Overcoming Black-box Attack Inefficiency with Hybrid and Dynamic Select Algorithms
This work addresses the computational cost problem for researchers evaluating NLP model robustness, though it is incremental as it builds on existing selection algorithms.
The paper tackled the inefficiency of black-box adversarial text attacks on NLP models by proposing Hybrid and Dynamic Select algorithms, which reduced the number of required queries per attack by up to 25.82% on average across datasets and models while maintaining attack effectiveness.
Adversarial text attack research plays a crucial role in evaluating the robustness of NLP models. However, the increasing complexity of transformer-based architectures has dramatically raised the computational cost of attack testing, especially for researchers with limited resources (e.g., GPUs). Existing popular black-box attack methods often require a large number of queries, which can make them inefficient and impractical for researchers. To address these challenges, we propose two new attack selection strategies called Hybrid and Dynamic Select, which better combine the strengths of previous selection algorithms. Hybrid Select merges generalized BinarySelect techniques with GreedySelect by introducing a size threshold to decide which selection algorithm to use. Dynamic Select provides an alternative approach of combining the generalized Binary and GreedySelect by learning which lengths of texts each selection method should be applied to. This greatly reduces the number of queries needed while maintaining attack effectiveness (a limitation of BinarySelect). Across 4 datasets and 6 target models, our best method(sentence-level Hybrid Select) is able to reduce the number of required queries per attack up 25.82\% on average against both encoder models and LLMs, without losing the effectiveness of the attack.