Humanizing the Machine: Proxy Attacks to Mislead LLM Detectors

To compare the fine-tuning time, we set the DPO batch size to 8 and epoch to 5. We utilized LoRA for efficient fine-tuning. We also compare the inference time of text generation from HUMPA attacked LLM and that from the unattacked LLM. The inference time is of a single pass with a batch size of 1. The results are as follows:

We find that HUMPA is much more efficient than directly DPO fine-tuning attack the source model. The results indicate the efficiency of HUMPA. The inference time of HUMPA is slightly slower than that of the source model, but the sacrifice is not significant. We have included a section of "Efficiency" in the updated version.

4. (Q1) How sensitive is the HUMPA method to the choice of SLM used as the proxy attacker? Would using even smaller models such as Phi-3.5-mini-instruct still be effective?

Response: Thanks for the constructive suggestion. We fine-tuned a Llama2-13B, and a TinyLlama-1.1B[R1] as the SLM respectively. We use Roberta-large as the scoring detector and evaluate on the Roberta-base on the Writing dataset, the attack ratio $\alpha$ is set to 1.5. The results are as follows:

We find that different SLMs exhibit varying levels of effectiveness when attacking the LLM, with Llama2-13B being the most effective choice. This suggests that when selecting an SLM for such attacks, we need to consider its capability; stronger SLMs tend to demonstrate better attack performance.

To extend the HUMPA attack to a source LLM using an SLM from a different model family, we still need to obtain a humanized SLM, begin by sampling response pairs $(y_s, y_s^{'})$ from the SLM given prompt $x$, and assigning preference labels using a scoring detector to create a preference dataset. Then, we fine-tune the SLM with DPO to obtain a humanized SLM (as detailed in Section 3.3 of our paper).

To address scenarios where the LLM and SLM come from different model families with dissimilar vocabularies, we adopt the technique described in [R2].In this approach, we keep the humanized SLM frozen as the reward model while fine-tuning the source LLM. During the fine-tuning process of the source LLM, we sample response pairs $(y_{l}, y_l^{'})$ from the LLM, which are used as inputs for both the target LLM and the reward SLM. We perform DPO fine-tuning on Phi-3.5-mini-instruct using the scoring detector Roberta-large. We then apply this reward model to guide the fine-tuning [R2] of the source model Llama2-13B for 3 epochs. The performance of the unattacked source Llama2-13B and the attacked Llama2-13B by humanized Phi-3.5-mini, tested using Roberta-base on the Writing dataset, is as follows:

We find that the source model can be attacked by a humanized SLM from a different family. However, since this technique requires fine-tuning both the source LLM and the SLM, we did not include it in our paper. We leave systematic explorations on attacking LLMs from different model families without fine-tuning for future work to maintain our focus on the fragility of zero-shot detectors, the ease of efficiently attacking an LLM by fine-tuning only a small model, the equivalence between attacking the source LLM and attacking by an humanized SLM, and the preservation of the attacked LLM's generation utility.

[R1] Zhang, P., Zeng, G., Wang, T., & Lu, W. (2024). Tinyllama: An open-source small language model. arXiv preprint arXiv:2401.02385.

[R2] Gao, Z., Chang, J. D., Zhan, W., Oertell, O., Swamy, G., Brantley, K., ... & Sun, W. (2024). Rebel: Reinforcement learning via regressing relative rewards. arXiv preprint arXiv:2404.16767.

Dear reviewer SF6Q ,

Thank you for taking the time to review our work and providing constructive feedback. In the following, we aim to address your questions and concerns.

1. (W1) The HUMPA method itself is too straightforward and lacks novelty. Many previous works [R1, R2] in other fields share similar ideas.

Response: We highlight that our work introduces a lightweight strategy to attack LLM by leveraging a humanized SLM that can bypass detectors. This simple yet effective strategy involves 1) obtaining humanized SLM by DPO fine-tuning, and 2) attacking the LLM's next-token output distribution by the subtle SLM's logit offset for each token probability in the decoding phase. We find that many detectors are vulnerable, and HUMPA bypasses the detectors while preserving the generation utility.

In the updated version, we have included additional related works in Appendix B. The work in [R1] makes contribution in safety-aware decoding strategy to defend against LLM jailbreaks, and [R2] innovatively uses speculative sampling to transformer decoding to accelerate LLMs. While they share similar vision in the using an auxiliary model in decoding-time realignment, we need to claim that our method aims to fine-tune an SLM towards optimal reward until it reaches the same level of reward for the human process according to a scoring detector, and adapt the LLM to achieves the same expected reward. We show in terms of detection evasion, our attack strategy at decoding time achieves the same effect as directly attack the source model by DPO fine-tuning. We believe it is a theoretical contribution in the field of proxy fine-tuning an LLM, and provide insights into effortlessly bypassing the LLM detectors.

While we agree that the primary aim of our work is not to introduce a novel method for decoding-time realignment, we notice that the ICLR 2025 call for papers explicitly lists "alignment, fairness, safety, privacy, and societal considerations" as topics of interest. We believe our work aligns closely with this category, addressing important challenges in the safety and robustness of AI systems.

