U(X) ={
[u1, . . . , un] ∈ Rn×d : ui ∈ V(xi)}
where a set V(x) ⊆ Rd models the uncertainty ona generic data point x ∈ Rd. We study on two dif-ferent types of uncertainty sets; a shift uncertaintyfor a real-valued vector x ∈ Rd
Vshift(x) = {δ : δ + x ∈ Nd, δ ∈ [−γ, γ]d ∩ Zd},(γ-shift)
and a typo uncertainty for an integer valued countvector x ∈ Nd
Vtypo(x) = {δ : δ + x ∈ Nd, ‖δ‖1≤ κ}(κ-typo)
Vtypo(x) models the fact that count vectors can bealtered by adding or subtracting at most κ countsto x. In Section 4, we parameterize κ = t‖x‖1where t ≥ 0 denotes the proportion of typos as apercentage and ‖x‖1 denotes the number of wordsin the sentence x.
In the remainder of this section, we considerthe following robust optimization problem undervarious uncertainty sets D±:
maxθ±∈P
minδ±∈D±
∑ε∈{+,−}
(fε + δε)>(log θε)
where D± denotes either the shift or typo uncer-tainty for the positive and negative class accord-ingly. Also note that the optimization problem isseparable in terms of the pairs of variables (θ+, δ+)and (θ−, δ−), so we focus on efficiently solving theoptimization problem:
maxθ∈P
minδ∈D
(f + δ)>(log θ) (2)
We first show an interesting connection between the(γ-shift) uncertainty set and laplace smoothing forMNB. The rest of the section is then focused on the(κ-typo) uncertainty set since this is the uncertaintyset we consider for our experiments in Section 4.
RNB with shift uncertainty. Under the shift un-certainty set (γ-shift), we can derive the represen-tative RNB model.
Lemma 3.1. The robust counterpart of MNB un-der the uncertainty set (γ-shift) can be cast as thefollowing optimization problem:
maxθ±∈P
∑ε∈{+,−}
(fε + |Cε|γ1)>(log θε)
which has closed form solution
θ±∗ =f± + |C±|γ1∑mi=1 f±,i + |C±|γ
where |C+| and |C−| are the number of data pointsfor the positive and negative classes respectively.
Proof. See section C.6 of the Appendix.
If we consider |C+|= |C−| and γ = γ′
|C+| , thenthe solution is of the same form as that whenLaplace smoothing with parameter γ′ is used in theMultinomial Naive Bayes solution. Alternatively,we could also considered two different parameterγ± = γ′
|C±| for each class to find this solution. Thisshowcases the observed relationship between reg-ularization and robustness explored in regressionmethods when a prior is enforced (Bertsimas andCopenhaver, 2017). In fact, Laplace smoothing isequivalent to enforcing a Dirichlet prior on θ (seeSection C.7 of the Appendix).
RNB with typo uncertainty set Under the typouncertainty (κ-typo), we can derive the representa-tive RNB model.
Lemma 3.2. The robust counterpart of MNB (2)under the uncertainty set (κ-typo) can be solvedvia the scalar convex optimization problem
maxv>0
d∑i=1
(fi log max(fi, v)−max(fi, v))
− κ log v (3)
The optimal estimate θ∗ can be recovered via
θ∗,i =max{fi, v∗}κ+ 1>f
and the optimal adversary is given by
δ∗,i =
{κ if i = arg minj θj
0 o.w
Proof. See Section C.1 of the Appendix.
Algorithm 1 solves Eq 3 with complexityO(nd+d log d). The key idea is to split the domain of thescalar variable v into n+ 1 intervals based off ofthe fi’s and then find a closed form maximizer vkfor each interval (see Section C.2 of the Appendix).
Algorithm 1: Solution to (3)
Input: A sorted vector f ∈ Rd; κ ∈ R≥0
Output: A scalar v∗ ∈ R>0 minimizingEquation 3
Define ρk = κ+∑n
i=k+1 fi, andhk =
∑ki=1 fi log fi − fi;
Initialize ρ0 = κ+ 1>f , v0 = max(f1,ρ0n ),
and h0 = 0;Set v∗ = v0;for i = 1 . . . n do
Set ρk = ρk−1 − fk,hk = hk−1 + fk log fk − fk;
Set vk = min(fk,max(fk+1,ρkn−k ))
and Fk = hk + ρk log vk − (n− k)vk;If F (vk) > F (v∗), set v∗ = vk;
endreturn v∗;
3.2 Robust Logistic Regression and SupportVector Machine
In the cases of using `2-regularized logistic regres-sion (LR) and soft-margin `2-regularized supportvector machine (SVM) classifiers, we can considerthe following problems:
minβ,β0
maxδi∈∆i
n∑i=1
log(1 + e−yi(β>(xi+δi)+β0)) (4)
+ λ(‖β‖22+β20)
minw
maxδi∈∆i
1
n
n∑i=1
max{0, zi}+ λ‖w‖22 (5)
s.t. zi = 1− yi((xi + δi)>w − b)
where the uncertainty set is defined by
δi ∈ ∆i = {δi : xi + δi ≥ 0, , ‖δi‖1≤ κi} (6)
We consider both problems jointly due to the simi-lar nature by which the inner maximization prob-lem is solved. Additionally, we only consider thethe uncertainty set (κ-typo) since it is more inter-pretable for the experiments in Section 4.
