Saved in:
Bibliographic Details
Main Authors: Ghosh, Shatarupa, Rusert, Jonathan
Format: Preprint
Published: 2024
Subjects:
Online Access:https://arxiv.org/abs/2412.10617
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866929629932027904
author Ghosh, Shatarupa
Rusert, Jonathan
author_facet Ghosh, Shatarupa
Rusert, Jonathan
contents Adversarial text attack research is useful for testing the robustness of NLP models, however, the rise of transformers has greatly increased the time required to test attacks. Especially when researchers do not have access to adequate resources (e.g. GPUs). This can hinder attack research, as modifying one example for an attack can require hundreds of queries to a model, especially for black-box attacks. Often these attacks remove one token at a time to find the ideal one to change, requiring $n$ queries (the length of the text) right away. We propose a more efficient selection method called BinarySelect which combines binary search and attack selection methods to greatly reduce the number of queries needed to find a token. We find that BinarySelect only needs $\text{log}_2(n) * 2$ queries to find the first token compared to $n$ queries. We also test BinarySelect in an attack setting against 5 classifiers across 3 datasets and find a viable tradeoff between number of queries saved and attack effectiveness. For example, on the Yelp dataset, the number of queries is reduced by 32% (72 less) with a drop in attack effectiveness of only 5 points. We believe that BinarySelect can help future researchers study adversarial attacks and black-box problems more efficiently and opens the door for researchers with access to less resources.
format Preprint
id arxiv_https___arxiv_org_abs_2412_10617
institution arXiv
publishDate 2024
record_format arxiv
spellingShingle BinarySelect to Improve Accessibility of Black-Box Attack Research
Ghosh, Shatarupa
Rusert, Jonathan
Cryptography and Security
Computation and Language
Adversarial text attack research is useful for testing the robustness of NLP models, however, the rise of transformers has greatly increased the time required to test attacks. Especially when researchers do not have access to adequate resources (e.g. GPUs). This can hinder attack research, as modifying one example for an attack can require hundreds of queries to a model, especially for black-box attacks. Often these attacks remove one token at a time to find the ideal one to change, requiring $n$ queries (the length of the text) right away. We propose a more efficient selection method called BinarySelect which combines binary search and attack selection methods to greatly reduce the number of queries needed to find a token. We find that BinarySelect only needs $\text{log}_2(n) * 2$ queries to find the first token compared to $n$ queries. We also test BinarySelect in an attack setting against 5 classifiers across 3 datasets and find a viable tradeoff between number of queries saved and attack effectiveness. For example, on the Yelp dataset, the number of queries is reduced by 32% (72 less) with a drop in attack effectiveness of only 5 points. We believe that BinarySelect can help future researchers study adversarial attacks and black-box problems more efficiently and opens the door for researchers with access to less resources.
title BinarySelect to Improve Accessibility of Black-Box Attack Research
topic Cryptography and Security
Computation and Language
url https://arxiv.org/abs/2412.10617