Papers with victim models
Extracted BERT Model Leaks More Information than You Think! (2022.emnlp-main)
Copied to clipboard
| Challenge: | Existing pre-trained language models are vulnerable to model extraction attacks . model extraction can cause severe privacy leakage even when victim models are facilitated with state-of-the-art defensive strategies. |
| Approach: | They propose to launch an attribute-inference attack against an extracted BERT model to prevent privacy leakage. |
| Outcome: | The proposed attack can cause severe privacy leakage even when victim models are facilitated with state-of-the-art defensive strategies. |
Misleading Relation Classifiers by Substituting Words in Texts (2023.findings-acl)
Copied to clipboard
| Challenge: | Existing methods to generate adversarial examples for relation classification are vulnerable to adversarials. |
| Approach: | They propose a method that uses most important parts of speech to substitute words with synonyms or hyponyms to generate adversarial texts of high quality. |
| Outcome: | The proposed method can generate adversarial texts of high quality and most relationships can be correctly identified in the process of human evaluation. |
Student Surpasses Teacher: Imitation Attack for Black-Box NLP APIs (2022.coling-1)
Copied to clipboard
| Challenge: | Existing MLaaS models are vulnerable to imitation attacks, but none of the stolen models can outperform the original black-box APIs. |
| Approach: | They conduct unsupervised domain adaptation and multi-victim ensemble to show attackers could surpass victims. |
| Outcome: | The proposed model outperforms the original black-box models on transferred domains. |
TextVerifier: Robustness Verification for Textual Classifiers with Certifiable Guarantees (2023.findings-acl)
Copied to clipboard
| Challenge: | a textual classifier must withstand word-level alteration attacks due to inherent vulnerability. |
| Approach: | They propose a formal verification framework with certifiable guarantees on deep neural networks in natural language processing against word-level alteration attacks. |
| Outcome: | The proposed framework provides an approximation of the maximal safe radius with tight bounds . it yields an efficient speed edge and reliable anytime estimation . |
Multi-granularity Textual Adversarial Attack with Behavior Cloning (2021.emnlp-main)
Copied to clipboard
| Challenge: | Existing adversarial attack models are vulnerable to adversarials crafted by human-imperceptible perturbations. |
| Approach: | They propose a multi-granularity adversarial attack model that generates high-quality adversarials with fewer queries to victim models. |
| Outcome: | The proposed model generates high-quality adversarial samples with fewer queries to victim models compared to baseline models . the proposed model also reduces query times for black-box models that only output labels without confidence scores . |
Multi-target Backdoor Attacks for Code Pre-trained Models (2023.acl-long)
Copied to clipboard
| Challenge: | Existing work for backdoor attacks on neural code models insert triggers into task-specific data for code-related downstream tasks, limiting the scope of attacks. |
| Approach: | They propose task-agnostic backdoor attacks for code pre-trained models . they use two learning strategies to implant backdoors into code understanding and generation models - Poisoned Seq2Seq learning and token representation learning . |
| Outcome: | The proposed model is pre-trained with two learning strategies to support the multi-target attack of downstream code understanding and generation tasks. |
Word-level Textual Adversarial Attacking as Combinatorial Optimization (2020.acl-main)
Copied to clipboard
| Challenge: | Existing word-level attack models are far from perfect because of unsuitable search space reduction methods and inefficient optimization algorithms. |
| Approach: | They propose a novel adversarial adversarialist model that incorporates word substitution and particle swarm optimization to solve two problems separately. |
| Outcome: | The proposed model achieves much higher success rates and crafts more high-quality adversarial examples as compared to baseline methods. |
NatLogAttack: A Framework for Attacking Natural Language Inference Models with Natural Logic (2023.acl-long)
Copied to clipboard
| Challenge: | Despite the recent advances in distributed representation and neural networks, it remains an open question whether the models perform real reasoning to reach their conclusions or rely on spurious correlations. |
| Approach: | They propose to use logic formalism to perform systematic attacks centring around natural logic to generate better adversarial examples with fewer visits to the victim models. |
| Outcome: | The proposed framework generates better adversarial examples with fewer visits to the victim models. |
A Black-Box Attack on Code Models via Representation Nearest Neighbor Search (2023.findings-emnlp)
Copied to clipboard
| Challenge: | Existing methods for generating adversarial code examples face challenges such as limted availability of substitute variables and the creation of adversarials with noticeable perturbations. |
| Approach: | They propose a search seed based on historical attacks to find adversarial substitutes . they employ a pre-trained variable name encoder to map the search seed to a continuous vector space . |
| Outcome: | The proposed approach outperforms baseline methods in terms of ASR and QT. |
RedCoder: Automated Multi-Turn Red Teaming for Code LLMs (2026.acl-long)
Copied to clipboard
Wenjie Jacky Mo, Qin Liu, Xiaofei Wen, Dongwon Jung, Hadi Askari, Wenxuan Zhou, Zhe Zhao, Muhao Chen
| Challenge: | Existing red-teaming approaches for code generation rely on extensive human effort and are prone to generating malicious code under adversarial environments. |
| Approach: | They propose a red-teaming agent that engages victim models in multi-turn conversations to elicit vulnerable code. |
| Outcome: | Experiments show that RedCoder outperforms red-teaming methods in inducing vulnerabilities in code generation. |
XVD: Cross-Vocabulary Differentiable Training for Generative Adversarial Attacks (2024.lrec-main)
Copied to clipboard
| Challenge: | Existing approaches to create adversarial examples using tokens are not sufficient to ensure other desirable properties such as similarity to non-adversarial examples, linguistic fluency, and so forth. |
| Approach: | They propose a method which leverages a set of pretrained language models to promote similarity to non-adversarial examples, linguistic fluency, and so forth. |
| Outcome: | The proposed approach outperforms existing methods and is competitive with token-based approaches. |