Lemma 3.3. The robust counterpart under the un-certainty set (κ-typo) for `2-regularized logisticregression can be cast as
minβ,β0,λi≥0
n∑i=1
log(1 + exp(−yi(β>xi + β0)
+ κi‖yiβ − λi‖∞+λ>i xi)
+ λ(‖β‖22+β20).
For soft-margin `2-regularized SVM the robustproblem reads
minw,zi≥0,λi≥0
1
n
n∑i=1
zi + λ‖w‖22
s.t. zi ≥ 1− yi(x>i w − b)+κi‖yiw − λi‖∞+λ>i xi
both of which are convex. The optimal adversaryδ∗i for both models is found using Algorithm 2.
Proof. See Sections C.3, C.4 of the Appendix.
We present a greedy method of solving for theoptimal adversary in in the inner optimization of(4) and (5) in Algorithm 2 (see Section C.5 of theAppendix), which has a runtime ofO(d log d). Thesame algorithm is able to solve for both adversariesdue to the linear structure of the inner maximiza-tion. Though the robust counterpart presented inLemma 3.3 are both convex programs, they are dif-ficult to solve efficiently at scale. We consider thisbeyond the scope of this work.
4 Experiments
We now study the robustness and training times ofdifferent classifiers with the (κ-typo) uncertaintyset. We show that subject to targeted attacks, ourRNB classifier outperforms other common NLPclassfication techniques, while having comparableperformance against random perturbations.
4.1 Experimental Set Up
The models we consider are RNB, RNB wherethe noise parameter κ is misspecified by 20%(RNB±20), the classical MNB, `2-regularized sup-port vector machine (SVM), `2-regularized logisticregression (LR), a multi-layer perceptron (MLP)with 3 layers, and a pretrained BERTCASE model(Devlin et al., 2019). We consider five differentdatasets: Amazon (Ni et al., 2019), SST2 (Socheret al., 2013), MPQA (Deng and Wiebe, 2015), MR
Dataset Vocabulary Size ntrain ntest Avg Document LengthAmazon (Ni et al., 2019) 34816 7997 2000 35.8SST2 (Socher et al., 2013) 16893 63723 15931 4.8MPQA (Deng and Wiebe, 2015) 5952 5299 1325 1.8MR (Pang and Lee, 2005) 19587 8529 2133 17.9Spam (Almeida et al., 2011) 6958 4456 1115 7.9
Table 1: Details of dataset used, containing the size of the vocabulary (ie. number of unique words), the size ofthe training set (ntrain), the size of test set (ntest) and the average document length after pre-processing across bothtrain and test set (to 1 decimal places).
(Pang and Lee, 2005) and Spam (Almeida et al.,2011). We preprocess each dataset and transformthe data into count vectors (see Appendix A). Onlybasic preprocessing was done and as a result thepost processed data contains typos and mispellings.The size of the datasets can be found in Table 1.
4.2 Comparing Robust ClassifiersWe evaluate the robustness of the different mod-els subject to (κ-typo) uncertainty. We do this byperturbing the datasets randomly, training our mod-els on this perturbed data and then evaluating theperformance at test time either on randomly or ad-versarially perturbed data. A random perturbationmeans for each data point, we choose an index atrandom, randomly decide if we are going to addor subtract a count from it, and repeat this pro-cess until the total number of changes made is κ.For each data point, the total number of words weadd/remove is proportional to the length of the sen-tence (e.g. if the length of a sentence is 100 words,a proportion of 0% means we do not alter the sen-tence while 50% indicates we add/remove up to50 words). An optimal perturbation means givena model and proportion, we find the best perturba-tion of the data point by solving an optimizationproblem (see Section 3). Since computing the opti-mal adversary is not possible in general for neuralnetworks, we compute a pseudo-adversary by sam-pling ten random perturbations and taking the onethat maximizes the loss at test time.
In order to make the comparison between RNBand the other models fair, we use `2-regularizedSVM and LR models (since regularized modelsreduce over fitting and are known to exhibit robust-ness properties) and we use data augmentation fortraining the neural network models. Specifically,for MLP and BERT, we take our training set, per-turb it randomly two times as explained above, andthen use that augmented dataset in order to trainour neural networks.