[R1] Xu, Zhangchen, et al. "Safedecoding: Defending against jailbreak attacks via safety-aware decoding." arXiv preprint arXiv:2402.08983 (2024).

[R2] Chen, Charlie, et al. "Accelerating large language model decoding with speculative sampling." arXiv preprint arXiv:2302.01318 (2023).

2. (W2) Experiment metrics are not explained and hard to follow.

Response: Thanks for the constructive comment, it helps improve our paper. Following prior works [R1], we employ the Area Under the Receiver Operating Characteristic Curve (AUROC) and the Area Under the Precision-Recall Curve (AUPRC) as primary metrics to evaluate the performance of each detector. To assess the utility and quality of the generated text, we utilize BERTScore and ROUGE-1/2/L metrics. We provide a detailed explanation of these metrics. To make it more clear, we have included a detailed explanation of these metrics in Appendix C of the updated version.

[R1] Bao, G., Zhao, Y., Teng, Z., Yang, L., & Zhang, Y. Fast-DetectGPT: Efficient Zero-Shot Detection of Machine-Generated Text via Conditional Probability Curvature. In ICLR 2024.

3. (W2 & Q2) Since the main purpose of applying SLM is to reduce time efficiency, you should also provide the time cost comparison between fine-tuning SLM and original LLM. How does the computational cost of HUMPA compare to directly fine-tuning the source model, especially for the largest models tested?

Response: Thanks for the constructive suggestion. Fine-tuning the model with DPO requires a preference dataset, which is generated by sampling response pairs $(y_1, y_2)$ from the model. To directly fine-tune the source model, preference pairs are sampled from the source model itself. In contrast, HUMPA samples pairs from the SLM, as the SLM is the model that needs to be fine-tuned (refer to Section 3.3 for detail). Therefore, we compare the running time of HUMPA with prior work that samples pairs from the source model and apply DPO fine-tuning on the source model.

Dear reviewer wsFK ,

Thank you for taking the time to review our work and providing detailed feedback. In the following, we aim to address your questions and concerns.

1. (W1,Q1) No baselines: the work only compares the result between the original LLM and the original LLM with the proposed HUMPA added on top. As shown in the Detection Evasion Methods in the Related Works section, many baselines should be compared. What methodological improvement does this work offer over previous approaches to evading LLM detection?

Response: Thanks for the constructive suggestion, it helps to improve our paper. In Appendix G (Appendix H of revised paper), we evaluated our approach against the paraphrasing attack method DIPPER [R1] by comparing both the AUROC and the Fluency Win Rate. To show the effectiveness of detection evasion, we compare our method with two state-of-the-art paraphrasing evasion techniques: DIPPER Paraphrasing [R1] and Query-based Substitutions [R2]. Their performances on the WritingPrompts dataset are presented as follows.

We find that our method with $\alpha = 1.5$, achieves the best detection evasion performance, aligning with our analysis of $\alpha$ in Section 3.3. We have included the results in Table 8 of the updated paper.

The state-of-the-art fine-tuning approach is directly DPO fine-tuning the source model [R3] to evade detection. However, this approach is time-consuming when DPO fine-tuning a large model (e.g., 70B), and it is difficult to balance maintaining high-quality text generation with effective detection evasion. We claim our strategy is more efficient than that, and the utility of text generation is preserved. Therefore, in the "Utility Preserving" section (Section 4.4), we compare our method with theirs in terms of utility preservation. We have included an "Efficiency" section in the updated version, to show the efficiency of our approach compared to this method.

[R1] Krishna, K., Song, Y., Karpinska, M., Wieting, J., & Iyyer, M. (2024). Paraphrasing evades detectors of ai-generated text, but retrieval is an effective defense. Advances in Neural Information Processing Systems, 36.

[R2] Shi, Z., Wang, Y., Yin, F., Chen, X., Chang, K. W., & Hsieh, C. J. (2024). Red teaming language model detectors with language models. Transactions of the Association for Computational Linguistics, 12, 174-189.

[R3]. Nicks, C., Mitchell, E., Rafailov, R., Sharma, A., Manning, C. D., Finn, C., & Ermon, S. (2023). Language model detectors are easily optimized against. In ICLR 2024.

2. (W2.1) Attacker capability: does the attacker know the target LLM detector? Can the attacker query the target detector? Here, the reviewer wants to ask for the attacker's access to the detector.

Response: Thank you for the great question. In our work, we do not assume that the attacker needs to know the target LLM detector. To obtain the humanized SLM, the attacker performs DPO fine-tuning, which requires creating the preference dataset $\mathcal{D} = \{ (x, y^w, y^l) \}$. A scoring detector is needed to assign preference labels. Specifically, for each prompt $x$, we sample response pairs $(y_1, y_2)$ using the SLM, and determine preference labels by comparing the scoring detector's human-ness scores $s(x, y)$ on the responses: if $y_1 \succ y_2$, we assign $y^w = y_1$ and $y^l = y_2$; otherwise, we assign $y^w = y_2$ and $y^l = y_1$ (more details can be found in Section 3.3). In this process, the scoring detector does not need to be the target LLM detector. In our experiments, we use Fast-DetectGPT as the scoring detector because it is fast and accurate. After obtaining the fine-tuned SLM, we evaluate various detectors on texts generated by the attacked LLM. As stated in Section 4.2, "In our experiments, we use Fast-DetectGPT for scoring."

