Table of Contents
Fetching ...

DECEIVE-AFC: Adversarial Claim Attacks against Search-Enabled LLM-based Fact-Checking Systems

Haoran Ou, Kangjie Chen, Gelei Deng, Hangcheng Liu, Jie Zhang, Tianwei Zhang, Kwok-Yan Lam

TL;DR

The paper addresses the vulnerability of search-enabled LLM-based fact-checking systems to adversarial claim attacks. It introduces DECEIVE-AFC, an agent-based, black-box framework that crafts semantically preserved adversarial claims by targeting search query generation, evidence retrieval, and LLM reasoning, while enforcing validity constraints. Experiments across multiple real-world AFC systems show substantial degradation in verification accuracy (e.g., from 78.7% to 53.7%) and strong cross-system transferability, driven by disruptions in evidence use and reasoning rather than superficial perturbations. The work also proposes mitigation strategies, including adversarial-aware fine-tuning and intermediate retrieval validation, to bolster the robustness and trustworthiness of open-web, LLM-based fact-checking pipelines.

Abstract

Fact-checking systems with search-enabled large language models (LLMs) have shown strong potential for verifying claims by dynamically retrieving external evidence. However, the robustness of such systems against adversarial attack remains insufficiently understood. In this work, we study adversarial claim attacks against search-enabled LLM-based fact-checking systems under a realistic input-only threat model. We propose DECEIVE-AFC, an agent-based adversarial attack framework that integrates novel claim-level attack strategies and adversarial claim validity evaluation principles. DECEIVE-AFC systematically explores adversarial attack trajectories that disrupt search behavior, evidence retrieval, and LLM-based reasoning without relying on access to evidence sources or model internals. Extensive evaluations on benchmark datasets and real-world systems demonstrate that our attacks substantially degrade verification performance, reducing accuracy from 78.7% to 53.7%, and significantly outperform existing claim-based attack baselines with strong cross-system transferability.

DECEIVE-AFC: Adversarial Claim Attacks against Search-Enabled LLM-based Fact-Checking Systems

TL;DR

The paper addresses the vulnerability of search-enabled LLM-based fact-checking systems to adversarial claim attacks. It introduces DECEIVE-AFC, an agent-based, black-box framework that crafts semantically preserved adversarial claims by targeting search query generation, evidence retrieval, and LLM reasoning, while enforcing validity constraints. Experiments across multiple real-world AFC systems show substantial degradation in verification accuracy (e.g., from 78.7% to 53.7%) and strong cross-system transferability, driven by disruptions in evidence use and reasoning rather than superficial perturbations. The work also proposes mitigation strategies, including adversarial-aware fine-tuning and intermediate retrieval validation, to bolster the robustness and trustworthiness of open-web, LLM-based fact-checking pipelines.

Abstract

Fact-checking systems with search-enabled large language models (LLMs) have shown strong potential for verifying claims by dynamically retrieving external evidence. However, the robustness of such systems against adversarial attack remains insufficiently understood. In this work, we study adversarial claim attacks against search-enabled LLM-based fact-checking systems under a realistic input-only threat model. We propose DECEIVE-AFC, an agent-based adversarial attack framework that integrates novel claim-level attack strategies and adversarial claim validity evaluation principles. DECEIVE-AFC systematically explores adversarial attack trajectories that disrupt search behavior, evidence retrieval, and LLM-based reasoning without relying on access to evidence sources or model internals. Extensive evaluations on benchmark datasets and real-world systems demonstrate that our attacks substantially degrade verification performance, reducing accuracy from 78.7% to 53.7%, and significantly outperform existing claim-based attack baselines with strong cross-system transferability.
Paper Structure (23 sections, 1 equation, 4 figures, 4 tables)

This paper contains 23 sections, 1 equation, 4 figures, 4 tables.

Figures (4)

  • Figure 1: Comparison between traditional DNN-based AFC systems and search-enabled LLM-based AFC systems.
  • Figure 2: Overview of DECEIVE-AFC.
  • Figure 3: Outcome analysis of successful (left) and failed (right) adversarial optimizations.
  • Figure 4: Impact of the maximum number of refinement rounds on ASR (left) and cost(right).