In Figures 1 and 2, we plot the performance ofthe models as we increase the strength of our per-turbations at training and test time. For all modelsand proportions, we randomly perturb the trainingset 10 times and we perform 3-fold cross validationeach time for tuning hyperparameters. We only ran-domly perturb the training set three and two timesfor MLP and pretrained BERTCASE respectively,and use fixed hyperparameters (see Section B formore details).
Figure 1 shows that under an optimal adversary,RNB significantly outperforms other models forhigh noise levels. In particular, the accuracy of allthe other models steeply drops down for sufficientlyhigh proportions of typos while RNB declines grad-ually. Figure 2 shows that RNB gives comparableperformance to other models (in particular the 3-layer MLP and pretrained BERT models) whensubject to a random adversary. We emphasize thatthe important takeaway from Figures 1 and 2 isnot the accuracy values themselves but rather thetrends of the different models. In particular, theMLP and BERT models could have been trained toattain higher overall accuracy, but our main focusis the degradation in accuracy as the proportionof typos increases. Even when the noise parame-ter is mispecified by 20%, RNB still significantlyoutperforms the other models.
The high variance of the MNB models in Fig-ure 1 can be attributed to the interplay of twofactors; the MNB model itself and the sparsitylevel/dimensionality of the datasets. As per Lemma3.2, the optimal adversary for the MNB model putsall its weight on the minimum entry of a discreteprobability distribution. From (1), we see that θ±∗ isdirectly proportional to f . For an extremely sparsedataset, where some words may only appear once,it is possible that the index corresponding to theminimum entry of θ±∗ is not unique. As a result,when constructing our adversary we simply choose
0 100 2000.0
0.2
0.4
0.6
0.8
1.0Spam
0 100 2000.0
0.2
0.4
0.6
0.8
1.0MPQA
0 100 2000.0
0.2
0.4
0.6
0.8
1.0Amazon
MNB
RNB
RNB+20
RNB-20
SVM
LR
MLP
BERT
0 100 2000.0
0.2
0.4
0.6
0.8
1.0MR
0 100 2000.0
0.2
0.4
0.6
0.8
1.0SST2
Proportion of Typos (%)
Acc
ura
cy
Figure 1: Test accuracy on the various datasets. An optimal adversary was used to perturb the dataset at test timefor different proportions of typos.
0 100 2000.5
0.6
0.7
0.8
0.9
1.0Spam
0 100 2000.5
0.6
0.7
0.8
0.9
1.0MPQA
0 100 2000.5
0.6
0.7
0.8
0.9
1.0Amazon
MNB
RNB
RNB+20
RNB-20
SVM
LR
MLP
BERT
0 100 2000.5
0.6
0.7
0.8
0.9
1.0MR
0 100 2000.5
0.6
0.7
0.8
0.9
1.0SST2
Proportion of Typos (%)
Acc
ura
cy
Figure 2: Test accuracy on the various datasets. A random adversary was used to perturb the dataset at test timefor different proportions of typos. Note that the y-axis has a range of [0.5,1.0].
Amazon MPQA SST2 MR SpamMNB 0.67(0.11) 0.08(0.02) 5.22(5.38) 0.3409(0.01) 0.07(0.0007)RNB 1.69(0.0831) 0.20(0.01) 6.59(3.42) 0.9531(0.02) 0.21(0.0022)LR 22.06(1.68) 1.37(0.08) 58.47(2.91) 22.66 (0.33) 0.78(0.0032)
SVM 16.29(5.93) 4.46(0.51) 351.03(49.06) 8.479(0.18) 2.06(0.29)3 Layer MLP 155.15(43.48) 82.30(40.82) 992.25(138.15) 116.10(27.97) 75.02(31.22)
Pretrained BERT 802.79(2.10) - - - -
Table 2: Mean training time (one standard deviation in parentheses) in seconds for each model.
