{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,23]],"date-time":"2026-01-23T17:11:16Z","timestamp":1769188276973,"version":"3.49.0"},"reference-count":57,"publisher":"MDPI AG","issue":"8","license":[{"start":{"date-parts":[[2025,8,2]],"date-time":"2025-08-02T00:00:00Z","timestamp":1754092800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Computers"],"abstract":"Adversarial attacks in Natural Language Processing (NLP) present a critical challenge, particularly in sentiment analysis, where subtle input modifications can significantly alter model predictions. In search of more robust defenses against adversarial attacks on sentimental analysis, this research work introduces two novel defense mechanisms: the Lexicon-Based Random Substitute Model (LRSM) and the Word-Variant Voting Model (WVVM). LRSM employs randomized substitutions from a dataset-specific lexicon to generate diverse input variations, disrupting adversarial strategies by introducing unpredictability. Unlike traditional defenses requiring synonym dictionaries or precomputed semantic relationships, LRSM directly substitutes words with random lexicon alternatives, reducing overhead while maintaining robustness. Notably, LRSM not only neutralizes adversarial perturbations but occasionally surpasses the original accuracy by correcting inherent model misclassifications. Building on LRSM, WVVM integrates LRSM, Frequency-Guided Word Substitution (FGWS), and Synonym Random Substitution and Voting (RS&V) in an ensemble framework that adaptively combines their outputs. Logistic Regression (LR) emerged as the optimal ensemble configuration, leveraging its regularization parameters to balance the contributions of individual defenses. WVVM consistently outperformed standalone defenses, demonstrating superior restored accuracy and F1 scores across adversarial scenarios. The proposed defenses were evaluated on two well-known sentiment analysis benchmarks: the IMDB Sentiment Dataset and the Yelp Polarity Dataset. The IMDB dataset, comprising 50,000 labeled movie reviews, and the Yelp Polarity dataset, containing labeled business reviews, provided diverse linguistic challenges for assessing adversarial robustness. Both datasets were tested using 4000 adversarial examples generated by established attacks, including Probability Weighted Word Saliency, TextFooler, and BERT-based Adversarial Examples. WVVM and LRSM demonstrated superior performance in restoring accuracy and F1 scores across both datasets, with WVVM excelling through its ensemble learning framework. LRSM improved restored accuracy from 75.66% to 83.7% when compared to the second-best individual model, RS&V, while the Support Vector Classifier WVVM variation further improved restored accuracy to 93.17%. Logistic Regression WVVM achieved an F1 score of 86.26% compared to 76.80% for RS&V. These findings establish LRSM and WVVM as robust frameworks for defending against adversarial text attacks in sentiment analysis.<\/jats:p>","DOI":"10.3390\/computers14080315","type":"journal-article","created":{"date-parts":[[2025,8,4]],"date-time":"2025-08-04T13:11:11Z","timestamp":1754313071000},"page":"315","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":2,"title":["Lexicon-Based Random Substitute and Word-Variant Voting Models for Detecting Textual Adversarial Attacks"],"prefix":"10.3390","volume":"14","author":[{"given":"Tarik","family":"El Lel","sequence":"first","affiliation":[{"name":"Bytedance FZ LLC, Dubai P.O. Box 503045, United Arab Emirates"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-7300-506X","authenticated-orcid":false,"given":"Mominul","family":"Ahsan","sequence":"additional","affiliation":[{"name":"Department