Large Language Model Text Adversarial Defense Method Based on Disturbance Detection and Error Correction

Abstract

This study aims to effectively defend against complex and diverse adversarial attacks, enhance adversarial defense performance in the field of textual adversarial examples, and address existing issues in current defense methods such as models’ inability to accurately detect perturbations and perform effective error correction. To this end, we propose a Large Language Model Adversarial Defense (LLMAD) method based on perturbation detection and correction. The LLMAD framework consists of two modules: a perturbation detection module and a perturbation correction module. The detection module combines pre-trained models with soft-masking layers to rapidly determine whether samples contain adversarial perturbations. The correction module employs large language models fine-tuned using an adversarial example perturbation dataset constructed through data augmentation, enhancing task performance in adversarial defense and enabling efficient and accurate error correction of adversarial samples. Experimental results demonstrate that, across multiple datasets, various target models defended through the LLMAD method achieve satisfactory defense effectiveness against different types of adversarial attacks. The classification accuracy of defended models shows an average improvement of 66.8% compared to undefended baselines and outperforms existing methods by 13.4% on average. Additional perturbation detection performance tests and ablation studies further validate the accuracy of detection capabilities and the effectiveness of module combinations. A series of experiments confirm that the LLMAD method can significantly enhance defensive effectiveness against textual adversarial attacks.

1. Introduction

Deep learning technology, as a research hotspot and frontier, has been widely applied in natural language processing [1], computer vision [2], and other research directions, achieving unprecedented breakthroughs. Although deep learning models have been extensively adopted in academia and industry, demonstrating performance surpassing traditional methods, they still face numerous security threats and vulnerabilities [3]. Among these, adversarial examples are one critical issue [4]. Adversarial examples are input samples crafted by attackers through imperceptible, subtle perturbations intentionally added to datasets, causing models to misjudge and output erroneous results [5]. Initial research on adversarial examples primarily focused on the image domain, where methods like FGSM [6] achieved relatively effective results in tasks such as image classification.

With the expanding application of natural language processing in artificial intelligence, researchers have identified the existence of adversarial examples in the text domain, raising growing concerns about textual security. In recent years, adversarial example research in the image domain has matured, while studies in the text domain remain relatively limited [7,8]. This disparity primarily stems from the fact that images are typically two-dimensional or three-dimensional continuous data, whereas text is one-dimensional discrete data, conveying information through combinations of numbers, letters, and symbols. Consequently, most adversarial attack and defense methods applicable to the image domain cannot be transferred to the text domain.

The phenomenon of textual adversarial examples has become pervasive across various NLP downstream tasks. In the context of opinion manipulation, a 2019 investigation exposed that Google’s online translation platform could transform the sentiment polarity of user-input sentences from negative to positive. Furthermore, the 2022 EU Cybersecurity Report highlighted that adversarially generated reviews could bypass content moderation systems, with specific emoji-embedded text reducing misinformation detection accuracy from 98% to 32%. In autonomous driving applications, textual adversarial attacks on traffic signs through added special characters have caused vehicular NLP systems to misinterpret “speed limit 60” as “speed limit 80”, directly elevating collision risk indices. The widespread existence of textual adversarial phenomena underscores the critical necessity of enhancing application security research for corresponding models.

Before the emergence of large language models (LLMs), researchers proposed adversarial defense methods from multiple perspectives to counter malicious textual adversarial attacks and enhance model robustness. However, significant challenges persist. First, detection-based defense methods in deep learning models predominantly rely on masked language models for adversarial example detection. These methods tend to identify errors without correcting them, and their performance requires improvement. This limitation arises because only 10–20% of characters are masked for prediction during pre-training, resulting in insufficient error detection and correction capabilities. Second, current adversarial defense methods struggle to balance robustness improvements with classification accuracy on clean samples. Furthermore, their effectiveness may vary inconsistently across different NLP tasks (e.g., sentiment analysis, natural language inference) [9], and in some cases, they may even reduce model robustness. Finally, models face difficulties in countering diverse adversarial attacks. The rich semantic-syntactic structures and varied expressions in textual data enable attackers to generate adversarial examples through multiple strategies, bypassing existing defense frameworks and causing erroneous text classification.

Therefore, to address the aforementioned issues, we first apply LLM technology to textual adversarial example defense. This paper proposes Large Language Model Adversarial Defense (LLMAD), a defense method based on textual perturbation detection and correction. LLMAD consists of a perturbation detection module and a perturbation correction module. Leveraging the exceptional semantic understanding and text processing capabilities of large language models, it detects and corrects perturbations introduced via attacks, thereby accomplishing adversarial example defense tasks. The main contributions of this paper are as follows:

(1) This paper proposes a large language model-based adversarial defense method for textual perturbation detection and correction. Applying large models to textual adversarial defense deepens expertise in adversarial defense and significantly enhances the model’s capability to defend against adversarial attacks.

(2) This paper rigorously validates the feasibility and effectiveness of integrating large language models into adversarial defense through a series of experiments. The method enables error detection and semantic understanding in text, achieves efficient and precise correction of adversarial examples, and strengthens the model’s ability to detect and eliminate adversarial samples.

(3) This paper proposes and constructs a scalable, comprehensive defense framework. It explores the integration of adversarial defense and text correction technologies to improve defense task performance, providing technical pathways and theoretical foundations for enhancing model security.

2. Related Work

Szegedy et al. [10] first proposed the concept of adversarial examples by constructing adversarial samples through subtle perturbations added to images, attacking classification models and causing deep learning models to make erroneous predictions. Papernot et al. [11] introduced adversarial attacks into the text domain for the first time, utilizing the fast gradient sign method to compute gradients of loss functions and generate word-level adversarial examples. Hou et al. [12] proposed the Multi-Level Disturbance Localization Method (MDLM) method, which integrates heterogeneous deep neural network models as attack targets and combines an improved word importance evaluation function to localize perturbations.