6. (W2.4) What is the threshold for evading LLM detection?

Response: Thank you for the great question. The Area Under the ROC Curve (AUROC) is calculated as the area under the ROC curve, quantifying the overall ability of a classifier to distinguish between the two classes. The ROC curve is generated by calculating the True Positive Rate (TPR) and False Positive Rate (FPR) at every possible threshold. This means it considers the full spectrum of threshold values from 0 to 1. Crucially, AUROC is independent of the specific decision threshold. Following prior work [R1], we did not manually set a threshold when calculating the AUROC.

It should be noted that in our theoretical analysis (Appendix A.1), we bring up the concept of a threshold to hypothesize that our scoring detector assigns labels to texts based on an implicit reward and a corresponding threshold. This concept is purely a theoretical construct and is not related to our evaluation process.

[R1]. Bao, G., Zhao, Y., Teng, Z., Yang, L., & Zhang, Y. Fast-DetectGPT: Efficient Zero-Shot Detection of Machine-Generated Text via Conditional Probability Curvature. In ICLR 2024.

7. (W2.4) Line 453 claims that HUMPA successfully evaded all detection methods across all source models. However, in Table 2 many detection scores are higher than 0.5.

Response: Thank you for the fair comment. We need to clarify that the performances in Table 2 does not represent the best detection evasion performance achievable by HUMPA. Instead, this table shows the AUROC performance of detectors when the utilities of text generated from HUMPA attacked LLM and the source LLM are constrained within a manually set budget of $\Delta S_{Bert}\leq 0.02$ and $\Delta \text{ROUGE-1} \leq 0.03$. We aim to show within this budget, how HUMPA performs in detection evasion, and how fragile for different detectors when attacked by HUMPA.

As we state in Section 3.3, the ratio $\alpha$ controls the intensity of the attack on the LLM, with larger values of $\alpha$ yielding higher rewards and better detection evasion, while smaller values keep the attacked LLM closer to the source LLM. Therefore, the effectiveness of detection evasion can be controlled by $\alpha$. For example, when evaluating the white-box detectors Likelihood, DetectGPT, and Fast-DetectGPT on texts generated by HUMPA attacked Llama2-13B for the WritingPrompts dataset, the AUROC of the detectors decrease as $\alpha$ increases

We demonstrated this effect in the "Analysis of $\alpha$" section (Section 4.4) and discussed it following Theorem 3.2, noting that a larger $\alpha$ leads to higher rewards and improved detection evasion. To address any confusion, we have added further details and analysis in the "More Analysis of $\alpha$ " section in Appendix G of the updated paper.

8. (W3) Poor writing, many typos or errors

Response: Thank you for your careful review and suggestions. We have corrected the typos and errors in the revised version of the paper.

9 (Q2). Why is LORA not considered?

Response: Thanks for the great question. Throughout our experiments, we utilized LoRA for fine-tuning. To clarify this in the paper, we have included the following statement in the "Implementation Details" section (in Section 4.1): "We apply Low-Rank Adaptation (LoRA) to fine-tune the SLM." Additionally, we have added a section of "Efficiency" (Section 4.4), where we compare the runtime of HUMPA with directly attacking the source model by DPO fine-tuning from prior work [R1]. Additionally, in Table 3 of the revised paper, we have updated the description of the table to explicitly state: "'Fine-tuning' represents DPO fine-tuning using LoRA."

[R1]. Nicks, C., Mitchell, E., Rafailov, R., Sharma, A., Manning, C. D., Finn, C., & Ermon, S. (2023). Language model detectors are easily optimized against. In ICLR 2024.

3. (W2.1) In this work, the authors seem to denote the white box (detector) as the detector's access to LLM logits, while the black box indicates no access to logits and directly detects based on the final produced text (However, it is not clearly explained in the paper).

Response: We thank the reviewer for pointing out this issue. However, it is worth noting that most of zero-shot detectors are usually composed of a surrogate model (also termed as 'scoring model' [R2]) and the source model. The surrogate model is used to compute AI-like scores for the text generated by the source model [R2, R3]. In Fast-DetectGPT [R2], it consists of a sampling model and a scoring model.

In the field of machine-generated text detection, white-box denote the surrogate model know the source model, and black-box denote the surrogate model does not know the source model [R1, R2, R3]. In our work, we followed the existing definition and described in the section of "The Settings" (Section 4.1) that "We evaluate the zero-shot methods in two settings, the white-box (source model is known) setting and black-box (source model is unknown) setting". Accordingly, we conducted experiments in both settings. Following [R2], in the white-box setting, we set the surrogate model in each detector to be identical to the source model, whereas in the black-box setting, the surrogate model differs from the source model.

This concept is different from the 'scoring detector' mentioned in our method in Section 3.3. To avoid any confusion, we have updated the terminology in our revised version by replacing the term 'scoring' model with 'surrogate' model when describing the detectors. Besides, we have included a more clear description of the white- and black-box settings

[R1] Yang, X., Pan, L., Zhao, X., Chen, H., Petzold, L., Wang, W. Y., & Cheng, W. (2023). A survey on detection of llms-generated content. arXiv preprint arXiv:2310.15654.