Classifier Sentence Removed/Added
RNB
‘3d rocks this video is incredible in 3d it was a gift for arelative and he absolutely loves it viewed on a 3d tv and 3d
bluray player it was just like going to a movie on the big screen’000 x2
‘noise pollution every time i hear that song one wish itmakes me want to throw up i hope he never makes another cd’
000
MNB
‘wonderful this is a wonderful story it left me thinkinginstead of my usual forgetting about it 5 minutes laterthe characters are intriging and the story is interesting
making me not want to put it down i being only inhigh school would definitly suggest that you read it’
001 x2
‘not safe and no fun once you get this toy in your handsyou can see the cheap constructionthe buttons dont work
smoothly and the eggtops are easy to pull off just theright size for my toddler to pop in his mouth i chucked
this one right in the garbage’
000 x2
LR
‘clean excellent copy and shipped fast this is one ofthe books that i have been waiting to read clean book’
boring
‘i couldnt get into it i just coulafter getting more than 50through the book i had to stop i just couldnt get into it
and didnt like the writting style’excellent
SVM
‘great movie i thought it was a very entertaining movieshould have gotten more press when it came out
very good acting also’great
‘this is high density module this is high density module itworks only with a fewmainboards it does not with the two
i haveamazoncom please correct me if i am wrong’great
MLP
‘clean excellent copy and shipped fast this is one ofthe books that i have been waiting to read clean book’
excellentthanked
‘fort apache the movie is old fashioned and not well actedit was melodrmatic and artificialthe supplier of the dvd
was prompt and professional’
suppliercollecting
BERT
‘its nice i was replacing my old cook book i thoughtthis was the same one but it isnt but it is a nice cook book’
butbucked
‘not kindle ready its hard to put together any nice wordsabout this transcription it is not kindle ready although it is textually
complete should be a freebie’
thisfreebie
Table 3: Sentences and their adversarial perturbation at 10% error strength for each classifier and class on theAmazon dataset. Bold indicates an addition, italics indicate a removal, and unless otherwise stated these refer to asingle addition/removal respectively. (Top) Examples from positive class. (Bottom) Examples from negative class.
one at random which in turn results in the accuracygreatly varying across different trials at test time.Note that regularization (via Laplace smoothing)does not solve this problem while other forms ofregularization may help.
4.2.1 Adversarial ExamplesWe present a handful of adversarial examples forvarious classifiers in Table 3. We considered opti-mal perturbations acting at 10% strength where thepredicted class label changed.
Note that for RNB and MNB, the optimal adver-sary is the same for every test point in the sameclass (positive or negative) since the adversary isconstructed solely based on the minimum indexof θ±∗ (see Lemma 3.2). This is not the case forlogistic regression, SVM and neural networks (seeSections C.3 and C.4 in the Appendix). This isbecause for the RNB and MNB models, the opti-mal adversary at test time is only a function of thelearned parameters and label and not the data pointitself, whereas in the other models the adversary isadditionally a function of the test point itself. Thisis a result of the fact that RNB/MNB are trainedon the aggregate statistics of the data (f±) insteadof individual data points (xi) which results in thisobserved robust behaviour. This is also seen in Ta-ble 3 where the RNB model coincidentally choosesthe same adversarial perturbation (adding the word000) for both classes. This also means that if anyother examples from the positive or negative classwere shown, the optimal perturbation for those ex-amples would also be 000. On the other hand, theother models have more interesting adversarial ex-amples that are semantically more meaningful andreflective of the drastic performance decrease thatthe classifiers seen in Figure 1. In particular, Ta-ble 3 shows how brittle the more complex modelsare. For example, for the SVM classifier, simply byremoving the word great from the sentence, thepredicted label changes even if the sentiment of themodified sentence is still clearly positive. Similarlyfor the MLP, by replacing the word excellentwith thanked, the MLP also changes the label,while it is clear the sentiment has not changed.
We also look at the case when the proportion oftypos is set to 200% and consequently our trainingdata is extremely noisy. Consider the followingexample:
“boring my friend likes this movie so ichecked it out i didnt like it kind of bor-
ing couldnt get through the whole thingfastforward solved the problem"
At proportion 200%, LR adds the wordexcellent 24 times and removes boringtwice, which results in a class change. BERTalso changes the label but changes the sentencealtogether:
“mundi dubbed ethnically likes web-cam mackellan pointed cure seller drum-spleaseit tommy lowry totally withtwelveotheremail protector 70 mckellan coralcsection through the whole addict norasolved she funnywe"
For RNB, the perturbation does not change the la-bel; it adds 000 26 times, which unlike LR andBERT, preserves the original semantics. As ex-pected, even for extremely high proportions of ty-pos, the RNB model only adds one unique word afixed number of times to a sentence. In this case,000 is not semantically meaningful and RNB isable to resist against extremely strong adversaries.
4.3 Training SpeedWe compare the run time of the different models inTable 2 1. We see that the training time of the RNBmodel is comparable to that of MNB while provid-ing significantly improved accuracy as in Figure1. The other classifiers take orders of magnitudelonger to train than RNB; in the extreme case wesee that on the SST2 dataset, the MLP takes 100xlonger to train.
5 Conclusion
In this work, we make the case that under a typo un-certainty set, robustly training a Multinomial NaiveBayes model significantly outperforms other mod-els when subject to an adversarial attack. We showthat our new classifier is extremely robust both qual-itatively and quantitatively against adversaries ascompared to much more complex models. We alsoshow that the adversary is the same across all datapoints in the class (which is not the case for othermore complex models), which results in much bet-ter performance against adversarial perturbations,while performing as well as other models when sub-ject to a random perturbation. We also show that
1All our models were trained on a 72 CPU (2.30 GHz IntelXeon E5-2686 Processor) machine with 64 GB of RAM. Thedeep learning models additionally were trained using a singleNVIDIA Titan V GPU.
the main complexity in training our model comesfrom sorting a vector, and as a result trains ordersof magnitude faster than other models.