A primary objective of adversarial defense research is to minimize the impact of attacks on model robustness and accuracy by leveraging adversarial examples generated through the aforementioned attack methods, thereby enhancing model security in practical applications. Adversarial detection, the most studied defense approach, identifies adversarial perturbations in input samples and replaces or restores them to clean samples. Zhou et al. [13] proposed the Discriminate Perturbations (DISP) framework, which identifies perturbed words via a perturbation discriminator and finds replacement words through hierarchical classification and K-nearest neighbors search, all while preserving the original model architectures and training processes. Mozes et al. [14] introduced the Frequency Guided Word Substitutions (FGWS) method, which replaces low-frequency words with semantically similar high-frequency words to restore adversarial examples to clean samples. Huang et al. [15] developed the Siamese Calibrated Reconstruction Network (SCRN) method, which optimizes classification consistency via symmetric Kullback–Leibler divergence, forcing models to rely on high-level contextual features and improving resistance to adversarial perturbations. While these defense methods achieve promising results, most focus on specific attack types. Their error detection and correction capabilities degrade in complex textual environments, and they are vulnerable to bypassing by attackers, highlighting insufficient generalization.

LLMs [16] exhibit significant advantages in addressing these challenges. During pre-training, LLMs learn fundamental language structures and general knowledge from large-scale text corpora. Leveraging their exceptional generalization and emergent capabilities [17], they can handle diverse tasks, mitigating the limitations of low generalization and poor transferability in existing adversarial defense methods. The self-attention mechanism [18] in LLMs enables them to process complex syntactic structures in text data and generate semantically similar, natural substitutions, thereby enhancing model robustness and classification accuracy. Prior to the proposal of this paper, large language models had already been applied in the field of adversarial sample attacks. Xu et al. [19] proposed PromptAttack, which converts adversarial textual attacks into an attack prompt that can cause the victim LLM to output the adversarial sample to fool itself. In the field of adversarial example defense, there existed no methods integrated with large language models.

To address the critical limitations of existing adversarial defense methods—including excessive reliance on surface features like word frequency analysis, difficulty in handling semantically coherent perturbations, the accuracy–robustness trade-off dilemma, and insufficient generalization capability—this paper proposes LLMAD, a large language model-based adversarial defense method for textual perturbation detection and correction. LLMAD successfully distinguishes adversarial perturbations from natural variations (e.g., detecting “suttle”→“subtle” substitutions overlooked with FGWS) by leveraging the contextual understanding capabilities of large language models. Through its synergistic dual-module design combining detection and correction, subsequent experiments demonstrate enhanced perturbation detection capability while minimizing the impact on clean samples. These results highlight LLMAD’s unique ability to balance robustness and accuracy, bridging gaps in existing methods and providing an innovative solution for adversarial example defense tasks.

3. Approach

3.1. Problem Formulation

Adversarial examples constitute a class of specialized input samples targeting deep neural network models, typically generated by introducing imperceptible perturbations to original data. These carefully crafted perturbations, though often human-indiscernible, suffice to induce significant output deviations, transforming correct predictions into erroneous ones. This work specifically addresses two adversarial attack typologies: character-level and word-level perturbations in textual domains. The primary objective of our adversarial defense framework lies in enabling deep neural network-based classification models to accurately process adversarial samples through dual enhancements: enhancing both perturbation detection rates and classification accuracy while systematically improving the model’s adversarial robustness.

This paper focuses on adversarial defense methods in the direction of adversarial example detection. Thus, adversarial defense can be formulated as the following task: Given a classification model, M, original sample data $X=\left\{x_1,x_2,\cdots ,x_n\right\}$, and classification labels, $Y=\left\{y_1,y_2,\cdots ,y_m\right\}$, the model, M, learns a correct mapping, $f:X\to Y$, through training, which maps an input, $x_i$, to its corresponding label, $y_i$ in Y. The maximum probability formula for classification is as follows:

$$argmaxP\left(y_i\mid x_i\right)=y_{true},y_i\in Y$$

(1)

Given an adversarial example, $x_{adv}=\left\{w_1,w_{adv},w_3,\cdots ,w_n\right\}$, the model, M, misclassifies $x_{adv}$, as expressed by the following:

$$argmaxP\left(y_i\mid x_{adv}\right)\ne y_{true},y_i\in Y$$

(2)

By applying adversarial defense methods to M, adversarial example detection and correction are performed to convert $x_{adv}=\left\{w_1,w_{adv},\cdots ,w_n\right\}$ into $x_{true}=\left\{w_1,w_{true},\cdots ,w_n\right\}$, where the adversarial perturbation $w_{adv}$ in $x_{adv}$ is restored or replaced to obtain $w_{true}$. This results in a defended model $M_{AD}$, which restores the correct label for $x_{adv}$ while maintaining accurate classification for normal inputs:

$$M_{AD}\left(x_{adv}\right)=y_{true},M_{AD}\left(x_i\right)=y_i$$

(3)

3.2. Model

To address adversarial examples generated via contextual perturbations caused by adversarial attacks on original samples, this paper proposes LLMAD, a textual adversarial defense method based on perturbation detection and correction, with its detailed structure illustrated in Figure 1. LLMAD consists of a perturbation detection module and a perturbation correction module. The detection module localizes and detects perturbations in adversarial samples, predicts error probabilities, determines whether an input sample is adversarial, and forwards adversarial examples to the correction module. The correction module restores or replaces adversarial samples with clean counterparts, thereby eliminating adversarial perturbations and ensuring correct model outputs.