[R2] Bao, G., Zhao, Y., Teng, Z., Yang, L., & Zhang, Y. Fast-DetectGPT: Efficient Zero-Shot Detection of Machine-Generated Text via Conditional Probability Curvature. In ICLR 2024.

[R3] Yang, X., Cheng, W., Wu, Y., Petzold, L. R., Wang, W. Y., & Chen, H. DNA-GPT: Divergent N-Gram Analysis for Training-Free Detection of GPT-Generated Text. In ICLR 2024.

4. (W2.2) Is the HUMPA method required to know which detector it faces beforehand? The work seems to use the target LLM detection directly as the reward model for each attack. Specifically, no cross-detector experiment setting was provided. Reviewing the code, the DPO_MixBuilder class also conditions based on the target detector. Thus, it seems that generalizability is an issue. Can a HUMPA method leveraging a target LLM detector be applied to a different type of LLM detector?

Response: Thank you for the question. As mentioned in our previous response (Response 2), we do not assume that the attacker requires knowledge of the target LLM detector. In our experiments, we use Fast-DetectGPT as the scoring detector primarily due to its speed and accuracy. Some perturbation-based detectors are time-consuming and therefore not ideal choices for scoring. By using Fast-DetectGPT as the scoring detector to obtain the fine-tuned SLM, we evaluate all other detectors, with the results presented in Tables 1, 2, 3, 5, 6, 7, 10, and 11 (Tables 1, 2, 4, 5, 6, 7, 8, 10 and 11 in the updated paper).

In the code, the DPO_MixBuilder class includes more options for scoring detectors. We aim to provide these as interfaces for users who are interested in following our work. A clearer README file and detailed user guidance will be provided when we officially release the code.

5. (W2.3) The target LLM task required for HUMPA to work. Can HUMPA generalize to different text generation tasks?

Response: We thank the reviewer for constructive feedback. When tuning the SLM, the target task is not assumed to known. We tested HUMPA in a cross-task scenario: we fine-tuned the SLM Llama2-7B on the text completion task using the WritingPrompts dataset and attacked the Llama2-13B on the question-answering task using the PubMedQA dataset. We use Roberta-large for the scoring detector, and evaluate the AUROC of Roberta-base. The results are as follows

We find that HUMPA successfully attacks the LLM in this scenario, resulting in relative drops of 41.9% and 43.6%, respectively, for $\alpha=1.5$ and $\alpha=2.0$.

Dear Reviewer wsFK,

Thanks for follow-up, we address the questions as follows

1. What methodological improvement does this work offer over previous approaches to evading LLM detection?

Response: Thanks for the valuable question. In the field of detection evasion, most of previous approaches are paraphrasing methods, which directly modify the content of prompts or generated text. Each time the attack is launched, the prompts or generated text need to be processed by a paraphrasing model, limiting its long-term scalability.

An alternative research line focuses on adapting the source model [R1], enabling it to generate texts that evade detection. The fine-tuning is performed once, after which the generative model consistently exhibits the malicious behavior. The prior work [R1] employs DPO fine-tuning to adapt the source model. However, this approach becomes time-intensive when dealing with sufficiently large source LLMs (e.g., 70B parameters). To address this limitation, we propose a lightweight method to adapt the source LLM, enabling it to generate text that bypasses detectors. We formulate the detection evasion by assuming an implicit reward that a scoring detector bases its decision on. We aim to find a machine generative process by adapting the source LLM, such that a scoring detector is unable to distinguish the machine-generated texts from the human texts. To this end, our work fine tune an SLM towards optimal reward, aiming to reach the same level of reward for the human process according to a scoring detector. For detection evasion, the SLM was used to adapt the source LLM by shifting the logit distribution at the decoding phase to achieve the same expected reward as fine-tuning the LLM. Our empirical study demonstrates that our approach improves efficiency, enables the LLM to effectively evade detection, and preserves generation utility.

[R1] Nicks, C., Mitchell, E., Rafailov, R., Sharma, A., Manning, C. D., Finn, C., & Ermon, S. (2023). Language model detectors are easily optimized against. In ICLR 2024.

2.The papers not compared in the related works section.

Response: We thank the reviewer for constructive suggestions. In the revised version, we have included and compared the papers[R2,R3] in the related works section.

[R2] Humanizing Machine-Generated Content: Evading AI-Text Detection through Adversarial Attack

[R3] Red teaming language model detectors with language models

Dear reviewer oRJ8,

We appreciate your insightful comments and provide our response as follows:

1. The experimental setup lacks latest strong baselines, such as the more robust detector "binoculars [R1]". (This detector is easy to replicate and very fast.)

Response: We thank the reviewer for the constructive suggestion. We have included an additional experiment to evaluate Binoculars[R1] as a detection method for all the models and datasets (Table 1, 2, 4, 5, 6, 7, 8, 10, 11 in the updated paper), and test its results when the generation utilities of texts produced by HUMPA and the source model are within the budget of $\Delta S_{Bert} \leq 0.02$ and $\Delta \text{Rouge-1} \leq 0.03$. The results suggest that Binoculars experiences a greater performance drop when evaluated on texts generated by the attacked Mixtral-8x7B, with the highest relative decrease reaching 95.03% on OpenWebText.