of Computer Science, University of York, Deramore Lane, York YO10 5GH, UK"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-2671-0516","authenticated-orcid":false,"given":"Majid","family":"Latifi","sequence":"additional","affiliation":[{"name":"Department of Computer Science, University of York, Deramore Lane, York YO10 5GH, UK"}]}],"member":"1968","published-online":{"date-parts":[[2025,8,2]]},"reference":[{"key":"ref_1","unstructured":"Goodfellow, I.J., Shlens, J., and Szegedy, C. (2024, January 19). Explaining and harnessing adversarial examples. Proceedings of the International Conference on Learning Representations (ICLR), San Diego, CA, USA."},{"key":"ref_2","unstructured":"Szegedy, C., Zaremba, W., Sutskever, I., Bruna, J., Erhan, D., Goodfellow, I., and Fergus, R. (2014, January 14\u201316). Intriguing Properties of Neural Networks. Proceedings of the International Conference on Learning Representations (ICLR 2014), Banff, AB, Canada."},{"key":"ref_3","unstructured":"Tram\u00e8r, F., Kurakin, A., Papernot, N., Goodfellow, I., Boneh, D., and McDaniel, P. (2018, January 16). Ensemble Adversarial Training: Attacks and Defenses. Proceedings of the International Conference on Learning Representations (ICLR 2018), Vancouver, BC, Canada."},{"key":"ref_4","doi-asserted-by":"crossref","first-page":"6453","DOI":"10.1109\/ACCESS.2020.3048120","article-title":"Gradient Masking of Label Smoothing in Adversarial Robustness","volume":"9","author":"Lee","year":"2021","journal-title":"IEEE Access"},{"key":"ref_5","doi-asserted-by":"crossref","unstructured":"Zhao, W., Alwidian, S., and Mahmoud, Q.H. (2022). Adversarial Training Methods for Deep Learning: A Systematic Review. Algorithms, 15.","DOI":"10.3390\/a15080283"},{"key":"ref_6","unstructured":"Madry, A., Makelov, A., Schmidt, L., Tsipras, D., and Vladu, A. (May, January 30). Towards Deep Learning Models Resistant to Adversarial Attacks. Proceedings of the 6th International Conference on Learning Representations (ICLR 2018), Vancouver, BC, Canada."},{"key":"ref_7","unstructured":"Wu, Y., Yuan, C., and Wu, S.-H. (2020, January 13\u201318). Adversarial Robustness via Runtime Masking and Cleansing. Proceedings of the 37th International Conference on Machine Learning (ICML 2020), Virtual Event."},{"key":"ref_8","doi-asserted-by":"crossref","first-page":"151","DOI":"10.1007\/s11633-019-1211-x","article-title":"Adversarial Attacks and Defenses in Images, Graphs and Text: A Review","volume":"17","author":"Xu","year":"2020","journal-title":"Int. J. Autom. Comput."},{"key":"ref_9","unstructured":"Devlin, J., Chang, M.-W., Lee, K., and Toutanova, K. (2019, January 2\u20137). BERT: Pre-training of Deep Bidirectional Transformers for Language Understanding. Proceedings of the 2019 Conference of the North American Chapter of the Association for Computational Linguistics: Human Language Technologies (NAACL-HLT 2019), Minneapolis, MN, USA."},{"key":"ref_10","unstructured":"Brown, T.B., Mann, B., Ryder, N., Subbiah, M., Kaplan, J., Dhariwal, P., Neelakantan, A., Shyam, P., Sastry, G., and Askell, A. (2020, January 6\u201312). Language Models are Few-Shot Learners. Proceedings of the 33rd Conference on Neural Information Processing Systems (NeurIPS 2020), Virtual Event."},{"key":"ref_11","doi-asserted-by":"crossref","first-page":"104278","DOI":"10.1016\/j.cose.2024.104278","article-title":"Textual Adversarial Attacks in Cybersecurity Named Entity Recognition","volume":"150","author":"Jiang","year":"2025","journal-title":"Comput. Secur."