3.3. Disturbance Detection Module

The perturbation detection module in this study consists of a Bi-GRU model and a soft-masking layer, designed to determine whether input samples are adversarial. This module aims to distinguish between adversarial examples and clean samples, forwarding detected adversarial examples to the perturbation correction module to eliminate their adversarial nature, thereby achieving defense against adversarial attacks. On the one hand, the module avoids unnecessary modifications to clean samples; on the other hand, it enhances the efficiency of the defense framework. The architecture of the perturbation detection module in the LLMAD method is illustrated in Figure 2.

The input is an embedding sequence $E=\left(e_1,e_2,\cdots ,e_n\right)$, where $e_i$ represents the embedding of the word $x_i$, which is the sum of the word embedding, positional embedding, and segment embedding of $x_i$. The output is a label sequence $G=\left(g_1,g_2,\cdots ,g_n\right)$, where $g_i$ denotes the label of the i-th character, with 1 indicating an incorrect character and 0 indicating a correct one. For each word, there is a probability $p_i$, representing the likelihood of being labeled 1. A higher $p_i$ corresponds to a greater probability of incorrectness. For each word in the sequence, the error probability $p_i$ is defined as shown in Equation (4), where $P_{ddm}\left(g_i=1\mid X\right)$ denotes the conditional probability provided via the detection network, $\sigma$ represents the sigmoid function, $h_i^{ddm}$ is the hidden state of the Bi-GRU, and $W_{ddm}$ and $b_{ddm}$ are learnable parameters:

$$p_i=P_{ddm}\left(g_i=1\mid X\right)=\sigma \left(W_{ddm}{h}_i^{ddm}+b_{ddm}\right)$$

(4)

Additionally, the hidden states are defined in Equations (5)–(7), where GRU denotes the GRU function, and $\left[{\overrightarrow{h}}_i^{ddm};{\overleftarrow{h}}_i^{ddm}\right]$ represents the concatenation of the hidden states from both directions of the Bi-GRU:

$${\overrightarrow{h}}_i^{ddm}=GRU\left({\overrightarrow{h}}_{i-1}^{ddm},e_i\right)$$

(5)

$${\overleftarrow{h}}_i^{ddm}=GRU\left({\overleftarrow{h}}_{i+1}^{ddm},e_i\right)$$

(6)

$$h_i^{ddm}=\left[{\overrightarrow{h}}_i^{ddm};{\overleftarrow{h}}_i^{ddm}\right]$$

(7)

The soft-masking layer corresponds to a weighted sum of the input embeddings and mask embeddings, with the error probability serving as the weight. The soft-masked embedding $e_i^{\prime }$ for the i-th character is defined in Equation (8), where $e_i$ is the input embedding, and $e_{mask}$ is the mask embedding:

$$e_i^{\prime }=p_i·e_{mask}+\left(1-p_i\right)·e_i$$

(8)

The perturbation detection module employs Equation (9) to determine whether an input sample is adversarial, where $\alpha$ and $\beta$ are hyperparameters. If $E_{ddm}⩽\beta$, the sample is non-adversarial; otherwise, it is forwarded to the perturbation correction module:

$$E_{ddm}={\displaystyle \frac{{\sum }_{i:p_i>\alpha }^n\left(p_i·e_{mask}+\left(1-p_i\right)·e_i\right)}{{\sum }_i^n{e}_i^{\prime }}}\le \beta$$

(9)

The training of the perturbation detection module follows an end-to-end approach. Given training data pairs consisting of original sequences and corrected sequences, $\left\{\left(X_1,Y_1\right),\left(X_2,Y_2\right),\cdots ,\left(X_n,Y_n\right)\right\}$, where $X_i$ represents an error-containing sequence and $Y_i$ denotes the corresponding error-free sequence, ($i=1,2,\cdots ,n$). The training objective is to optimize the loss function ${\mathcal{L}}_{ddm}$ for improved detection performance:

$${\mathcal{L}}_{ddm}=-\sum _{i=1}^{n}log{P}_d\left(g_i\mid X\right)$$

(10)

3.4. Perturbation Correction Module

3.4.1. Construction of Adversarial Perturbation Dataset

Due to the scarcity of publicly available high-quality adversarial example datasets, this paper employs data augmentation on adversarial examples to enhance the capability of large models in textual adversarial defense tasks and improve the performance of the perturbation correction module. Specifically, the adversarial example dataset is combined with a text correction dataset to construct an adversarial perturbation dataset, which is then used to fine-tune the large model, as illustrated in Figure 3.

On the one hand, state-of-the-art adversarial attack algorithms are applied to original samples to generate adversarial examples, which are combined to form the adversarial example dataset. These include the ATGSL-SA [20], TextHacker [21], and GBDA [22] algorithms:

• ATGSL-SA employs a heuristic search-based attack algorithm combined with a linguistic lexicon to generate adversarial examples with high semantic similarity;
• TextHacker utilizes a learning-based hybrid local search algorithm that estimates word importance through prediction label changes induced via word substitutions and optimizes adversarial perturbations to minimize deviations from original samples;
• GBDA searches for an adversarial distribution, leveraging BERTScore and language model perplexity to enhance perceptual quality and fluency. The integration of these components enables powerful, efficient, and gradient-based textual adversarial attacks.

On the other hand, the text correction dataset is constructed using the FEC dataset and NUCLE dataset [23], both widely adopted as baseline datasets for text correction tasks:

• The FEC dataset consists of 1244 scripts written by international learners of English as a second language. Each script typically contains two errors, with each error annotated and corrected by human annotators based on a framework of 88 error types;
• The NUCLE dataset comprises 1397 argumentative essays covering diverse topics such as technology, healthcare, and finance. Each essay is corrected by an annotator following a taxonomy of 28 error types.