[R1] Hans, A., Schwarzschild, A., Cherepanova, V., Kazemi, H., Saha, A., Goldblum, M., ... & Goldstein, T. Spotting LLMs With Binoculars: Zero-Shot Detection of Machine-Generated Text. In Forty-first International Conference on Machine Learning.

2. Cross-model detection evasion deserves more focus, as disciplines and languages remain constant, while LLMs continue to evolve.

Response: Thanks for the insightful suggestion. While we agree that the LLMs continue to evolve, in our experiments we applied the HUMPA strategy to attack models released at different times. Specifically, we attacked Llama2-13B (released in July 2023) using Llama2-7B, Mixtral-8x7B (released in December 2023) using Mistral-7B, and Llama3-70B (released in April 2024) using Llama3-8B.

To extend the HUMPA attack to a source LLM using an SLM from a different model family, we still need to obtain a humanized SLM, begin by sampling response pairs $(y_s, y_s^{'})$ from the SLM given prompt $x$, and assigning preference labels using a scoring detector to create a preference dataset. Then, we fine-tune the SLM with DPO to obtain a humanized SLM (as detailed in Section 3.3 of our paper).

To address scenarios where the LLM and SLM come from different model families with dissimilar vocabularies, we adopt the technique described in [R2]. In this approach, we keep the humanized SLM frozen as the reward model while fine-tuning the source LLM. During the fine-tuning process of the source LLM, we sample response pairs $(y_l, y_l^{'})$ from the LLM, which are used as inputs for both the target LLM and the reward SLM. We perform DPO fine-tuning on Phi-3.5-mini-instruct using the scoring detector Roberta-large. We then apply this reward model to guide the fine-tuning [R2] of the source model Llama2-13B for 3 epochs. The performance of the unattacked source Llama2-13B and the attacked Llama2-13B by humanized Phi-3.5-mini, tested using Roberta-base on the WritingPrompts dataset, is as follows:

We find that the source model can be attacked by a humanized SLM from a different family. However, since this technique requires fine-tuning both the source LLM and the SLM, we did not include it in our paper. We leave systematic explorations on attacking LLMs from different model families without fine-tuning for future work to maintain our focus on the fragility of zero-shot detectors, the ease of attacking an LLM by fine-tuning only a small model, the equivalence between attacking the source LLM and attacking by an humanized SLM, and the preservation of the attacked LLM's generation utility.

[R2] Gao, Z., Chang, J. D., Zhan, W., Oertell, O., Swamy, G., Brantley, K., ... & Sun, W. (2024). Rebel: Reinforcement learning via regressing relative rewards. arXiv preprint arXiv:2404.16767.

Thank you for addressing all my questions and providing additional details regarding your experiments, especially the new results on Binoculars. As the rebuttal has addressed some of my concerns, I will raise my rating to 6 accordingly.

3. This paper does not compare with previous methods on evading machine-generated text detection, the only comparison is on the fluency part rather than effectiveness.

Response: Thanks for the constructive suggestion, it helps to improve our paper. In Appendix G: "More Analysis of $\alpha$", we evaluated our approach against the paraphrasing attack method DIPPER [R1] by comparing both the AUROC and the Fluency Win Rate. To show the effectiveness of detection evasion, we compare our method with two state-of-the-art paraphrasing evasion techniques: DIPPER Paraphrasing [R1] and Query-based Substitutions [R2]. Their performances on the WritingPrompts dataset are presented as follows.

We find that our method with $\alpha = 1.5$, achieves the best detection evasion performance, aligning with our analysis of $\alpha$ in Section 3.3. We have included the results in Table 8 of the updated paper.

The state-of-the-art fine-tuning approach is directly DPO fine-tuning the source model (Nicks et al., 2024) to evade detection. However, this approach is time-consuming when DPO fine-tuning a large model (e.g., 70B), and it is difficult to balance maintaining high-quality text generation with effective detection evasion. We claim our strategy is more efficient than that, and the utility of text generation is preserved. Therefore, in the "Utility Preserving" section (Section 4.4), we compare our method with theirs in terms of utility preservation. We have included an "Efficiency" section in the updated version, to show the efficiency of our approach compared to this method.

[R1] Krishna, K., Song, Y., Karpinska, M., Wieting, J., & Iyyer, M. (2024). Paraphrasing evades detectors of ai-generated text, but retrieval is an effective defense. Advances in Neural Information Processing Systems, 36.

[R2] Shi, Z., Wang, Y., Yin, F., Chen, X., Chang, K. W., & Hsieh, C. J. (2024). Red teaming language model detectors with language models. Transactions of the Association for Computational Linguistics, 12, 174-189.

4. The provided theorems do not seem to be closely connected with the proposed method. For example, thoerem 1 just proves the existence of the optimal $\beta$, and this theorem seems applicable to a wide range of tasks that uses DPO. Yet, it is unclear how significant it is to the evasion of AI-generated text detection and how this can be achieved through proxy-tuning.