ReferencesTiago A. Almeida, José María G. Hidalgo, and Akebo
Yamakami. 2011. Contributions to the study of smsspam filtering: New collection and results. In Pro-ceedings of the 11th ACM Symposium on DocumentEngineering, DocEng ’11, page 259–262, New York,NY, USA. Association for Computing Machinery.
Armin Askari, Alexandre d’Aspremont, and Laurent ElGhaoui. 2020. Sparse weighted naive bayes clas-sifier for efficient classification of categorical data.Proceedings of the Twenty Third International Con-ference on Artificial Intelligence and Statistics.
A. Ben-Tal, L. El Ghaoui, and A.S. Nemirovski. 2009.Robust Optimization. Princeton Series in AppliedMathematics. Princeton University Press.
Dimitris Bertsimas and Martin S. Copenhaver. 2017.Characterization of the equivalence of robustifica-tion and regularization in linear and matrix regres-sion.
Dimitris Bertsimas, Jack Dunn, Colin Pawlowski, andYing Daisy Zhuo. 2019. Robust classification. IN-FORMS Journal on Optimization, 1(1):2–34.
Lingjia Deng and Janyce Wiebe. 2015. MPQA 3.0: Anentity/event-level sentiment corpus. In Proceedingsof the 2015 Conference of the North American Chap-ter of the Association for Computational Linguistics:Human Language Technologies, pages 1323–1328,Denver, Colorado. Association for ComputationalLinguistics.
Jacob Devlin, Ming-Wei Chang, Kenton Lee, andKristina Toutanova. 2019. BERT: Pre-training ofdeep bidirectional transformers for language under-standing. In Proceedings of the 2019 Conferenceof the North American Chapter of the Associationfor Computational Linguistics: Human LanguageTechnologies, Volume 1 (Long and Short Papers),pages 4171–4186, Minneapolis, Minnesota. Associ-ation for Computational Linguistics.
Mohit Iyyer, John Wieting, Kevin Gimpel, and LukeZettlemoyer. 2018. Adversarial example generationwith syntactically controlled paraphrase networks.In Proceedings of the 2018 Conference of the NorthAmerican Chapter of the Association for Computa-tional Linguistics: Human Language Technologies,Volume 1 (Long Papers), pages 1875–1885, NewOrleans, Louisiana. Association for ComputationalLinguistics.
Liangxiao Jiang, Dianhong Wang, Zhihua Cai, andXuesong Yan. 2007. Survey of improving naivebayes for classification. International Conferenceon Advanced Data Mining and Applications.
Di Jin, Zhijing Jin, Joey Tianyi Zhou, and PeterSzolovits. 2020. Is bert really robust? a strong base-line for natural language attack on text classificationand entailment. Proceedings of the AAAI Confer-ence on Artificial Intelligence, 34(05):8018–8025.
Ilya Loshchilov and Frank Hutter. 2019. Decoupledweight decay regularization. International Confer-ence on Learning Representations.
Jianmo Ni, Jiacheng Li, and Julian McAuley. 2019.Justifying recommendations using distantly-labeledreviews and fine-grained aspects. In Proceedingsof the 2019 Conference on Empirical Methods inNatural Language Processing and the 9th Interna-tional Joint Conference on Natural Language Pro-cessing (EMNLP-IJCNLP), pages 188–197, HongKong, China. Association for Computational Lin-guistics.
Bo Pang and Lillian Lee. 2005. Seeing stars: Exploit-ing class relationships for sentiment categorizationwith respect to rating scales. In Proceedings of theACL.
F Pedregosa, G Varoquaux, A Gramfort, V Michel,B Thirion, O Grisel, M Blondel, P Prettenhofer,R Weiss, and V Dubourg. 2011. Scikit-learn: Ma-chine learning in python. Journal of machine learn-ing research.
Marco Ramoni and Paola Sabastini. 2001. Robustbayes classifiers. Artificial Intelligence.
Richard Socher, Alex Perelygin, Jean Wu, JasonChuang, Christopher D. Manning, Andrew Ng, andChristopher Potts. 2013. Recursive deep modelsfor semantic compositionality over a sentiment tree-bank. In Proceedings of the 2013 Conference onEmpirical Methods in Natural Language Processing,pages 1631–1642, Seattle, Washington, USA. Asso-ciation for Computational Linguistics.
Wenqi Wang, Benxiao Tang, Run Wang, Lina Wang,and Aoshuang Ye. 2019. A survey on adversarialattacks and defenses in text. CoRR, abs/1902.07285.
