No Access, No Safety: Free Lunch Adversarial Attacks on Black-box NLP Models

1. The paper presentation is not good and paper writing is often informal. Specifically, it has the following drawbacks:

a) Some notations are not clearly/correctly defined. For example, Line 184 should be $\hat{y} \in$ instead of $\hat{y} =$; $o_{\hat{y_i}}$ in Eq 6 is not defined; $m$ represents the total number of labels in Line 185 but then is used as the number of substitute models in Theorem 1.

b) Some settings are not clearly stated. For example, Line 406 claims "Based on the analysis in Section 4.1, using two clusters yields the optimal attack performance." However, such analysis is missing in Section 4.1 and it is also not clearly stated that the cluster size is two in Section 4. Besides, the paper claims T5 is the embedding model for FLA but it is unknown which version of T5 is used and how the embedding is calculated. The definition of Cost metric is still confusing in Appendix.

c) Wrong citations. In the paper, Textbugger cites [1] (e.g. Line 102). However, [1] is the PWWS method and [2] should be the right citation for Textbugger.

d) The paper contains confusing sentences and lots of typos. For example, what is "eliciting strong responses" in Line 210? Line 514 is a problematic sentence; Transfer attack (e.g. Line 229) should be transfer-based attack; Line 321 should be Several ; Line 323 should be details; Section 5.4.3 should be "Attacks on LLMs"; Table 4 should be 3 models;

2. The effect of using multiple adversarial text generation methods in FLA is still unclear.

a) First, the paper does not clearly state what attack methods ($M_i$) are used in FLA for Section 5.2.

b) From Table 4, we can find that applying a single attack method in FLA is not always better than applying it directly. For example, using PSO with 7 substitution models in FLA achieves 34.12 ASR on SST5 (DistilBERT), lower than 45.14 in Table 1. Therefore, it is unclear if the superior performance of FLA in Table 1 is due to the ensemble effect of multiple attack methods.

3. Theorem 1 is not accurate for FLA. According to Lines 790-795, it in fact assumes using the adversarial texts from all substitution models for attacking the victim model and regards the attack succeeds if one of them succeeds. It is different from the workflow of FLA which selects only one for attacking the victim model based on the threshold. As also shown in Table 4, FLA variants (PSO-FLA and TextBug-FLA) using 3 models do not perform better than those using 1 model on the emotional task, which conflicts with Theorem 1.

4. Table 5 lacks adequate baselines. It only uses CT-GAT for comparison. But all previous adversarial attack baselines can be adapted under the transfer-based attack setting. They just need a substitution model with which they can get the necessary information. Then they can directly evaluate the generated adversarial texts from the substitution model on LLMs like GPT4o. So what is the performance of other adversarial attack methods when adapted to the transfer-based attack setting for Table 5?

[1] Ren et al. Generating natural language adversarial examples through probability weighted word saliency

[2] Li et al. TextBugger: Generating Adversarial Text Against Real-world Applications

• This paper makes no contribution to adversarial attack techniques. As stated in Section 4.3, it uses multiple attack methods to generate adversarial samples. Since specific methods are not indicated, I suspect that existing methods are used directly.
• The paper assumes a highly restricted scenario: the attacker cannot access the victim model. While it does not require access to the victim model, it does necessitate the iterative construction of Shadow Datasets and Substitute Models, which is not needed in existing query-based attacks. Therefore, defining the Cost solely as the number of queries to the victim model is unfair, as it overlooks the time spent during the iterative process.
• The evaluation is not comprehensive enough. The paper only evaluates the method on a sentiment analysis task, while the baselines (such as CT-GAT and HQA) often include more NLP tasks. To provide a more thorough evaluation of the proposed method, it should consider incorporating additional tasks.
• In Table 1, $*Sim*$ does not achieve the best performance across all experimental groups. It is well known that $*ASR*$ and Sim should have a trade-off relationship, and the $*ASR*$ of the proposed method may come at the expense of $*Sim*$, which could undermine the contribution of this paper.

• Other attacks in the experiments have very low success rates and high query costs, which is very strange. In particular, in the HQA paper, they show that HQA decreases the accuracy to a few percent with less than 1000 queries. In [1], TextBugger has more than 70% success rate with avg 300 queries on AGNews, substantially higher than the results in Table 7.
• Since FLA does not know the label of the data, it can not perform targeted adversarial attacks that change the prediction to a target label.
• FLA requires training many surrogate models, which is expensive. Also, it takes FLA similar to universal attacks.

[1] Li, Zongyi, et al. "Searching for an Effective Defender: Benchmarking Defense against Adversarial Word Substitution." Conference on Empirical Methods in Natural Language Processing (EMNLP). 2021.

While I generally like the paper's idea, I also have several major concerns:

• The claim "free lunch" is quite overstated. In fact, I would argue that obtaining the test set that's aligned with the distribution of the victim's training set is even more challenging (if not impossible) than either querying the model or obtaining knowledge of the model's architecture.
• Some details are hard to follow. For example, on Line 219: "approximates the distribution of the original training data", I'm not sure how a 2-class dataset follows the distribution of arbitrary original data.
• The clustering step is important, but the intuition and connection to why pseudo-labeling works is not rigorous. Plus, are there any assumptions on the clustering step w.r.t the decision boundaries of the victim's model?
• Evaluation on adversarial defenses is also limited. This state There are various different types of defenses, such as TMD, RanMASK, InfoBert, and AdvFooler, and adversarial training such as FreeLB or ASCC. In fact, I don't agree with this statement "training-free defense methods are more appropriate for FLA".

Nguyen et al. Textual manifold-based defense against natural language adversarial examples. EMNLP'22
Hoang et al. Fooling the Textual Fooler via Randomizing Latent Representations. ACL'24
Xu et al. 2023. Certified robustness to text adversarial attacks by randomized [MASK]. Computational Linguistics'23.
Wang et al. InfoBert: Improving robustness of language models from an information theoretic perspective. ICLR'21 \