},{"key":"ref_12","doi-asserted-by":"crossref","unstructured":"Roumeliotis, K.I., Tselikas, N.D., and Nasiopoulos, D.K. (2024). Next-Generation Spam Filtering: Comparative Fine-Tuning of LLMs, NLPs, and CNN Models for Email Spam Classification. Electronics, 13.","DOI":"10.3390\/electronics13112034"},{"key":"ref_13","doi-asserted-by":"crossref","first-page":"137","DOI":"10.1007\/s40012-018-0193-0","article-title":"Detection of Spam Reviews: A Sentiment Analysis Approach","volume":"6","author":"Visvesvaraya","year":"2018","journal-title":"CSI Trans. ICT"},{"key":"ref_14","doi-asserted-by":"crossref","unstructured":"Chen, Y., Gao, H., Cui, G., Qi, F., Huang, L., Liu, Z., and Sun, M. (2022, January 7\u201311). Why Should Adversarial Perturbations be Imperceptible? Rethink the Research Paradigm in Adversarial NLP. Proceedings of the 2022 Conference on Empirical Methods in Natural Language Processing (EMNLP 2022), Abu Dhabi, United Arab Emirates.","DOI":"10.18653\/v1\/2022.emnlp-main.771"},{"key":"ref_15","unstructured":"Nestaas, F., Debenedetti, E., and Tram\u00e8r, F. (2024). Adversarial Search Engine Optimization for Large Language Models. arXiv, Available online: https:\/\/arxiv.org\/abs\/2406.18382."},{"key":"ref_16","doi-asserted-by":"crossref","unstructured":"Young, J.C., Arthur, R., and Williams, H.T.P. (2024). CIDER: Context-Sensitive Polarity Measurement for Short-Form Text. PLoS ONE, 19.","DOI":"10.1371\/journal.pone.0299490"},{"key":"ref_17","doi-asserted-by":"crossref","unstructured":"Li, Z., Xu, J., Zeng, J., Li, L., Zheng, X., Zhang, Q., Chang, K.-W., and Hsieh, C.-J. (2021, January 7\u201311). Searching for an Effective Defender: Benchmarking Defense against Adversarial Word Substitution. Proceedings of the 2021 Conference on Empirical Methods in Natural Language Processing (EMNLP 2021), Punta Cana, Dominican Republic.","DOI":"10.18653\/v1\/2021.emnlp-main.251"},{"key":"ref_18","doi-asserted-by":"crossref","unstructured":"Xie, Y., Wang, D., Chen, P.-Y., Xiong, J., Liu, S., and Koyejo, O. (2022, January 10\u201315). A Word is Worth a Thousand Dollars: Adversarial Attack on Tweets Fools Stock Prediction. Proceedings of the 2022 Conference of the North American Chapter of the Association for Computational Linguistics: Human Language Technologies (NAACL 2022), Seattle, WA, USA.","DOI":"10.18653\/v1\/2022.naacl-main.43"},{"key":"ref_19","first-page":"1","article-title":"Adversarial Attacks on Deep-Learning Models in Natural Language Processing: A Survey","volume":"11","author":"Zhang","year":"2020","journal-title":"ACM Trans. Intell. Syst. Technol."},{"key":"ref_20","doi-asserted-by":"crossref","unstructured":"Li, J., Ji, S., Du, T., Li, B., and Wang, T. (2019, January 24\u201327). TextBugger: Generating Adversarial Text Against Real-World Applications. Proceedings of the 26th Annual Network and Distributed System Security Symposium (NDSS 2019), San Diego, CA, USA.","DOI":"10.14722\/ndss.2019.23138"},{"key":"ref_21","doi-asserted-by":"crossref","first-page":"17966","DOI":"10.1109\/ACCESS.2022.3148413","article-title":"A Differentiable Language Model Adversarial Attack on Text Classifiers","volume":"10","author":"Fursov","year":"2022","journal-title":"IEEE Access"},{"key":"ref_22","doi-asserted-by":"crossref","first-page":"332","DOI":"10.1145\/3593042","article-title":"A Survey of Adversarial Defenses and Robustness in NLP","volume":"55","author":"Goyal","year":"2023","journal-title":"ACM Comput. Surv."},{"key":"ref_23","doi-asserted-by":"crossref","first-page":"103817","DOI":"10.1016\/j.cose.2024.103817","article-title":"BFS2Adv: Black-Box Adversarial Attack Towards Hard-to-Attack Short Texts","volume":"141","author":"Han","year":"2024","journal-title":"Comput. Secur."