3.4.2. Fine-Tuning of the Perturbation Correction Module

The perturbation correction module in this study is based on the ChatGLM3-6b large language model fine-tuned with low-rank adaptation (LoRA), designed to restore or replace adversarial samples with clean counterparts. The input consists of an adversarial sequence, $x_{adv}=\left\{w_1,w_{adv},w_3,\cdots ,w_i\right\}$, and a prompt, while the output is the corrected sequence $x_{true}=\left\{w_1,w_{true},w_3,\cdots ,w_i\right\}$. The ChatGLM model architecture comprises 28 GLM blocks. Unlike standard transformer modules, each GLM block contains a multi-query attention (MQA) layer and a gated linear unit (GLU), defined as follows:

$$Q_i=Q{W}_i^Q,K^{\prime }=K{W}^K,V^{\prime }=V{W}^V$$

(11)

$${Head}_i=softmax\left({\displaystyle \frac{Q_i{\left(K^{\prime }\right)}^T}{\sqrt{d_k}}}\right)V^{\prime }$$

(12)

$$\mathrm{MQA}(Q,K,V)=\mathrm{Concat}({\mathrm{Head}}_i,\cdots ,{\mathrm{Head}}_h)·W^O$$

(13)

$$FN{N}_{GLU}\left(x,W,V,W_2\right)=\left(\mathrm{Sigmoid}(x{W}_1\right)\otimes xV)W_2$$

(14)

where the following applies: Q, K, and V denote the query, key, and value matrices, respectively; i represents the current head number, and h represents the total number of attention heads; $W_i^Q,W^K,W^V$ are learnable weight matrices; ${Head}_i$ represents the output of the i-th attention head; and $d_k$ is the dimensionality of the key vectors. In MQA, each head maintains its own $Q_i$ matrix, while all heads share the same $K^{\prime }$ and $V^{\prime }$ matrices. Despite sharing $K^{\prime }$ and $V^{\prime }$, each head independently computes its attention distribution. Compared to multi-head attention, MQA reduces memory consumption and improves computational efficiency. $Concat$ denotes vector concatenation, and $FN{N}_{GLU}$ replaces the standard feed-forward network (FFN) layer with a gated linear unit. The parameters $W^O,W_1,W_2$ are optimized during training.

LLMs, pre-trained on massive datasets with substantial computational resources, have acquired extensive general features and patterns, making them foundational for diverse tasks. Building upon these pre-trained models, this study fine-tunes them using an adversarial example perturbation dataset to enhance their performance on downstream specific tasks and meet required benchmarks. Compared to the prohibitive computational costs of full-parameter fine-tuning, LoRA offers a more efficient alternative. LoRA indirectly trains specific dense layers by optimizing rank-decomposition matrices that approximate changes in dense layers during adaptation, while keeping pre-trained weights frozen. This approach significantly improves training efficiency and lowers hardware requirements. The architecture of the perturbation correction module in the LLMAD method is illustrated in Figure 4.

During the training of the perturbation correction module, for a predicted weight matrix, $W_0\in {\mathbb{R}}^{d\times d}$, we approximate the weight update $▵W_{\mathrm{LLMAD}}$ via low-rank decomposition using matrices $A_{LLMAD}$ and $B_{LLMAD}$:

$$W_0+▵W_{\mathrm{LLMAD}}=W_0+B_{LLMAD}{A}_{LLMAD}\left\{\begin{array}{c}{B}_{LLMAD}\in {\mathbb{R}}^{d\times r}\hfill \\ A_{LLMAD}\in {\mathbb{R}}^{r\times k}\hfill \\ r\ll min(d,k)\hfill \end{array}\right.$$

(15)

During training, $W_0$ remains frozen and receives no gradient updates, while $A_{LLMAD}$ and $B_{LLMAD}$ contain trainable parameters. For $h=W_{0}x$, the modified forward propagation result is given via Equation (16):

$$h=W_{0}x+▵W_{\mathrm{LLMAD}}x=W_{0}x+B_{LLMAD}{A}_{LLMAD}x$$

(16)

During training, $A_{LLMAD}$ is random Gaussian-initialized, and $B_{LLMAD}$ is zero-initialized, ensuring that $▵W_{LLMAD}=B_{\mathrm{LLMAD}}{A}_{LLMAD}$ is initially zero. Subsequently, $▵W_{\mathrm{LLMAD}}$ is scaled by ${\displaystyle \frac{a}{r}}$, yielding the final output as Equation (17):

$$h=W_{0}x+{\displaystyle \frac{a}{r}}{B}_{LLMAD}{A}_{LLMAD}x$$

(17)

Inference process of the perturbation correction module: By integrating LoRA, the low-rank matrices are merged with the pre-trained weights. This reduces the number of fine-tuned parameters from $d\times d$ to $2\times r\times d$ while preserving the output dimensionality. The modified model then performs standard forward inference, achieving efficient parameter adaptation without compromising the high performance of the pre-trained model.

When applying the perturbation correction module, adversarial samples are input into the prompt template of the perturbation correction module to construct prompts for the fine-tuned large language model. In

Table 1. Prompt template for perturbation correction module.

Model	Prompt Template	Output
ChatGLM3-6b	input: {adversarial sample} Please correct the spelling and grammar errors in the previous sentence, with minimal modificatio- ns and try not to change the sentence length, and output the corrected sentence	{correct sample}

, adversarial sample denotes the adversarial input, while correct sample represents the corrected output.

In the perturbation correction model, the prompt templates need to constrain the model’s modification range and minimize changes to sentence length, guiding the model to accomplish adversarial example defense tasks with minimal cost, which aligns with real-world perturbation correction scenarios. To address this, this paper applies the constraint statements “minimal modifications” and “try not to change the sentence length” to construct prompt templates.

4. Experiments

4.1. Dataset and Metrics

The datasets used in the study are as follows: the movie review dataset IMDB [24], the news classification dataset AG’s News [25], and the social Q&A dataset Yahoo!Answers [25]. Detailed information about the datasets is shown in

Table 2. Experimental dataset. IMDB for sentiment analysis (positive/negative movie reviews), AG’s News for news topic classification (world/sports/business/sci-tech news topics), and Yahoo!Answers for multi-domain Q&A categorization (health/education/travel, etc.). IMDB uses an official balanced split (50% positive/negative); AG’s News follows a temporal split (pre-2012 for training and 2014 for testing); Yahoo!Answers a adopts random split (5% held out for testing).