Response: We thank the reviewer for pointing out the possible confusion in our theoretical presentation, and address the concern below:

Theorem 3.1 is indeed a general result for models fine-tuned with DPO, though it is phrased under the specific scenario where we train the model on labels generated according to the Bradley-Terry model and the human-ness score. We have changed the theorem into a lemma to highlight its preliminary nature.

On the other hand, Theorem 3.2 is the main theoretical result pertaining to our method, as it states that our attack model HUMPA defined in Equation 4 is equivalent to a large attack model fine-tuned on the DPO objective. This does not directly state anything about the performance of the fine-tuned model, but combining the two theorems gives us the desired theoretical conclusion: our proxy-attacked model can achieve an expected reward on par with human-generated texts. For clarification, we reorganized the post-theorem discussion into a paragraph on the effect of $\alpha$ and a separate Corollary 3.3 to address the combined result of both our theorems.

For instance, when evaluating the white-box detectors Likelihood, DetectGPT, and Fast-DetectGPT on texts generated by HUMPA attacked Llama2-13B for the WritingPrompts dataset, the AUROC of the detectors decrease as $\alpha$ increases

We find that, at the same attack ratio, although Fast-DetectGPT shows better detection performance than Likelihood and DetectGPT. DetectGPT experiences greater relative drops, showing it more robust to attacks compared to Fast-DetectGPT and Likelihood. We demonstrated this effect in the "Analysis of $\alpha$" section (Section 4.4) and discussed it following Theorem 3.2, noting that "a larger $\alpha$ leads to higher rewards and improved detection evasion, while a smaller $\alpha$ keeps $M'$ closer to the reference model $M^{ref}$". We study this effect in the "Analysis of $\alpha$" section (Section 4.4). To clarify the confusion, we have included more details and analysis in the section of "More Analysis of $\alpha$" in Appendix G of the updated paper.

Since each detector is built with a distinct architecture and mechanism, their vulnerabilities to attacks differ as well. Enhancing the robustness of detectors has consistently been a key focus in this field [R1]. Our work also reveals that different detectors exhibit varying levels of vulnerability. Besides, we highlight it in the Ethics Statement: "This study aims to encourage the broader research community to focus on developing more robust detection methods."

[R1] Zhang, Y. F., Zhang, Z., Wang, L., Tan, T., & Jin, R. (2023). Assaying on the robustness of zero-shot machine-generated text detectors. arXiv preprint arXiv:2312.12918.

Dear reviewer pAX3,

Thank you for your careful reading and suggestions. We answer the questions below:

1. The novelty of this paper on the technical side might be limited. The general idea of first tune a smaller model and then manipulate the sampling process of the larger model has been widely applied in previous works, such as Proxy-tuning [R1], EFT [R2], and DeRa [R3] (not cited). The papers method is generally a combination of DeRa, EFT and Proxy-tuning. The main innovation of this paper is its application to the problem of evading machine-generated text detection. However, this cannot fully support the method's novelty.

Response: We highlight that our work introduces a lightweight strategy to attack LLM by leveraging a humanized SLM that can bypass detectors. This simple yet effective strategy involves 1) obtaining humanized SLM by DPO fine-tuning, and 2) attacking the LLM's next-token output distribution by the subtle SLM's logit offset for each token probability in the decoding phase. We find that many detectors are vulnerable, and HUMPA bypasses the detectors while preserving the generation utility.

In the updated version, we have included additional related works in Appendix B. While Proxy-tuning [R1], EFT [R2], and DeRa [R3] (we cited it in the revised version) share similar vision in proxy fine-tuning, we need to claim that our method aims to fine-tune an SLM towards optimal reward until it reaches the same level of reward for the human process according to a scoring detector, and adapt the LLM to achieves the same expected reward. We show in terms of detection evasion, our attack strategy at decoding time achieves the same effect as directly attack the source model by DPO fine-tuning. We believe it is a theoretical contribution in the field of proxy fine-tuning an LLM, and provide insights into effortlessly bypassing the LLM detectors.

We have included additional related works in Appendix B of the updated version. However, while we agree that the primary aim of our work is not to introduce a novel method for proxy fine-tuning, we notice that the ICLR 2025 call for papers explicitly lists "alignment, fairness, safety, privacy, and societal considerations" as topics of interest. We believe our work aligns closely with this category, addressing important challenges in the safety and robustness of AI systems.

[R1] Liu, A., Han, X., Wang, Y., Tsvetkov, Y., Choi, Y., & Smith, N. A. (2024). Tuning language models by proxy. arXiv preprint arXiv:2401.08565.

[R2] Mitchell, E., Rafailov, R., Sharma, A., Finn, C., & Manning, C. D. (2023). An emulator for fine-tuning large language models using small language models. arXiv preprint arXiv:2310.12962.

[R3] Liu, T., Guo, S., Bianco, L., Calandriello, D., Berthet, Q., Llinares, F., ... & Blondel, M. (2024). Decoding-time Realignment of Language Models. arXiv preprint arXiv:2402.02992.

2. The improvement of the method over previous works seems marginal. According to the experimental results, the effectiveness of the proposed method is unstable. For example, in table 1-white-box, Likelihood, DetectGPT and Fast-DetectGPT's performances are only slightly degraded. This raises doubts on how the proposed method really advanced the field.

