MathAttack: Attacking Large Language Models Towards Math Solving Ability

TL;DR

This paper introduces MathAttack, a method for generating adversarial math word problems that preserve logical structure to evaluate and improve the robustness of large language models in math solving tasks.

Contribution

It proposes a novel attack method that maintains mathematical logic, introduces the RobustMath dataset for robustness evaluation, and demonstrates how adversarial samples can enhance LLM robustness.

Findings

Adversarial samples effectively attack LLMs' math solving ability.

Higher-accuracy LLMs are vulnerable to attacks from lower-accuracy models.

Using adversarial samples in training improves LLM robustness.

Abstract

With the boom of Large Language Models (LLMs), the research of solving Math Word Problem (MWP) has recently made great progress. However, there are few studies to examine the security of LLMs in math solving ability. Instead of attacking prompts in the use of LLMs, we propose a MathAttack model to attack MWP samples which are closer to the essence of security in solving math problems. Compared to traditional text adversarial attack, it is essential to preserve the mathematical logic of original MWPs during the attacking. To this end, we propose logical entity recognition to identify logical entries which are then frozen. Subsequently, the remaining text are attacked by adopting a word-level attacker. Furthermore, we propose a new dataset RobustMath to evaluate the robustness of LLMs in math solving ability. Extensive experiments on our RobustMath and two another math benchmark datasets GSM8K and MultiAirth show that MathAttack could effectively attack the math solving ability of LLMs. In the experiments, we observe that (1) Our adversarial samples from higher-accuracy LLMs are also effective for attacking LLMs with lower accuracy (e.g., transfer from larger to smaller-size LLMs, or from few-shot to zero-shot prompts); (2) Complex MWPs (such as more solving steps, longer text, more numbers) are more vulnerable to attack; (3) We can improve the robustness of LLMs by using our adversarial samples in few-shot prompts. Finally, we hope our practice and observation can serve as an important attempt towards enhancing the robustness of LLMs in math solving ability. We will release our code and dataset.