Character-level White-Box Adversarial Attacks against Transformers via Attachable Subwords Substitution

TL;DR

This paper introduces a novel character-level white-box adversarial attack on transformer models that leverages subword substitutions guided by gradients, achieving high success rates while maintaining semantic integrity.

Contribution

It presents the first attack method exploiting subword substitutions at the character level, improving attack success and minimizing modifications compared to prior approaches.

Findings

Outperforms previous attack methods in success rate

Maintains semantic integrity of adversarial examples

Effective on both sentence-level and token-level tasks

Abstract

We propose the first character-level white-box adversarial attack method against transformer models. The intuition of our method comes from the observation that words are split into subtokens before being fed into the transformer models and the substitution between two close subtokens has a similar effect to the character modification. Our method mainly contains three steps. First, a gradient-based method is adopted to find the most vulnerable words in the sentence. Then we split the selected words into subtokens to replace the origin tokenization result from the transformer tokenizer. Finally, we utilize an adversarial loss to guide the substitution of attachable subtokens in which the Gumbel-softmax trick is introduced to ensure gradient propagation. Meanwhile, we introduce the visual and length constraint in the optimization process to achieve minimum character modifications. Extensive experiments on both sentence-level and token-level tasks demonstrate that our method could outperform the previous attack methods in terms of success rate and edit distance. Furthermore, human evaluation verifies our adversarial examples could preserve their origin labels.