MINIMAL: Mining Models for Data Free Universal Adversarial Triggers
This addresses the vulnerability of NLP models to adversarial attacks by enabling attackers to craft effective triggers without access to large datasets, though it is incremental as it builds on existing trigger methods.
The paper tackles the problem of data-intensive universal adversarial trigger generation in NLP models by introducing MINIMAL, a data-free approach that mines triggers from models without requiring data samples, reducing accuracy on sentiment analysis from 93.6% to 9.6% and on natural language inference from 90.95% to less than 0.6%.
It is well known that natural language models are vulnerable to adversarial attacks, which are mostly input-specific in nature. Recently, it has been shown that there also exist input-agnostic attacks in NLP models, called universal adversarial triggers. However, existing methods to craft universal triggers are data intensive. They require large amounts of data samples to generate adversarial triggers, which are typically inaccessible by attackers. For instance, previous works take 3000 data samples per class for the SNLI dataset to generate adversarial triggers. In this paper, we present a novel data-free approach, MINIMAL, to mine input-agnostic adversarial triggers from models. Using the triggers produced with our data-free algorithm, we reduce the accuracy of Stanford Sentiment Treebank's positive class from 93.6% to 9.6%. Similarly, for the Stanford Natural Language Inference (SNLI), our single-word trigger reduces the accuracy of the entailment class from 90.95% to less than 0.6\%. Despite being completely data-free, we get equivalent accuracy drops as data-dependent methods.