Thomas Wolf, Lysandre Debut, Victor Sanh, JulienChaumond, Clement Delangue, Anthony Moi, Pier-ric Cistac, Tim Rault, Rémi Louf, Morgan Funtow-icz, Joe Davison, Sam Shleifer, Patrick von Platen,Clara Ma, Yacine Jernite, Julien Plu, Canwen Xu,Teven Le Scao, Sylvain Gugger, Mariama Drame,Quentin Lhoest, and Alexander M. Rush. 2020.Transformers: State-of-the-art natural language pro-cessing. pages 38–45, Online. Association for Com-putational Linguistics.
A Dataset Preprocessing
We enumerate the preprocessing steps for each ofthe datasets that have used.
• Amazon: The complete Amazon reviews dataset was collected from here; only a subset ofthis data was used which can be found here.This data set was randomly split into 80/20train/test.
• SST2: The Stanford Sentiment Treebankdataset can be found here, and was pre-processed using the code here.
• MPQA: The MPQA opinion corpus can befound here and was pre-processed using thecode found here. We balance the dataset bygenerating a random 80-20 ratio between thesize of training and test data.
• MR: The Movie review dataset can be foundhere and was pre-processed using the samecode as the Amazon dataset.
• Spam: SMS Spam Collection dataset can befound here and was pre-processed using thecode found here.
B Model Details
B.1 Classical Models
For each of our classical models, we used Sklearn’simplementation (Pedregosa et al., 2011). We listout the hyperparameter tuning procedure for eachof the models below:
• RNB/MNB: We performed a grid search overthe Laplace smoothing parameter using valuesranging from α ∈ [0.5, 9.5] in increments of0.5. The RNB model used the same α as thetuned MNB model.
• SVM: We performed a grid search over theregularization parameter using values rangingfrom α ∈ [0.5, 9.5] in increments of 0.5.
• LR: We evaluated each model with the fol-lowing values of regularization parameters:{0.001, 0.01, 0.1, 1, 10, 100}.
We use 3-fold cross validation to determine thebest set of hyperparameters for each model.
B.2 Deep Learning ModelsB.2.1 3 Layer MLPWe trained a 3 layer fully connected network, with512 and 128 as the dimensions of the first and sec-ond hidden layers respectively. For training, we usean Adam Optimizer with 10−4 as the learning rate.We employ batchnormalization and apply dropout(p = 0.1) after the second hidden layer. We trainedthe model for 10 epochs, keeping the model withthe best performing validation accuracy.
B.2.2 Pretrained BERTCASE
We used a pretrained BERT model that had ahidden layer with softmax activation from theHuggingFace transformers repository (Wolf et al.,2020). Per the authors’ recommendation, wetrained the model for 3 epochs, keeping the modelwith the highest validation accuracy. Due to mem-ory constraints, we trained the model with a batchsize of 16 and a maximum padding length of 256.During training, we used a AdamW optimizer(Loshchilov and Hutter, 2019) with a learning rateof 5 · 10−5 and ε = 10−8.
C Proofs of Section 3
C.1 Proof of Lemma 3.2Recall that P is the d-dimensional probabilitysimplex and that D is the typo uncertainty set(κ-typo). Note since the objective function is lin-ear, we can perform the minimization over the con-vex hull of the feasible region. Thus, we can setD = {δ ∈ Rd : f + δ ≥ 0, ‖δ‖1 ≤ κ}.
We have that
p∗(f, κ) = maxθ∈P
f> log θ + minδ∈D
δ> log θ
= maxθ∈P
f> log θ + κ min1≤i≤n
log θi
= maxθ∈P
f> log θ + κt : t1 ≤ log θ
We form the dual problem:
= minτ
maxθ,t
f> log θ + κt+ τ(1− 1>θ) : exp(t)1 ≤ θ
= minτ
maxθ,u>0
f> log θ + κ log u+ τ(1− 1>θ) : u1 ≤ θ
where we make the substitution u = exp(t). Now,consider the following problem, given fixed u, τ .
q∗ = maxθ∈[0,1]d,u>0
f> log θ − τ1>θ : u1 ≤ θ
If τ ≤ 0, the problem is unbounded. Oth-erwise, we see that the optimal point is θ∗ =
max(f/τ, u1). Plugging it back in to our expres-sion for p∗, we have that:
q∗ =
n∑i=1
(fi max(log fi, log(τu))−
max(fi, τu))− (1>f) log τ
Setting ρ = κ + 1>f and plugging the expres-sion for q∗ back, we simplify p∗(f, κ):
maxτ>0
maxu>0
n∑i=1
[fi log max(fi, log(τu))
−max(fi, τu)]
− (1>f) log τ + κ log u+ τ
= maxτ>0
maxv>0
n∑i=1
[fi log max(fi, log v)
−max(fi, v)]
+ κ log v + τ − ρ log τ
= maxv>0
n∑i=1
[fi log max(fi, v)
−max(fi, v)]− κ log v
Note that τ∗ = ρ. Going back to our originalproblem, we know that p∗(f, κ) is
maxθ,u>0
f> log θ + κ log u+ τ∗(1− 1>θ)
We conclude that the optimal θi(f, κ) =max(fi/τ
∗, v∗/τ∗). Note that finding theoptimal adversary is equivalent to solvingarg minδ∈D δ
> log θ∗.
