Few-shot Text Adversarial  Attack for Black-box Multi-task  Learning

Wenqiang Wang; Hao Lin; Yan XIAO; jiehongli; Xiaochun Cao

Few-shot Text Adversarial Attack for Black-box Multi-task Learning

Wenqiang Wang, Hao Lin, Yan XIAO, jiehongli, Xiaochun Cao

24 Sept 2024 (modified: 05 Feb 2025)Submitted to ICLR 2025EveryoneRevisionsBibTeXCC BY 4.0

Keywords: multi-task adversarial text attacks

Abstract: Current multi-task adversarial text attacks rely on white-box access to shared in- ternal features and assume a homogeneous multi-task learning framework. As a result, these attacks are less effective against practical scenarios involving black- box feedback APIs and heterogeneous multi-task learning. To bridge this gap, we introduce Cluster and Ensemble Mutil-task Text Adversarial Attack (CEMA), an effective black-box attack that exploits the transferability of adversarial texts. Specifically, we initially employ cluster-oriented substitute model training, as a plug-and-play framework, to simplify complex multi-task scenarios into more manageable text classification attacks and train the substitute model. Next, we generate multiple adversarial candidate examples by applying various adversarial text classification methods. Finally, we select the adversarial example that attacks the most substitute models as the final attack output. CEMA is evaluated on two primary multi-task objectives: text classification and translation. In the classifica- tion task, CEMA achieves attack success rates that exceed 60% while reducing the total number of queries to 100. For the text translation task, the BLEU scores of both victim texts and adversarial examples decrease to below 0.36 with 100 queries even including the commercial translation APIs, such as Baidu Translate and Ali Translate.

Supplementary Material: pdf

Primary Area: alignment, fairness, safety, privacy, and societal considerations

Code Of Ethics: I acknowledge that I and all co-authors of this work have read and commit to adhering to the ICLR Code of Ethics.

Submission Guidelines: I certify that this submission complies with the submission instructions as described on https://iclr.cc/Conferences/2025/AuthorGuide.

Anonymous Url: I certify that there is no URL (e.g., github page) that could be used to find authors’ identity.

No Acknowledgement Section: I certify that there is no acknowledgement section in this submission for double blind review.

Submission Number: 3898

Loading