White-to-Black: Efficient Distillation of Black-Box Adversarial Attacks
This work addresses the need for efficient black-box adversarial attacks in NLP, offering a practical tool for security testing, though it is incremental as it builds on existing white-box methods.
The paper tackled the problem of generating adversarial examples more efficiently by distilling knowledge from white-box attacks into a neural network, achieving a 19x-39x speedup in generation time and successfully attacking the Google Perspective API with a 42% label flip rate while maintaining human accuracy.
Adversarial examples are important for understanding the behavior of neural models, and can improve their robustness through adversarial training. Recent work in natural language processing generated adversarial examples by assuming white-box access to the attacked model, and optimizing the input directly against it (Ebrahimi et al., 2018). In this work, we show that the knowledge implicit in the optimization procedure can be distilled into another more efficient neural network. We train a model to emulate the behavior of a white-box attack and show that it generalizes well across examples. Moreover, it reduces adversarial example generation time by 19x-39x. We also show that our approach transfers to a black-box setting, by attacking The Google Perspective API and exposing its vulnerability. Our attack flips the API-predicted label in 42\% of the generated examples, while humans maintain high-accuracy in predicting the gold label.