},{"key":"ref_24","unstructured":"Belinkov, Y., and Bisk, Y. (2017). Synthetic and Natural Noise Both Break Neural Machine Translation. arXiv, Available online: https:\/\/arxiv.org\/abs\/1711.02173."},{"key":"ref_25","doi-asserted-by":"crossref","unstructured":"Zang, Y., Qi, F., Yang, C., Liu, Z., Zhang, M., Liu, Q., and Sun, M. (2020, January 5\u201310). Word-Level Textual Adversarial Attacking as Combinatorial Optimization. Proceedings of the 58th Annual Meeting of the Association for Computational Linguistics (ACL 2020), Online.","DOI":"10.18653\/v1\/2020.acl-main.540"},{"key":"ref_26","doi-asserted-by":"crossref","first-page":"106971","DOI":"10.1016\/j.neunet.2024.106971","article-title":"Strongly Concealed Adversarial Attack Against Text Classification Models with Limited Queries","volume":"162","author":"Cheng","year":"2025","journal-title":"Neural Netw."},{"key":"ref_27","doi-asserted-by":"crossref","first-page":"102433","DOI":"10.1016\/j.cose.2021.102433","article-title":"BDDR: An Effective Defense Against Textual Backdoor Attacks","volume":"102","author":"Shao","year":"2021","journal-title":"Comput. Secur."},{"key":"ref_28","unstructured":"Zhao, Z., Dua, D., and Singh, S. (May, January 30). Generating Natural Adversarial Examples. Proceedings of the International Conference on Learning Representations (ICLR 2018), Vancouver, BC, Canada."},{"key":"ref_29","doi-asserted-by":"crossref","first-page":"6458488","DOI":"10.1155\/2022\/6458488","article-title":"Text Adversarial Attacks and Defenses: Issues, Taxonomy, and Perspectives","volume":"2022","author":"Han","year":"2022","journal-title":"Secur. Commun. Netw."},{"key":"ref_30","doi-asserted-by":"crossref","unstructured":"Omar, M., and Zaiqan, M.M. (2024). Investigating the Limitations of Adversarial Training for Language Models in Realistic Spam Filter Deployment Scenarios. Redefining Security with Cyber AI, IGI Global.","DOI":"10.4018\/979-8-3693-6517-5"},{"key":"ref_31","doi-asserted-by":"crossref","first-page":"11948","DOI":"10.1007\/s10489-021-02800-w","article-title":"Fine-Tuning More Stable Neural Text Classifiers for Defending Word Level Adversarial Attacks","volume":"52","author":"Wu","year":"2022","journal-title":"Appl. Intell."},{"key":"ref_32","first-page":"101829","article-title":"A Hybrid Approach for Adversarial Attack Detection Based on Sentiment Analysis Model Using Machine Learning","volume":"58","author":"Amin","year":"2024","journal-title":"Eng. Sci. Technol. Int. J."},{"key":"ref_33","doi-asserted-by":"crossref","first-page":"3898","DOI":"10.1109\/ACCESS.2022.3146405","article-title":"Adversarial Machine Learning in Text Processing: A Literature Survey","volume":"10","author":"Alsmadi","year":"2022","journal-title":"IEEE Access"},{"key":"ref_34","doi-asserted-by":"crossref","unstructured":"Mozes, M., Bartolo, M., Stenetorp, P., Kleinberg, B., and Griffin, L.D. (2021, January 7\u201311). Contrasting Human- and Machine-Generated Word-Level Adversarial Examples for Text Classification. Proceedings of the 2021 Conference on Empirical Methods in Natural Language Processing (EMNLP 2021), Online and Punta Cana, Dominican Republic.","DOI":"10.18653\/v1\/2021.emnlp-main.651"},{"key":"ref_35","doi-asserted-by":"crossref","unstructured":"Pruthi, A., Mangat, F.D., and Liang, V.D. (August, January 28). Combating Adversarial Misspellings with Robust Word Recognition. Proceedings of the 57th Annual Meeting of the Association for Computational Linguistics (ACL 2019), Florence, Italy.","DOI":"10.18653\/v1\/P19-1561"},{"key":"ref_36","doi-asserted-by":"crossref","first-page":"119501","DOI":"10.1016\/j.ins.2023.119501","article-title":"Masking and Purifying Inputs for Blocking Textual Adversarial Attacks","volume":"648","author":"Zhang","year":"2023","journal-title":"Inf. Sci."