Stumbling Blocks: Stress Testing the Robustness of Machine-Generated Text Detectors Under Attacks

Yichen Wang, Shangbin Feng, Abe Bohan Hou, Xiao Pu, Chao Shen, Xiaoming Liu, Yulia Tsvetkov, Tianxing He

TL;DR

Stumbling Blocks investigates the robustness of eight machine-generated text detectors against twelve realistic attack types, including editing, paraphrasing, prompting, and co-generating. The attacker model assumes no detector knowledge and limited generator access with budgets quantifying perturbation strength. Across all detectors, vulnerabilities are widespread, with an average performance drop of $35\%$ under attack, while watermarking and model-based detectors show comparatively stronger resilience. The work also proposes simple defense patches and a robustness leaderboard to guide future detector design and evaluation, emphasizing the need for robust, multi-faceted detection strategies.

Abstract

The widespread use of large language models (LLMs) is increasing the demand for methods that detect machine-generated text to prevent misuse. The goal of our study is to stress test the detectors' robustness to malicious attacks under realistic scenarios. We comprehensively study the robustness of popular machine-generated text detectors under attacks from diverse categories: editing, paraphrasing, prompting, and co-generating. Our attacks assume limited access to the generator LLMs, and we compare the performance of detectors on different attacks under different budget levels. Our experiments reveal that almost none of the existing detectors remain robust under all the attacks, and all detectors exhibit different loopholes. Averaging all detectors, the performance drops by 35% across all attacks. Further, we investigate the reasons behind these defects and propose initial out-of-the-box patches to improve robustness.

Paper Structure (47 sections, 28 figures, 15 tables)

This paper contains 47 sections, 28 figures, 15 tables.

Figures (28)

  • Figure 1: Pipeline of the study. The attacks are carried out on the machine-generated texts before, during, or after generation. Each attack is applied with different perturbation levels, denoted as budgets (see the section on budgets).
  • Figure 2: Performance drop of the detectors under the editing attacks. We show the mixed setting for typo insertion, and the zero-width whitespace setting (ZWS for short) for format character editing. The budget on the x-axis is the edit distance at character level ($\uparrow$ a larger number represents a stronger attack). The color of dashed lines indicates the category of detectors.
  • Figure 3: Illustration of the distribution of the metric value of the metric-based detectors before the attack, after the attack, and after patching (an out-of-the-box defense we proposed in the section on patches). The red dotted lines are the optimal decision boundaries.
  • Figure 4: Performance drop of the detectors under the paraphrasing attacks. We use BERTScore (A2B) as the budget in the figure. 'A2B' means we compute BERTScore between unattacked MGTs and attacked MGTs. $\downarrow$ A smaller BERTScore value means a larger budget on the attack. Note that the x-axis range of Inter Sent (sub-figure 5) is twice that of the previous sub-figures.
  • Figure 5: Performance drop of the detectors under the co-generation attacks. We use MAUVE (M2H) as the budget to evaluate the text quality in the figure. 'M2H' means we compute MAUVE between HWTs and attacked MGTs. The vertical dotted red line is the score without attack. $\downarrow$ A smaller MAUVE (M2H) value means a larger budget on the attack.
  • ...and 23 more figures
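The editing attacks in Figure 2 are measured by a character-level edit-distance budget, and Figure 3 refers to an out-of-the-box patch applied before detection. The following added example (not code from the paper or its authors) shows how such a budget can be computed and how a simple input-normalization patch, stripping Unicode format characters such as zero-width spaces and applying NFKC, reduces the effective budget of a format-character edit to zero before the text reaches a detector. The sample texts are constructed here; the paper's own attack and detector implementations are not reproduced.

```python
# Added example: measuring the character-level edit-distance "budget" of an
# editing attack and applying a normalization patch before detection.
# Sample texts below are constructed for illustration, not taken from the paper.
import unicodedata

# Constructed sample: an unattacked machine-generated sentence, a version with
# three zero-width spaces (U+200B) inserted, and a version with two typos.
ORIGINAL = "The detector flags this sentence as machine generated."
ZWS_EDITED = "The\u200b detector\u200b flags this sentence as machine\u200b generated."
TYPO_EDITED = "The detecter flags this sentnce as machine generated."


def levenshtein(a: str, b: str) -> int:
    """Character-level edit distance (insert, delete, substitute each cost 1)."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def attack_budget(original: str, attacked: str) -> int:
    """Budget as used on the x-axis of the editing-attack figures: edit distance."""
    return levenshtein(original, attacked)


def normalize(text: str) -> str:
    """Hypothetical defense patch (assumption, not the paper's exact method):
    drop Unicode format characters (category Cf, which covers zero-width
    spaces, joiners and the BOM) and apply NFKC compatibility normalization."""
    visible = "".join(ch for ch in text if unicodedata.category(ch) != "Cf")
    return unicodedata.normalize("NFKC", visible)


def budget_after_patch(original: str, attacked: str) -> int:
    """Effective budget once both texts pass through the normalization patch."""
    return levenshtein(normalize(original), normalize(attacked))


if __name__ == "__main__":
    for name, attacked in (("zero-width space", ZWS_EDITED), ("typo", TYPO_EDITED)):
        print(f"{name:18s} budget={attack_budget(ORIGINAL, attacked)} "
              f"after patch={budget_after_patch(ORIGINAL, attacked)}")
```

Normalization neutralizes format-character edits entirely, but, as the second line of output shows, it does nothing for typo insertion: the typo budget is unchanged after patching, which is why the paper evaluates detectors per attack category rather than relying on a single pre-processing step.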