Breaking the Adversarial Robustness-Performance Trade-off in Text Classification via Manifold Purification

A persistent challenge in text classification (TC) is that enhancing model robustness against adversarial attacks typically degrades performance on clean data. We argue that this challenge can be resolved by modeling the distribution of clean samples in the encoder embedding manifold. To this end, we propose the Manifold-Correcting Causal Flow (MC^2F), a two-module system that operates directly on sentence embeddings. A Stratified Riemannian Continuous Normalizing Flow (SR-CNF) learns the density of the clean data manifold. It identifies out-of-distribution embeddings, which are then corrected by a Geodesic Purification Solver. This solver projects adversarial points back onto the learned manifold via the shortest path, restoring a clean, semantically coherent representation. We conducted extensive evaluations on text classification (TC) across three datasets and multiple adversarial attacks. The results demonstrate that our method, MC^2F, not only establishes a new state-of-the-art in adversarial robustness but also fully preserves performance on clean data, even yielding modest gains in accuracy.

Key Contributions

• Empirical demonstration that clean and adversarial text embeddings are geometrically separable in PLM representation spaces, reframing adversarial defense as a geometric purification problem
• Stratified Riemannian Continuous Normalizing Flow (SR-CNF) that models the clean data manifold density and identifies out-of-distribution adversarial embeddings
• Geodesic Purification Solver that projects flagged adversarial embeddings back onto the learned clean manifold via shortest-path (geodesic) optimization, resolving the robustness-accuracy trade-off

🛡️ Threat Analysis

Details

Similar Papers