},{"key":"ref_37","first-page":"289","article-title":"Defense Against Adversarial Attacks via Textual Embeddings Based on Semantic Associative Field","volume":"36","author":"Zhang","year":"2023","journal-title":"Neural Comput. Appl."},{"key":"ref_38","doi-asserted-by":"crossref","first-page":"126787","DOI":"10.1016\/j.neucom.2023.126787","article-title":"Evading text based emotion detection mechanism via adversarial attacks","volume":"558","author":"Bajaj","year":"2023","journal-title":"Neurocomputing"},{"key":"ref_39","doi-asserted-by":"crossref","unstructured":"Cheng, Y., Jiang, L., Macherey, W., and Eisenstein, J. (2020, January 5\u201310). AdvAug: Robust Adversarial Augmentation for Neural Machine Translation. Proceedings of the 58th Annual Meeting of the Association for Computational Linguistics (ACL 2020), Online.","DOI":"10.18653\/v1\/2020.acl-main.529"},{"key":"ref_40","doi-asserted-by":"crossref","unstructured":"Omar, M., Choi, S., Nyang, D., and Mohaisen, D. (2022, January 23). Quantifying the Performance of Adversarial Training on Language Models with Distribution Shifts. Proceedings of the 1st Workshop on Cybersecurity and Social Sciences (CySSS), Nagasaki, Japan.","DOI":"10.1145\/3494108.3522764"},{"key":"ref_41","unstructured":"Wang, X., Jin, H., Yang, Y., and He, K. (2021, January 27\u201330). Natural Language Adversarial Defense through Synonym Encoding. Proceedings of the 37th Conference on Uncertainty in Artificial Intelligence (UAI 2021), Virtual Event."},{"key":"ref_42","doi-asserted-by":"crossref","unstructured":"Zhou, Y., Zheng, X., Hsieh, C.-J., Chang, K.-W., and Huang, X. (2021, January 1\u20136). Defense Against Synonym Substitution-Based Adversarial Attacks via Dirichlet Neighborhood Ensemble. Proceedings of the 59th Annual Meeting of the Association for Computational Linguistics (ACL 2021), Online.","DOI":"10.18653\/v1\/2021.acl-long.426"},{"key":"ref_43","unstructured":"Wang, X., Xiong, Y., and He, K. (2022, January 1\u20135). Detecting Textual Adversarial Examples through Randomized Substitution and Vote. Proceedings of the 38th Conference on Uncertainty in Artificial Intelligence (UAI 2022), Online."},{"key":"ref_44","doi-asserted-by":"crossref","unstructured":"Zhou, Y., Jiang, J.-Y., Chang, K.-W., and Wang, W. (2019, January 3\u20137). Learning to Discriminate Perturbations for Blocking Adversarial Attacks in Text Classification. Proceedings of the 2019 Conference on Empirical Methods in Natural Language Processing and the 9th International Joint Conference on Natural Language Processing (EMNLP-IJCNLP 2019), Hong Kong, China.","DOI":"10.18653\/v1\/D19-1496"},{"key":"ref_45","doi-asserted-by":"crossref","unstructured":"Mozes, M., Stenetorp, P., Kleinberg, B., and Griffin, L.D. (2021, January 19\u201323). Frequency-Guided Word Substitutions for Detecting Textual Adversarial Examples. Proceedings of the 16th Conference of the European Chapter of the Association for Computational Linguistics (EACL 2021), Online.","DOI":"10.18653\/v1\/2021.eacl-main.13"},{"key":"ref_46","unstructured":"Zhang, X., Zhao, J., and LeCun, Y. (2015, January 7\u201312). Character-Level Convolutional Networks for Text Classification. Proceedings of the 28th Conference on Neural Information Processing Systems (NeurIPS 2015), Montreal, QC, Canada."},{"key":"ref_47","unstructured":"Maas, A.L., Daly, R.E., Pham, P.T., Huang, D., Ng, A.Y., and Potts, C. (2011, January 19\u201324). Learning Word Vectors for Sentiment Analysis. Proceedings of the 49th Annual Meeting of the Association for Computational Linguistics: Human Language Technologies (ACL-HLT 2011), Portland, OR, USA."