RAFT: Realistic Attacks to Fool Text Detectors

James Wang, Ran Li, Junfeng Yang, Chengzhi Mao

TL;DR

RAFT: a grammar error-free black-box attack against existing LLM detectors that exploits the transferability of LLM embeddings at the word-level while preserving the original text quality, and can be used to train adversarially robust detectors.

Abstract

Large language models (LLMs) have exhibited remarkable fluency across various tasks. However, their unethical applications, such as disseminating disinformation, have become a growing concern. Although recent works have proposed a number of LLM detection methods, their robustness and reliability remain unclear. In this paper, we present RAFT: a grammar error-free black-box attack against existing LLM detectors. In contrast to previous attacks for language models, our method exploits the transferability of LLM embeddings at the word level while preserving the original text quality. We leverage an auxiliary embedding to greedily select candidate words to perturb against the target detector. Experiments reveal that our attack effectively compromises all detectors in the study across various domains by up to 99%, and is transferable across source models. Manual human evaluation studies show our attacks are realistic and indistinguishable from original human-written text. We also show that examples generated by RAFT can be used to train adversarially robust detectors. Our work shows that current LLM detectors are not adversarially robust, underscoring the urgent need for more resilient detection mechanisms.

Paper Structure (28 sections, 2 equations, 7 figures, 12 tables)

Figures (7)

  • Figure 1: RAFT can attack a sample text generated by GPT-3.5-turbo more effectively to subvert detection by DetectGPT than recent red teaming attack efforts (shi2024red) while preserving language fluency and semantic consistency. By enforcing grammatical consistency in the substituted words through POS correction, RAFT achieves significantly lower perplexity than attacks that do not enforce grammar. Qualitative evaluation also highlights RAFT's language fluency and semantic consistency with the original text. Red text represents substituted words with grammatical errors or semantic inconsistencies. Blue text represents error-free substitutions.
  • Figure 2: Histograms show the distributions of different detection scores for human-written text, GPT-3.5-Turbo generated text, and RAFT-attacked GPT-3.5-Turbo text. The horizontal axis represents the raw output from the detector. The diagrams illustrate that our attack effectively shifts the distribution of generated data towards the negative region, fooling the detectors.
  • Figure 3: Generated texts from LLMs and their respective attacks using shi2024red's query-based word substitution attack and RAFT (ours) using the RoBERTa-large proxy scoring model, evaluated against the Log Rank, Ghostbuster, and Fast-DetectGPT detectors. RAFT demonstrates the greatest reduction in detection likelihood while maintaining grammatical correctness and semantic consistency with the original text. Red text represents substituted words with grammatical errors or semantic inconsistencies. Blue text represents error-free substitutions.
  • Figure 4: Study on the impact of different mask percentages. We use OPT-2.7B and RoBERTa-large as proxy scoring models to attack Log Rank and Fast-DetectGPT detectors on the XSum dataset at 1%, 5%, 10%, 15%, and 20% masking rates while measuring detection performance and text quality in terms of AUROC and perplexity. The AUROC approaches 0 at around 10% with a moderate increase in perplexity. Masking percentages beyond 15% degrade text quality across both detectors.
  • Figure 5: Comparison of the effects of POS tagging. On the left is unmodified text generated by GPT-3.5-turbo; in the middle is RAFT-attacked text without POS consistency constraints; and on the right is RAFT-attacked text with POS consistency. This example illustrates that POS tagging significantly enhances text quality both qualitatively and quantitatively, as measured by perplexity, without compromising detection performance.
  • ...and 2 more figures