C.2 Proof of Algorithm 1We consider the following optimization problem.
maxv>0
F (v) =
n∑i=1
(fi log max(fi, v)
−max(fi, v))
− κ log v
The key idea of the algorithm is to split the do-main of v (which is all of R>0) into n+ 1 intervalsbased off of the fi’s and find a closed form maxi-mizer vk for each interval. We then output the vkthat maximizes Equation 3.
Suppose without loss of generality that f1 ≥f2 ≥ . . . ≥ fn > 0. Let f0 = ∞ andfn+1 = 0. Let Ik = [fk+1, fk], and denotevk = argmaxv∈IkF (v).
To prove that the algorithm is correct, it sufficesto show the following:
• v0 = max(f1,
ρ0n
)• vn = fn
• vk = min(fk,max
(fk+1,
ρkn−k
))Verifying the stated expressions for F0, Fn, and
Fk is a matter of plugging in the relevant v into themain expression.
We first prove the first statement. Since v0 ∈ I0,we can simplify F (v) as follows:
F (v) = −nv + (κ+
n∑i=1
fi) log v
Taking derivatives and setting it to 0 yields thatthe optimal v∗ is κ+
∑ni=1 fin . However, depending
on κ, v∗ might not be in I0. In the case that it isn’t,it follows that:
κ+
n∑i=1
fi < nf1
We analyze the derivative F ′(v) in the intervalI0. We have that
F ′(v) = −nv +κ+
∑ni=1 fin
<nf1
v− n ≤ 0
We conclude that F is decreasing on I0, andso in the case where v∗ 6∈ I0, we choose our newoptimal point as f1. To account for both these cases,we conclude that v0 = max
(f1,
ρ0n
).
We proceed to prove the second statement. Wenote that now vn ∈ In = (0, fn]. Like before, wecan use this information to simply F (v) to:
F (v) =n∑i=1
[fi log fi − fi] + κ log v
We see that F ′(v) is strictly positive on the in-terval In, so the optimal vn is therefore fn.
Finally, we show the last statement. We note thatnow vn ∈ Ik = [fk+1, fk]. We rewrite F (v) as
F (v) = hk + ρk log v − (n− k)v
The optimal v∗ is ρkn−k . Like before, depending
on κ, v∗ may not be in Ik. There are two caseswe need to consider: v∗ < fk+1 and v∗ > fk.We analyze the derivative F ′(v) in each of the tworegimes. In the first case, we see that
F ′(v) =ρkv− (n− k) <
fk+1(n− k)
v− (n− k)
≤ fk+1(n− k)
fk+1− (n− k) = 0
We conclude that F is strictly decreasing, inwhich case the optimal v∗ would be fk+1.
Moving onto the second case, we see that v∗ >fk implies that κ >
∑ni=k+1(fk − fi). We thus
have:
F ′(v) =ρkv− (n− k)
>
∑ni=k+1(fk − fi) + fi
v− (n− k)
=(n− k)fk
v− (n− k) ≥ 0
We conclude that F is strictly increasing,in which case the optimal v∗ would be fksince v∗ needs to be in Ik. To account forboth these cases, we express the optimal vk asmin
(fk,max
(fk+1,
ρkn−k
)).
C.3 Solving the Robust SVM ProblemRecall the robust counterpart to be the following:
minw
maxδi∈∆i
1
n
n∑i=1
max{0, 1− yi((xi + δi)>w − b)}
+ λ‖w‖22
where the uncertainty set is defined by:
δi ∈ ∆i = {δi : xi + δi ≥ 0 , ‖δi‖1≤ κi}
We proceed first by solving the outermost maxi-mization by noting the order of maximization doesnot matter:
minw
1
n
n∑i=1
max{0, maxδi∈∆i
1− yi((xi + δi)>w − b)}
+ λ‖w‖22
We can first solve the following problem:
maxδi∈∆i
1− yi((xi + δi)>w − b)
= 1− yi(x>i w − b)− minδi∈∆i
δ>i (yiw)
Instead of solving the minimization problemdirectly we can proceed via duality as we knowSlater’s condition holds and the problem is convex:
maxλi≥0
min‖δi‖1≤κi
δ>i (yiw)− λ>i (xi + δi)
= maxλi≥0
min‖δi‖1≤κi
δ>i (yiw − λi)− λ>i xi
= maxλi≥0−κi‖yiw − λi‖∞−λ>i xi
We can now write the original robust problem asthe following:
minw
1
n
n∑i=1
max{0, 1− yi(x>i w − b)+
minλi≥0
κi‖yiw − λi‖∞+λ>i xi}+ λ‖w‖22
Via an epigraph reformulation of the problem wecan equivalently write this as
minw,zi≥0,λi≥0
1
n
n∑i=1
zi + λ‖w‖22
subject to
zi ≥ 1−yi(x>i w− b) +κi‖yiw−λi‖∞+λ>i xi ∀i
The above robust counterpart is a convex quadraticprogram, which can be seen by rewriting the `∞norm in the constraint with 2d linear constraints.Note that solving for the adversary δi can be ac-complished using Algorithm 2, which is detailedin Section C.5 of the Appendix.