Dataset	Classes	Number of Training Samples	Number of Test Samples	Average Length
IMDB	2	25,000	25,000	215
AG’s News	4	120,000	7600	43
Yahoo!Answers	10	140,000	5000	108

.

To assess the performance of perturbation detection, three metrics are employed: precision, recall, and F1-score, as defined in Equations (18)–(20):

$$\mathrm{Precision}={\displaystyle \frac{TP}{TP+FP}}$$

(18)

$$\mathrm{Recall}={\displaystyle \frac{TP}{TP+FN}}$$

(19)

$$\mathrm{F}1\mathrm{-score}={\displaystyle \frac{2\ast \mathrm{Precision}\ast \mathrm{Recall}}{\mathrm{Precision}+\mathrm{Recall}}}$$

(20)

where $TP$ denotes correctly predicted positive samples; $TN$ denotes Correctly predicted negative samples; $FP$ denotes Incorrectly predicted positive samples; $FN$ denotes Incorrectly predicted negative samples.

The effectiveness of adversarial defense methods is measured using the classification accuracy (accuracy) of the model under attack. A higher accuracy after applying defense methods indicates stronger defensive capabilities. The accuracy formula is given in Equation (21):

$$\mathrm{Accuracy}={\displaystyle \frac{TP+TN}{TP+TN+FP+FN}}$$

(21)

4.2. Baselines

For comparison, we chose the following models as the target models and adopted the following methods as baselines.

CNN [26], LSTM [27], and BERT [28], as classic target models extensively utilized in the adversarial defense field with widespread adoption in numerous studies, are shown below:

• CNN: CNN uses multi-scale convolutional kernels, embedding layers, varied convolutions, max-pooling, fully-connected layers, and softmax for text feature extraction and classification.
• LSTM: LSTM network introduces a gated mechanism, employing forget gates, input gates, and output gates to dynamically control the retention, updating, and transmission of sequential state information.
• BERT: BERT, a bidirectional transformer model, uses self-attention and masked language tasks to learn global context. Fine-tuning adapts it to downstream tasks with improved transfer.

Adversarial attack methods are shown below:

• PWWS [29]: PWWS creates text adversarial examples by replacing words with synonyms weighted by word saliency and classification probability change.
• TextFooler [30]: TextFooler generates adversarial text by replacing important words with semantically similar synonyms to alter model predictions while preserving semantic meaning.
• DeepWordBug [31]: DeepWordBug generates adversarial text sequences by identifying critical tokens and applying small character-level transformations to evade deep learning classifiers.

Adversarial defense baselines are shown below:

• FGWS [14]: FGWS detects adversarial examples by replacing infrequent words with semantically similar, more frequent ones based on a frequency analysis of adversarial substitutions.
• WDR [32]: WDR detects adversarial text examples by analyzing logits variation to identify suspicious word-level changes in classifier reactions.
• SEM [33]: SEM defends against synonym substitution attacks by encoding synonyms to unique tokens before the input layer.

4.3. Experiment Setting

The runtime environment is Ubuntu OS with 4 NVIDIA Tesla T4 GPUs and 128 GB of memory. The deep learning framework uses Python 3.12.4 and PyTorch 2.4.1. The key model fine-tuning parameters are as follows: a learning rate of 5 × 10⁻⁵, 3.0 training epochs, a maximum of 100,000 samples, a batch size of 8, gradient accumulation steps of 8, a LoRA rank of 8, a LoRA scaling factor of 16, and other hyperparameters set to default values.

FGWS and WDR algorithms are text-adversarial detection methods, and the minimum confidence threshold for detecting adversarial samples is set to 0.9, with a true positive rate parameter $\gamma =0.85$. For the SEM algorithm, which is a synonym-encoding method, the synonym set $S\left(w\right)$ for each word $w\in W$ is defined as the k nearest words within the Euclidean distance $\delta$ in the embedding space. Here, $k=0.5$, and $\delta =0.5$.

4.4. Main Results

To validate the performance of the proposed LLMAD method in adversarial defense, this section compares it with three baseline methods by evaluating the classification accuracy of the CNN, LSTM, and BERT models under different adversarial attacks. A stronger defense method is indicated by higher classification accuracy and enhanced robustness across various adversarial attacks. Key results are summarized in

Table 3. Defense effectiveness of LLMAD and baseline defense methods on IMDB dataset. We show the Accuracy, with the best performance metrics highlighted in bold for all methods except the None-defense baseline.

Model	Defense Approach	None	PWWS	TextFooler	DeepWord-Bug
CNN	None	89.5	0.8	2.8	1.6
	FGWS	81.5	76.2	76.5	44.1
	WDR	85.2	63.8	67.1	64.7
	SEM	87.4	63.7	63.9	61.7
	LLMAD	88.1	82.4	82.7	83.7
LSTM	None	89	0.4	1.8	0.5
	FGWS	77.4	67.8	68	46.8
	WDR	85	72	75.2	74.1
	SEM	86.3	63.4	63.8	62.2
	LLMAD	87.4	80.4	80.5	76.9
BERT	None	92.2	16.4	8.1	1.7
	FGWS	72.1	60.1	61.2	38.1
	WDR	81.3	65.2	65.4	63.9
	SEM	89.5	70.2	70.8	69.6
	LLMAD	91.6	82.6	82.8	81.4

,

Table 4. Defense effectiveness of LLMAD and baseline defense methods on AG’s News dataset. We show the accuracy, with the best performance metrics highlighted in bold for all methods except the none-defense baseline.

