Don't Search for a Search Method -- Simple Heuristics Suffice for Adversarial Text Attacks
This work highlights that current benchmark tasks for black-box adversarial text attacks are too easy and constraints too strict, which is a problem for researchers in NLP security, making it incremental by questioning existing methodologies.
The paper tackled the problem of adversarial text attacks on NLP models by comparing optimization-based methods with simple heuristics, finding that simple heuristics achieved high success rates (nearly full in unconstrained setups) with far fewer queries (an order of magnitude less) without improving with optimization in constrained setups.
Recently more attention has been given to adversarial attacks on neural networks for natural language processing (NLP). A central research topic has been the investigation of search algorithms and search constraints, accompanied by benchmark algorithms and tasks. We implement an algorithm inspired by zeroth order optimization-based attacks and compare with the benchmark results in the TextAttack framework. Surprisingly, we find that optimization-based methods do not yield any improvement in a constrained setup and slightly benefit from approximate gradient information only in unconstrained setups where search spaces are larger. In contrast, simple heuristics exploiting nearest neighbors without querying the target function yield substantial success rates in constrained setups, and nearly full success rate in unconstrained setups, at an order of magnitude fewer queries. We conclude from these results that current TextAttack benchmark tasks are too easy and constraints are too strict, preventing meaningful research on black-box adversarial text attacks.