MINIMAL: Mining Models for Data Free Universal Adversarial Triggers
Swapnil Parekh, Yaman Singla Kumar, Somesh Singh, Changyou Chen, Balaji Krishnamurthy, and Rajiv Ratn Shah

TL;DR
MINIMAL introduces a novel data-free method to mine universal adversarial triggers for NLP models, achieving significant accuracy drops comparable to data-dependent approaches, thus exposing vulnerabilities without requiring large datasets.
Contribution
The paper presents MINIMAL, a data-free algorithm for mining universal adversarial triggers, reducing reliance on large datasets for generating effective adversarial inputs.
Findings
Reduces accuracy on the SST positive class from 93.6% to 9.6%.
Reduces SNLI entailment accuracy from 90.95% to below 0.6%.
Matches the effectiveness of data-dependent methods without using data.
Abstract
It is well known that natural language models are vulnerable to adversarial attacks, which are mostly input-specific in nature. Recently, it has been shown that there also exist input-agnostic attacks in NLP models, called universal adversarial triggers. However, existing methods to craft universal triggers are data intensive. They require large amounts of data samples to generate adversarial triggers, which are typically inaccessible by attackers. For instance, previous works take 3000 data samples per class for the SNLI dataset to generate adversarial triggers. In this paper, we present a novel data-free approach, MINIMAL, to mine input-agnostic adversarial triggers from models. Using the triggers produced with our data-free algorithm, we reduce the accuracy of Stanford Sentiment Treebank's positive class from 93.6% to 9.6%. Similarly, for the Stanford Natural Language Inference…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Advanced Malware Detection Techniques · Anomaly Detection Techniques and Applications