Model	Defense Approach	None	PWWS	TextFooler	DeepWord-Bug
CNN	None	62.9	1.2	1.5	0.9
	FGWS	52.4	47.8	48.2	32.0
	WDR	61.7	50.3	52.0	50.5
	SEM	60.5	34.8	34.5	32.7
	LLMAD	59.8	57.1	57.3	56.8
LSTM	None	65.8	0.6	1.0	0.6
	FGWS	42.8	42.3	41.7	28.1
	WDR	62.7	48.3	49.8	47.2
	SEM	61.9	35.2	35.3	33.8
	LLMAD	62.9	58.0	57.8	57.5
BERT	None	65.9	2.5	1.5	0.9
	FGWS	58.3	44.7	42.5	29.5
	WDR	63.4	50.3	51.0	49,5
	SEM	64.0	39.9	37.5	39.6
	LLMAD	63.2	55.8	55.3	55.7

and

Table 5. Defense effectiveness of LLMAD and baseline defense methods on Yahoo! dataset. We show the accuracy, with the best performance metrics highlighted in bold for all methods except the none-defense baseline.

Model	Defense Approach	None	PWWS	TextFooler	DeepWord-Bug
CNN	None	72.8	6.9	7.3	5.1
	FGWS	63.5	55.1	55.3	38.7
	WDR	72.3	62.7	63.1	62.8
	SEM	69.5	53.6	52.7	52.3
	LLMAD	69.5	66.5	66.3	67.2
LSTM	None	74.9	11.4	10.1	6.8
	FGWS	54.7	47.8	47.9	33.7
	WDR	73.8	61.0	60.5	60.3
	SEM	72.3	57.2	56.5	56.0
	LLMAD	71.9	69.2	68.4	68.1
BERT	None	77.3	21.0	10.5	7.5
	FGWS	70.9	59.9	62.4	37.2
	WDR	75.6	66.8	67.5	65.3
	SEM	75.2	64.6	62.8	62.3
	LLMAD	75.5	71.4	71.8	71.3

, where “None” indicates that the model was not subjected to any attacks or defenses.

As shown in Table 3, on the IMDB dataset, LLMAD improves the classification accuracy by 6.2–39.6% for the CNN model, 2.8–30.1% for the LSTM model, and 11.8–43.3% for the BERT model. In Table 4, on the AG’s News dataset, LLMAD enhances classification accuracy by 5.3–24.8% for the CNN model, 8.0–29.4% for the LSTM model, and 4.3–26.2% for the BERT model. Table 5 demonstrates that, on the Yahoo! Answers dataset, LLMAD achieves accuracy improvements of 3.2–28.5% for the CNN model, 7.8–34.4% for the LSTM model, and 4.3–34.1% for the BERT model. Under various attack scenarios, the classification accuracy of the models improved by an average of 66.8% compared to the undefended state and by an average of 13.4% compared to baseline methods. LLMAD achieved the most optimal defense performance across all three datasets, demonstrating a significant advantage over baseline defense methods.

Additionally, in the absence of attacks, after the LLMAD defense was applied, the classification accuracy of the models on the IMDB dataset showed the least decline, while the performance on the other two datasets remained close to the original sample classification accuracy—defined as the classification accuracy under no attack or defense conditions, corresponding to the value at the intersection of the “None” row and “None” column in the tables—with a decline of no more than 3.3%. Furthermore, compared to the three baseline defense methods, LLMAD achieved classification accuracy closest to the original sample classification accuracy on the IMDB dataset. On the other two datasets, the classification accuracy of LLMAD was slightly lower than that of WDR and SEM methods, but the difference did not exceed 2.7%. These results confirm that LLMAD minimally impacts the correct classification of clean, non-attacked samples while providing robust adversarial defense.

4.5. Perturbation Detection Performance

To validate the perturbation detection performance of the proposed LLMAD method, this section compares it with two baseline methods, FGWS and WDR, by evaluating the recall and F1-scores of CNN, LSTM, and BERT models under diverse adversarial attacks. SEM, which employs synonym encoding, is excluded from perturbation detection comparisons. As shown in

Table 6. Perturbation detection performance on three datasets. We show the Rec (recall) and F1 (F1-scores), with the best performance metrics highlighted in bold.

Dataset	Model	Attack Method	FGWS		WDR		LLMAD
			Rec	F1	Rec	F1	Rec	F1
IMDB	CNN	PWWS	80.2	86	87.9	87.2	97.7	95.8
		TextFooler	75.8	85.1	89.9	91.5	97	94.5
		DeepWordBug	56.7	57.8	91	86.3	95.3	93.1
	LSTM	PWWS	70.7	80.1	92.5	92.4	95	94.6
		TextFooler	77.6	83.7	94.8	95	95.7	95.5
		DeepWordBug	59.8	60.1	92	93.6	96.2	96.1
	BERT	PWWS	82.6	85.9	91.7	93.2	92	93.7
		TextFooler	79.9	86.6	93.7	93.9	97.1	95.2
		DeepWordBug	58.8	64.7	92	91.5	92.2	93.6
AG’s News	CNN	PWWS	86	90.2	91	86.1	94.2	90.5
		TextFooler	82.5	85.9	92.5	87.7	95.3	91.2
		DeepWordBug	49.7	57.2	90.1	85.3	92.3	87.9
	LSTM	PWWS	87.3	86.7	84.6	86.8	94.5	88.5
		TextFooler	89.7	89	91.2	89.8	96.2	91.2
		DeepWordBug	56.7	62.1	83.4	83.3	88.6	84.1
	BERT	PWWS	85	89.5	87.9	90.6	91.9	92.2
		TextFooler	81.5	87.5	84.5	86.3	91.7	90.5
		DeepWordBug	62.2	67.9	75.4	78.3	85.3	85.8
Yahoo!	CNN	PWWS	79.8	85.7	89.5	89.2	94.8	94.1
		TextFooler	74.3	84	88.7	89.8	94.5	93.2
		DeepWordBug	55.2	56.4	89.6	84.5	93.8	91.5
	LSTM	PWWS	82.3	86.1	90.8	90.1	93.4	92.3
		TextFooler	89.2	89.5	92.6	92.7	94.2	94.0
		DeepWordBug	58.4	63.5	90.3	91.8	91.5	92.4
	BERT	PWWS	81.1	84.6	91.5	92.4	91.8	92.1
		TextFooler	78.4	85.3	91.8	91.7	95.4	94.6
		DeepWordBug	59.5	63.9	89.9	90.5	90.2	90.3

