PhD Defense of Elias Abad Rocamora

Elias defense © 2026 EPFL/Volkan Cevher


On March 30th, 2026, Elias Abad Rocamora, a PhD student at the LIONS lab, successfully defended his PhD thesis. The thesis, entitled "Character-level Adversarial Robustness in Natural Language Processing", was supervised by Professor Volkan Cevher. Congratulations to Elias!

Abstract:

Neural networks have become increasingly popular tools for natural language processing, being able to perform as general chatbots through Large Language Models (LLMs), perform information retrieval or even generate images and video from text descriptions. Despite their incredible power, naive perturbations, such as replacing a word with a synonym or introducing a typo in the prompt, can lead to unexpectedly large variations in the output of the model. This can be exploited by adversaries to craft prompts (adversarial examples) that lead to malicious outputs from a model, e.g., fooling an LLM into providing instructions to commit a crime. This has fostered the development of automatic tools for obtaining adversarial examples (adversarial attacks), training models that are robust against adversarial examples (adversarial defenses) or certifying that no adversarial example exists (robustness certification). Before this thesis, it was believed that character-level perturbations could be easily avoided by preprocessing prompts with typo-correctors, deeming character-level attacks, defenses and certification methods underexplored. In this thesis, we show that character-level attacks can in fact bypass typo-corrector defenses, becoming an interesting area to study robustness. Additionally, we propose Charmer, an efficient character-level adversarial attack; LEAF, an efficient adversarial training method that we use to finetune large CLIP models and effectively robustify them; LipsLev, the first method to certify text models against character-level perturbations in a single forward pass, being able to handle insertions and deletions of characters. This thesis opens the path to study character-level adversarial robustness further, highlighting the remaining challenges and possible directions to follow.