Response: Thanks for the great question. It is important to note that the performances in Table 1,2,3,5,6,7 (updated to Tables 1, 2, 4, 5, 6, 7, 10, and 11 in the revised paper) do not represent the best detection evasion performance achievable by HUMPA. Instead, these tables show the AUROC performance of detectors when the utilities of text generated from HUMPA attacked LLM and the source LLM are constrained within a manually set budget of $\Delta S_{Bert}\leq 0.02$ and $\Delta \text{ROUGE-1} \leq 0.03$. We aim to show within this budget, how HUMPA performs in detection evasion, and how fragile for different detectors when attacked by HUMPA.

As we state in Section 3.3, the ratio $\alpha$ controls the intensity of the attack on the LLM, with larger values of $\alpha$ yielding higher rewards and better detection evasion, while smaller values keep the attacked LLM closer to the source LLM. Therefore, the effectiveness of detection evasion can be controlled by $\alpha$.

Dear authors, thanks for your rebuttal. I have raised my score to 5. While some of my concerns are addressed by your response, I still have the following concerns.

• Regarding novelty, I still feel this paper offers limited new insights to the community. It is already well-established that DPO can be used to effective attack LLM-generated text detectors (Nicks et al., 2024). The paper's primary contribution lies in replacing the full attack model's DPO with another efficient fine-tuning method called proxy-tuning. However, it is not surprising that this straightforward combination yields performance gains, as proxy-tuning can be applied to any task utilizing full parameter DPO. My main concern is that this work may not significantly advance understanding or provide valuable insights for the AI-generated text attack/defense community, potentially undermining its claim to novelty.

• Regarding the new experiments, I am concerned that whether the larger choice of $\alpha$ can degrade text utility. Current experiments in the rebuttal improves attack effectiveness by enlarging $\alpha$, but evidently it will harm text utility. Therefore, please consider adding the metric of text utility for reference (especially in my point #3. Please add the text utility metric for your method with different choices of $\alpha$ as well as all baselines.).

• Could you elaborate on how your scoring detector generalizes to texts with OOD themes or styles that are not covered in the training set?

1. Regarding novelty

Response: We thank the reviewer for the comments. The state-of-the-art work in (Nicks et al., 2024) employs the strategy of fine-tuning the source model directly for detection evasion. While our proxy fine-tuning methodology is straightforward, we aim to improve the efficiency of directly fine-tuning to attack the large models. Furthermore, our theory demonstrates that our attacking strategy at decoding time achieves the same evasion effectiveness as directly attacking the source model through DPO fine-tuning, which theoretically justifies the use of the proxy approach. We believe the key focus in evasion detection should be to inspire the community to develop robust models against threats. Addressing this robustness challenge is crucial not only for ensuring the reliability of detection systems, but also for building trust in the technology among stakeholders. From this standpoint, our work is both valuable and relevant, as it addresses the foundational challenges and contributes to advancing the field.

2. Whether the larger choice of $\alpha$ can degrade text utility. Adding the metric of text utility for reference.

Response: Thanks for the pointing out this issue. In our experiments, we indeed found that with the increase of $\alpha$, the utility decreases (refer to the Table in point #3). This is within expectations and in line with our discussion after Theorem 3.2 (Section 3.3), where larger $\alpha$ leads to higher reward and better detection evasion, while smaller $\alpha$ keeps $M'$ closer to the reference model $M^{ref}$. Hence, $\alpha$ governs the trade-off between evasion performance and generation quality, and an adversary should choose an appropriate $\alpha$ to balance the attack effect and text quality, e.g. find a maximum $\alpha$ that keeps the generated text within a given quality budget (maximum decrease in quality). In the revised manuscript, we have included the utility scores of all methods in Table 8 and further discussed the trade-off between evasion performance and utility in Appendix G.

3. Elaborate on how scoring detector generalizes to texts with OOD themes or styles that are not covered in the training set.

Response: Thank you for this thoughtful question. To elaborate, since HUMPA generates its attacks based on the LLM (when $\alpha=0$ the attacker is exact the same as pre-trained LLM), the generation utility is mostly dependent on $\alpha$ and largely independent of the dataset used for DPO training: with a reasonable $\alpha$, the attacked generation should have high quality regardless of training data.

Second, in terms of the effectiveness of detection evasion, consider the distribution shift term in Equation (4):

which captures the SLM's reference-to-attacker shift. It is reasonable to hypothesize that this shift involves correcting some text generation "habits'' of the machine to be more human-like (e.g. excluding fancy, impractical words that are not often used in daily life). Furthermore, it is not far-fetched to assume that these habitual corrections are mostly context-free, i.e. they do not generally depend on the specific textual theme or style. Therefore, with a reasonable training preference dataset, the SLM should be able to capture these general habitual corrections, and through HUMPA apply these corrections on LLM-generated texts to evade detection, even in environment with different distributions.

Dear authors, thank you for your rebuttal. I have carefully read your rebuttal and new revised manuscript. While the new follow-up response solves some of my concerns, I remain concerned on the novelty of this paper. I'm still feeling this paper to be a straightfoward combination of proxy-tuning and DPO for a low-fruit downstream task (i.e., AI-generated text detection), missing much fresh insights/understandings into this field (this point is similar to Reviewer wsFK), making it not enough for ICLR. Therefore, I decide to keep my rating and I sincerely thank the authors again for answering my questions.