, across 27 experimental groups involving different adversarial attacks, LLMAD achieves stable and superior detection performance. On the IMDB dataset, the LLMAD method achieved an average F1-score improvement of 18% over the FGWS method and 2.9% over the WDR method; on the AG’s News dataset, it improved the average F1-score by 9.5% compared to FGWS and 3% compared to WDR; on the Yahoo!Answers dataset, LLMAD outperformed FGWS by an average F1-score margin of 15.1% and WDR by 2.5%. The experimental results demonstrate that the LLMAD method attained higher recall rates and F1-scores in most cases, consistently surpassing baseline methods and exhibiting comprehensive detection performance advantages.

4.6. Semantic Similarity Performance

To validate that the text samples defended with LLMAD are semantically closer to the original samples, this section presents comparative experiments with two baseline methods (FGWS and WDR) on the IMDB dataset. We measure the semantic similarity between the original texts and the adversarial-defended texts across CNN, LSTM, and BERT models under different attacks using the Universal Sense Encoder (USE). As shown in

Table 7. Semantic similarity performance on the IMDB dataset. We approximate the semantic similarity between the defended sample and the original sample by demonstrating the cosine similarity calculated using USE, with the best performance metrics highlighted in bold.

Model	Attack Method	FGWS	WDR	LLMAD
CNN	PWWS	83.5	84.9	85.8
	TextFooler	85.2	86.4	88.0
	DeepWordBug	85.0	86.6	87.8
LSTM	PWWS	80.3	81.5	83.1
	TextFooler	83.5	84.8	86.2
	DeepWordBug	88.9	90.2	91.6
BERT	PWWS	92.7	94.0	95.4
	TextFooler	94.2	95.5	96.9
	DeepWordBug	92.1	93.5	95.8

, our proposed LLMAD method consistently achieves higher semantic similarity scores than baseline methods, demonstrating that samples processed via LLMAD better preserve the original semantic content compared to those modified with existing defense approaches.

4.7. Ablation Study

To validate the impact of different modules in the LLMAD method on defense performance, ablation experiments were conducted on the IMDB dataset using CNN, LSTM, and BERT models by removing either the perturbation detection module or the perturbation correction module during adversarial defense tasks. The experimental groups included ODDMAD (adversarial defense with only disturbance detection module), which retains the detection module and employs BERT to generate replacement words for defense, and ODCMAD (adversarial defense with only disturbance correction module), which retains only the correction module. The results of the ablation experiments in this paper are shown in

Table 8. Ablation results on IMDB datasets. We show the accuracy, with the best performance metrics highlighted in bold for all methods.

Model	Defense Approach	None	PWWS	TextFooler	DeepWord-Bug
CNN	None	89.5	0.8	2.8	1.6
	ODDMAD	89.1	76.9	76.3	78.7
	ODCMAD	86.7	79.6	79.5	81.3
	MMLAD	88.1	82.4	82.7	83.7
LSTM	None	89	0.4	1.8	0.5
	ODDMAD	89.3	74	75.1	72.6
	ODCMAD	87.4	77.2	77.9	75.1
	MMLAD	87.4	80.4	80.5	76.9
BERT	None	92.2	16.4	8.1	1.7
	ODDMAD	91.2	74.3	76.8	74.1
	ODCMAD	90.6	78.2	80.5	79.5
	MMLAD	91.6	82.6	82.8	81.4

.

As shown in the table, compared to the full LLMAD framework, models defended with ODDMAD exhibit average accuracy reductions of 5.3–7.2% under various attacks, while those defended with ODCMAD show average reductions of 2.5–2.9%. These results indicate that using either module alone degrades defense effectiveness relative to LLMAD. The combined integration of the perturbation detection module and perturbation correction module yields effective performance improvement, demonstrating their synergistic necessity for robust adversarial defense.

5. Discussion

5.1. Future Research Directions

The proposed LLMAD method demonstrates significant potential in text adversarial defense tasks, yet further optimization and expansion necessitate exploration across multiple dimensions for future research directions. Technical pathway optimization could involve investigating the performance disparities of alternative large language models in adversarial defense, particularly validating whether retrieval-augmented architectures can reduce computational costs while preserving high correction accuracy. Additionally, cross-lingual generalization represents a critical direction for validation—for instance, adapting the framework to morphologically complex languages (e.g., Chinese polyphonic characters or Arabic agglutinative roots). This necessitates the construction of multilingual adversarial perturbation datasets and the design of language-adaptive detection modules.

At the data and experimental design level, it is advisable to build larger-scale adversarial example perturbation datasets that incorporate diverse attack types (e.g., text style transfer, syntax perturbations with semantic preservation) and explore an “adversarial co-training” mechanism to jointly optimize detection and correction modules, enabling iterative robustness enhancement in dynamic adversarial environments. Systematic experiments should also be designed to compare the impact of fine-tuning strategies (e.g., LoRA adapters, prompt engineering, and full-parameter fine-tuning) on defense performance, particularly under resource-constrained or few-shot scenarios. Future work ought to incorporate domain-specific knowledge (e.g., medical or legal texts) to establish vertical domain-specific defense benchmarks, thereby driving the transition from generic defense frameworks to task-specific paradigms. This progression would address domain-tailored adversarial threats while maintaining cross-task generalizability.

