Universal Adversarial Attacks with Natural Triggers for Text Classification

Liwei Song, Xinwei Yu, Hsuan-Tung Peng, Karthik Narasimhan

TL;DR

This work introduces Natural Universal Trigger Search (NUTS), a method to generate universal adversarial text triggers that are fluent and semantically meaningful by leveraging an adversarially regularized autoencoder (ARAE). The approach uses gradient-guided optimization with a Gumbel-softmax reparameterization and an L2-constrained noise space to produce triggers that maximize classifier loss while remaining natural (as measured by GPT-2 loss and grammar checks). Empirical results on SST and SNLI show substantial accuracy drops and triggers that humans rate as more natural than prior baselines, with notable transferability across models and datasets. The work highlights vulnerabilities in NLP models and emphasizes the need for defenses against harder-to-detect adversarial triggers, supported by a human-subject study and extensive defense-metric analyses.

Abstract

Recent work has demonstrated the vulnerability of modern text classifiers to universal adversarial attacks, which are input-agnostic sequences of words added to text processed by classifiers. Despite being successful, the word sequences produced in such attacks are often ungrammatical and can be easily distinguished from natural text. We develop adversarial attacks that appear closer to natural English phrases and yet confuse classification systems when added to benign inputs. We leverage an adversarially regularized autoencoder (ARAE) to generate triggers and propose a gradient-based search that aims to maximize the downstream classifier's prediction loss. Our attacks effectively reduce model accuracy on classification tasks while being less identifiable than prior models as per automatic detection metrics and human-subject studies. Our aim is to demonstrate that adversarial attacks can be made harder to detect than previously thought and to enable the development of appropriate defenses.

Paper Structure

This paper contains 30 sections, 2 equations, 2 figures, 7 tables.

Figures (2)

  • Figure 1: Overview of our attack. Based on the gradient of the target model's loss function, we iteratively update the noise vector $n$ with small perturbations to obtain successful and natural attack triggers.
  • Figure 2: Difference in (a) average word frequency (normalized) and (b) average GPT-2 loss between benign text ($x$) and different attack triggers ($t$) (length 8) for SST and SNLI (computed as $\mathrm{stat}(x) - \mathrm{stat}(t)$). For SNLI, our attacks have lower GPT-2 loss values than even the original text, leading to a positive delta.