C.4 Solving the Robust Logistic RegressionProblem
minβ,β0
maxδi∈∆i
n∑i=1
log(1 + exp(−yi(β>(xi + δi) + β0)))
+ λ(‖β‖22+β20)
where the uncertainty set is defined by
δi ∈ ∆i = {δi : xi + δi ≥ 0, , ‖δi‖1≤ κi}
Solving the inner maximization is the same asthe solving the following:
minδi∈∆i
yi(β>(xi + δi) + β0)
= yi(β>xi + β0) + min
δi∈∆i
yiβ>δi
Note that we can solve the minimization problemvia the same duality-based approach detailed for
robust SVM (see Section C.3 in the Appendix) aswell as the same algorithm to generate the optimaladversary (see Section C.5):
minβ,β0,λi≥0
n∑i=1
log(1 + exp(−yi(β>xi + β0)
+ κi‖yiβ − λi‖∞+λ>i xi)
+ λ(‖β‖22+β20)
C.5 Deriving Adversaries for SVM andLogistic Regression
In this subsection, we detail Algorithm 2, whichsolves the inner optimization for the robust vari-ants of SVM and logisitic regression under typouncertainty.
Algorithm 2: Generate optimal adversaryδ for SVM and logistic regression
Input: Data point x ∈ Rd; Label y; Weightvector w ∈ Rd; Proportion Error t
Output: Return optimal adversary δ∗iInitialize δ = 0d×1, k = t
100 · ‖x‖1 (errorbudget), ind, z = sortDescending(wy);
Set i = 0;while k > 0 do
instructions;if |zi|= 0 then
break;else
if |zi|< 0 thenδindi = k;break;
elseα = max{−1 · xi,−k};δindi = α;k = k − α;
endendi← i+ 1;
end
C.6 Proof of Lemma 3.1Note that the lemma at hand can be proved bysolving a problem of the following form:
maxp∈P
minδ∈Vshift(f)
(f + δ)> log θ
which can be seen due to separability across θ±,f± and δ±. Noting that the inner minimization
problem is a linear program over a non-convex set,we can equivalently undergo the minimization overthe convex hull of the set:
Co(Vshift(f)) = {δ : δ + f ≥ 0, ‖δ‖∞ ≤ γ}
This allows the inner minimization to be easilysolved, where we take advantage of the fact thatlog(θ) ≤ 0 and f ≥ 0:
minδ∈Co(Vshift(f))
δ> log θ = −γ‖log(θ)‖1= γ1> log(θ)
This results in the following maximization prob-lem:
maxp∈P
(f + γ1)> log θ
Choosing different γ for each uncertainty setwith respect to each class, ie γ1 = γ|C1| andγ2 = γ|C2|, gives the final form of the optimiza-tion problem presented in Lemma 3.1.
C.7 Dirichlet Prior and Laplace SmoothingLemma C.1. MAP estimation of θ for a multino-mial distribution under a Dirichlet prior parameterα = (λ+ 1)1 is equivalent to Laplace smoothingwith parameter λ.
Proof. This proof relies on the Dirichlet distribu-tion being a conjugate prior to the multinomial dis-tribution. Hence given a multinomial and Dirichletdistribution parameterized by θ ∈ Rd and α ∈ Rdrespectively, we can say the following about theposterior distribution of θ given an observation ofthe multinomial distribution x:
P (θ|x) ∝ P (x|θ)P (θ)
∝d∏j=1
θxjj
d∏j=1
θαj−1j
=
d∏j=1
θαj−1+xjj
∝ P (x+ α− 1|θ)
Hence it can be seen that choosing α = (λ + 1)1will lead to Laplace smoothing with smoothingparameter λ.
D Acknowledgements
I would like to thank my team of collaborators forthis project: Anand Siththaranjan, Armin Askari,and Laurent El Ghaoui. Each member provided in-valuable contributions to this project: (1) AS built
scripts for evaluating each of the classical modelsand helped write up the paper, (2) AA providedhigh-level ideas throughout the project and con-tributed to writing. Finally, LEG was the primaryadviser for this project.