Table of Contents
Fetching ...

GenoArmory: A Unified Evaluation Framework for Adversarial Attacks on Genomic Foundation Models

Haozheng Luo, Chenghao Qiu, Yimin Wang, Shang Wu, Jiahao Yu, Zhenyu Pan, Weian Mao, Haoyang Fang, Hao Xu, Han Liu, Binghui Wang, Yan Chen

TL;DR

GenoArmory tackles the safety and robustness of Genomic Foundation Models by delivering a unified benchmark that standardizes adversarial attacks and defenses across multiple GFMs. It introduces GenoAdv as a representative adversarial dataset, provides robust pipelines for red-teaming and defense evaluation, and delivers a reproducible framework with visualization to interpret perturbation effects in genomic sequences. Key findings show that generative GFMs (e.g., GenomeOcean) are more vulnerable than classification-focused GFMs, and that tokenization strategy (e.g., BPE vs. k-mer) and quantization materially influence attack efficacy and defense performance. The work significantly impacts the safe deployment of GFMs by enabling systematic assessment, fostering defense development, and promoting transparent, reproducible genomic AI research.

Abstract

We propose the first unified adversarial attack benchmark for Genomic Foundation Models (GFMs), named GenoArmory. Unlike existing GFM benchmarks, GenoArmory offers the first comprehensive evaluation framework to systematically assess the vulnerability of GFMs to adversarial attacks. Methodologically, we evaluate the adversarial robustness of five state-of-the-art GFMs using four widely adopted attack algorithms and three defense strategies. Importantly, our benchmark provides an accessible and comprehensive framework to analyze GFM vulnerabilities with respect to model architecture, quantization schemes, and training datasets. Additionally, we introduce GenoAdv, a new adversarial sample dataset designed to improve GFM safety. Empirically, classification models exhibit greater robustness to adversarial perturbations compared to generative models, highlighting the impact of task type on model vulnerability. Moreover, adversarial attacks frequently target biologically significant genomic regions, suggesting that these models effectively capture meaningful sequence features.

GenoArmory: A Unified Evaluation Framework for Adversarial Attacks on Genomic Foundation Models

TL;DR

GenoArmory tackles the safety and robustness of Genomic Foundation Models by delivering a unified benchmark that standardizes adversarial attacks and defenses across multiple GFMs. It introduces GenoAdv as a representative adversarial dataset, provides robust pipelines for red-teaming and defense evaluation, and delivers a reproducible framework with visualization to interpret perturbation effects in genomic sequences. Key findings show that generative GFMs (e.g., GenomeOcean) are more vulnerable than classification-focused GFMs, and that tokenization strategy (e.g., BPE vs. k-mer) and quantization materially influence attack efficacy and defense performance. The work significantly impacts the safe deployment of GFMs by enabling systematic assessment, fostering defense development, and promoting transparent, reproducible genomic AI research.

Abstract

We propose the first unified adversarial attack benchmark for Genomic Foundation Models (GFMs), named GenoArmory. Unlike existing GFM benchmarks, GenoArmory offers the first comprehensive evaluation framework to systematically assess the vulnerability of GFMs to adversarial attacks. Methodologically, we evaluate the adversarial robustness of five state-of-the-art GFMs using four widely adopted attack algorithms and three defense strategies. Importantly, our benchmark provides an accessible and comprehensive framework to analyze GFM vulnerabilities with respect to model architecture, quantization schemes, and training datasets. Additionally, we introduce GenoAdv, a new adversarial sample dataset designed to improve GFM safety. Empirically, classification models exhibit greater robustness to adversarial perturbations compared to generative models, highlighting the impact of task type on model vulnerability. Moreover, adversarial attacks frequently target biologically significant genomic regions, suggesting that these models effectively capture meaningful sequence features.
Paper Structure (41 sections, 3 equations, 6 figures, 24 tables)

This paper contains 41 sections, 3 equations, 6 figures, 24 tables.

Figures (6)

  • Figure 1: An overview of benchmarking adversarial attacks on GFMs
  • Figure 2: GenoArmory Framework. Our GenoArmory framework incorporates diverse adversarial attack and defense methods on GFMs. It also offers visualization tools to highlight important regions influencing model predictions and introduces a new adversarial dataset, GenoAdv.
  • Figure 3: Performance of Adversarial Attacks on Different Model Architectures. We assess the effectiveness of the evaluated adversarial attacks across diverse model architectures, including both transformer-based models (DNABERT-2, NT, NT2, GenomeOcean) and Hyena-based model (HyenaDNA). We use the Attack Success Rate (ASR) as the primary metric to evaluate the performance of the evaluated adversarial attacks. For each experiment, we rank the top five models based on their ASR, with ranks assigned from 1 to 5. A lower rank indicates better robustness, while a higher rank reflects greater vulnerability to attacks. Our results highlight how each model performs under attack, revealing differences in vulnerability and resilience across the architectures.
  • Figure 4: Examples of the visualization of GFMs with adversarial attacks. We present the results of the three tasks of the DNABERT-2 model under BertAttack. All subsequence changes occur at the subword tokenizer level using Byte Pair Encoding (BPE) sennrich2015neural. The visualization highlights which parts of the sequence are most significant for the model's classification performance. Specifically, we present the frequency with which the adversarial attack modifies the sequence. A higher frequency suggests that the subsequence plays a more important role in the model’s classification decisions.
  • Figure 5: Performance of the evaluated attacks on quantized models. We perform experiments to assess how quantization affects the effectiveness of adversarial attacks on target models. The table compares model performance before and after quantization under BertAttack and TextFooler attacks. Attack Success Rate (ASR) serves as the primary evaluation metric, with variance omitted as they are all $\le 2$%. The best results are highlighted in bold.
  • ...and 1 more figures