},{"key":"ref_48","doi-asserted-by":"crossref","unstructured":"Ren, J., Zheng, H., Chen, C., Chen, B., Yang, J., Liu, T., and Chen, X. (August, January 28). Generating Natural Language Adversarial Examples through Probability Weighted Word Saliency. Proceedings of the 57th Annual Meeting of the Association for Computational Linguistics (ACL 2019), Florence, Italy.","DOI":"10.18653\/v1\/P19-1103"},{"key":"ref_49","doi-asserted-by":"crossref","unstructured":"Jin, D., Jin, Z., Zhou, J.T., and Szolovits, P. (2020, January 7\u201312). Is BERT Really Robust? A Strong Baseline for Natural Language Attack on Text Classification and Entailment. Proceedings of the 34th AAAI Conference on Artificial Intelligence (AAAI 2020), New York, NY, USA.","DOI":"10.1609\/aaai.v34i05.6311"},{"key":"ref_50","doi-asserted-by":"crossref","unstructured":"Garg, S., and Ramakrishnan, M.K. (2020, January 16\u201320). BAE: BERT-Based Adversarial Examples for Text Classification. Proceedings of the 2020 Conference on Empirical Methods in Natural Language Processing (EMNLP 2020), Online.","DOI":"10.18653\/v1\/2020.emnlp-main.498"},{"key":"ref_51","doi-asserted-by":"crossref","unstructured":"Morris, J.X., Lifland, E., Yoo, J.Y., Grigsby, J., Jin, D., and Qi, Y. (2020, January 16\u201320). TextAttack: A Framework for Adversarial Attacks, Data Augmentation, and Adversarial Training in NLP. Proceedings of the 2020 Conference on Empirical Methods in Natural Language Processing (EMNLP 2020), Online.","DOI":"10.18653\/v1\/2020.emnlp-demos.16"},{"key":"ref_52","doi-asserted-by":"crossref","first-page":"1735","DOI":"10.1162\/neco.1997.9.8.1735","article-title":"Long Short-Term Memory","volume":"9","author":"Hochreiter","year":"1997","journal-title":"Neural Comput."},{"key":"ref_53","doi-asserted-by":"crossref","unstructured":"Sang, S., and Li, L. (2024). A Novel Variant of LSTM Stock Prediction Method Incorporating Attention Mechanism. Mathematics, 12.","DOI":"10.3390\/math12070945"},{"key":"ref_54","doi-asserted-by":"crossref","unstructured":"Kim, Y. (2014, January 25\u201329). Convolutional Neural Networks for Sentence Classification. Proceedings of the 2014 Conference on Empirical Methods in Natural Language Processing (EMNLP 2014), Doha, Qatar.","DOI":"10.3115\/v1\/D14-1181"},{"key":"ref_55","doi-asserted-by":"crossref","unstructured":"Elbatarny, L., Do, R., Gangai, N., Ahmed, F., Chhabra, S., and Simpson, A. (2023). Applying Natural Language Processing to Single-Report Prediction of Metastatic Disease Response Using the OR-RADS Lexicon. Cancers, 15.","DOI":"10.3390\/cancers15204909"},{"key":"ref_56","first-page":"127","article-title":"Adaptive Gradient-Based Word Saliency for Adversarial Text Attacks","volume":"512","author":"Chen","year":"2024","journal-title":"Neurocomputing"},{"key":"ref_57","first-page":"157","article-title":"TextFirewall: Omni-Defending Against Adversarial Texts in Sentiment Classification","volume":"9","author":"Wang","year":"2021","journal-title":"IEEE Access"}],"container-title":["Computers"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2073-431X\/14\/8\/315\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,9]],"date-time":"2025-10-09T18:21:58Z","timestamp":1760034118000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2073-431X\/14\/8\/315"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,8,2]]},"references-count":57,"journal-issue":{"issue":"8","published-online":{"date-parts":[[2025,8]]}},"alternative-id":["computers14080315"],"URL":"https:\/\/doi.org\/10.3390\/computers14080315","relation":{},"ISSN":["2073-431X"],"issn-type":[{"value":"2073-431X","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,8,2]]}}}