5.2. Practical Application

In practical applications, LLMAD can be integrated into online review analysis systems to provide defense against adversarial attacks.

Typical application scenarios encompass sentiment analysis of user reviews on e-commerce platforms and public opinion monitoring on social media platforms. The workflow of such systems generally consists of four sequential stages: data input, preprocessing, sentiment analysis, and result output. Within this framework, the perturbation detection module can identify adversarial perturbations in input texts during the preprocessing phase. Subsequently, the perturbation correction module transforms detected adversarial examples into semantically consistent clean text prior to sentiment analysis. By strategically positioning LLMAD at these two critical junctures, the collaborative mechanism between perturbation detection and correction effectively mitigates adversarial attacks while maintaining textual integrity.

5.3. Statistical Significance Test

To evaluate the statistical significance of performance improvements on the IMDB dataset, we conducted independent two-sample t-tests comparing LLMAD against both FGWS and WDR baselines across 20 independent experimental runs, with statistical significance determined at $\alpha$ = 0.05 and adjusted for multiple comparisons using Bonferroni correction. Given the extensive scope covering four attack types and two baseline comparisons per model (totaling 24 test cases), we present only the most critical results, focusing on the most significant comparisons per model or attack method. The results of the statistical significance test in this paper are shown in

Table 9. On the IMDB dataset, independent two-sample t-tests were conducted for the LLMAD method with Bonferroni correction applied for multiple comparison adjustments. The p-value served as the significance threshold, where the null hypothesis was rejected only when p < 0.0083 under the Bonferroni-adjusted significance level ($\alpha$ = 0.0083).

Model	Comparison Pair	Attack Methods	t(38)	p-Value	Significant
CNN	LLMAD vs. FGWS	DeepWordBug	10.21	0.001	Yes
CNN	LLMAD vs. WDR	DeepWordBug	8.76	0.001	Yes
CNN	LLMAD vs. FGWS	PWWS	4.21	0.001	Yes
CNN	LLMAD vs. WDR	PWWS	3.76	0.002	Yes
LSTM	LLMAD vs. FGWS	TextFooler	6.34	0.001	Yes
LSTM	LLMAD vs. WDR	TextFooler	5.12	0.001	Yes
BERT	LLMAD vs. FGWS	None	9.78	0.001	Yes
BERT	LLMAD vs. WDR	None	7.45	0.001	Yes

.

The t-test results conclusively demonstrate that LLMAD’s accuracy gains are not attributable to random variation, with statistically significant superiority over baselines across all attack scenarios (all p-values < 0.0083 after Bonferroni correction). This robust statistical evidence validates our hypothesis that LLMAD enhances adversarial defense capability.

5.4. Case Study

To validate the practical defensive efficacy of LLMAD, we conducted case analyses on specific adversarial instances. The purpose of our case study was to validate the effectiveness of LLMAD’s adversarial perturbation detection and correction mechanisms through comparative analysis of adversarial and post-defense samples, and to demonstrate its ability to preserve semantic integrity and rectify classification outcomes.

As illustrated in Figure 5, adversarial perturbations in the sample (e.g., “trOied”, “mvoie”, “axfully”, and “solppy”) are detected as adversarial modifications. The sample is consequently identified as adversarial and forwarded to the large language model for perturbation correction. Post-defense, these perturbations are successfully eliminated and corrected to “tried”, “movie”, “awfully”, and “sloppy”, respectively. The specific insights we can obtain from the case study are as follows:

• Adversarial perturbation detection: The heatmap highlights significantly elevated perturbation probabilities (darker hues) in tampered words (e.g., “trOied”), confirming the detection module’s precision in localizing adversarial modifications.
• Linguistic error correction: the defense module not only corrects adversarial perturbations (e.g., “mvoie”→“movie”) but also adaptively fixes grammatical errors in original samples (e.g., capitalizing “The”).
• Classification outcome rectification: the post-defense sample’s classification shifts from “positive” to “negative”, empirically proving that perturbation correction restores the model’s understanding of true semantic meaning.

Figure 5. Probability heatmap visualization. The perturbation detection module generates probability heatmaps where darker hues indicate higher probabilities of adversarial perturbation predictions. Color intensity → adversarial perturbation probability (0–1); tampered tokens in adversarial samples (e.g., ’trOied’, ’mvoie’) exhibit high perturbation probabilities (dark hues).

Figure 5. Probability heatmap visualization. The perturbation detection module generates probability heatmaps where darker hues indicate higher probabilities of adversarial perturbation predictions. Color intensity → adversarial perturbation probability (0–1); tampered tokens in adversarial samples (e.g., ’trOied’, ’mvoie’) exhibit high perturbation probabilities (dark hues).

6. Conclusions

This paper has proposed LLMAD, a text disturbance detection and correction-based adversarial sample defense method for large language models. The method comprises two core modules: a disturbance detection module that identifies potential disturbances in input text and assesses their adversarial nature, and a disturbance correction module that replaces disturbances in adversarial samples to accomplish adversarial defense. The experimental results demonstrate that LLMAD achieves 81.5% average accuracy on the IMDB dataset, 56.8% on AG’s News, and 68.9% on Yahoo!Answers, significantly outperforming baseline defense methods. The perturbation detection module improves F1-scores by 0.3% to 26.7% compared to existing approaches. Ablation studies reveal that LLMAD enhances accuracy by 2.5% to 7.2% over single-module variants. These findings validate the method’s capability of enhancing model robustness against diverse adversarial attacks while ensuring the accuracy and reliability of results. For future work, the authors of this paper plan to integrate adversarial defense with diverse large models to explore the development of more efficient and accurate text adversarial defense methods.