10. (S13) Discuss the trade-offs between efficiency gains and potential performance differences

Response: Thanks for the constructive suggestion. We fine-tune Llama2-7B on the OpenWebText dataset with a batch size of 8 and 5 epochs, using RoBERTa-large as the scoring detector. We varying the size of training data and record the fine-tuning runtime. Evaluation is conducted using the RoBERTa-base detector on text generated by the attacked Llama2-13B model with $\alpha=1.5$. The results are presented below

We find that performance gains increase with the size of the training dataset, while efficiency gains decrease as the training dataset size grows. It suggests that there is a trade-off between efficiency and performance: a larger training size improves performance but at the cost of reduced efficiency gains. Therefore, practitioners need to balance these factors according to their specific priorities. If an adversary prioritizes performance gains, a larger training dataset may be preferable. On the contrary, if efficiency or fine-tuning time is more critical, a smaller training size provides a better balance. We have included a section of "Sensitivity of Training Sizes" in the updated paper.

11.(S5) Suggest or conduct additional experiments that could test the boundaries of the attack's effectiveness across a wider range of scenarios or detectors

Response: We thank the reviewer for the fair question. A practical approach to exploring the boundaries of the attack's effectiveness across a wider range of detectors would involve collecting text generated by the attacked LLMs, fine-tuned against several strong detectors, as negative samples. Human-written texts could then be collected as positive samples. Using this data, we can train a binary classifier to distinguish between machine-generated and human-written texts. However, this method may not fully capture the attack's effectiveness. The attacked model generates "polluted" texts with varying levels of $\alpha$, which impacts the quality of the generated text. As a result, this approach may be ineffective in reaching the real boundary of the attack, given that the intensity of the attack $\alpha$ may vary during the text generation process by the LLM.

12. (Q8) Can we apply such attacks in truly black-box settings, e.g., GPTZero or CopyLeaks?

Response: Thank you for the constructive question. We fine-tuned a Llama2-7B model on the WritingPrompts dataset using GPTZero as the scoring detector, with DPO fine-tuning conducted at $\beta=0.1$. We then evaluated GPTZero on texts generated by the attacked Llama2-13B model. The results are as follows

We find that GPTZero can also be bypassed. We agree that conducting more evaluations on commercial detectors, such as GPTZero, would be more comprehensive. However, we did not perform systematic experiments for that due to funding constraints.

13. (S11) Discuss the relative strengths and weaknesses of their approach compared to existing methods.

Response: Thank you for the constructive suggestion. The primary advantage of HUMPA lies in its efficiency in fine-tuning a smaller model instead of a larger one and its ability to transfer modifications to the larger model to evade detection. This approach preserves the utility of the generated text. In contrast, existing methods rely on directly fine-tuning the LLM using techniques like DPO [R1]. However, this approach is not only expensive for large models (e.g., 70B) but also yield ineffective or low-quality results when applied solely to smaller models for evasion attacks.

A potential weakness of HUMPA, as pointed out by the reviewer in Q1, S9 and addressed in our updated paper, is its reliance on a strong scoring detector to obtain an effective attack model. In the updated paper, we discuss it in our'' Analysis of Scoring Detector'' section that this gap may be unbridgeable due to the lack of high-quality preference data from weak scoring detectors.

[R1]. Nicks, C., Mitchell, E., Rafailov, R., Sharma, A., Manning, C. D., Finn, C., & Ermon, S. (2023). Language model detectors are easily optimized against. In ICLR 2024.

8. (W6, S10) Include comparisons with other state-of-the-art attack methods on the same datasets and detectors.

Response: We thank the reviewer for the constructive suggestion. To show the effectiveness of detection evasion, we compare our method with two state-of-the-art paraphrasing evasion techniques: DIPPER Paraphrasing [R1] and Query-based Substitutions [R2]. Their performances on the WritingPrompts dataset are presented as follows.

We find that our method with $\alpha = 1.5$, achieves the best detection evasion performance, aligning with our analysis of $\alpha$ in Section 3.3. We have included the results in Table 8 of the updated paper.

[R1] Krishna, K., Song, Y., Karpinska, M., Wieting, J., & Iyyer, M. (2024). Paraphrasing evades detectors of ai-generated text, but retrieval is an effective defense. Advances in Neural Information Processing Systems, 36.

[R2] Shi, Z., Wang, Y., Yin, F., Chen, X., Chang, K. W., & Hsieh, C. J. (2024). Red teaming language model detectors with language models. Transactions of the Association for Computational Linguistics, 12, 174-189.

9. (W7, Q4, S12) Provide assessment of the efficiency of using an SLM, particularly in comparison to tuning the source LLM with DPO. How efficient is the attack compared with tuning source LLMs with DPO? Provide quantitative comparisons of computational efficiency between their method and direct fine-tuning of the source LLM.

Response: Thanks for the constructive suggestion. Fine-tuning the model with DPO requires a preference dataset, which is generated by sampling response pairs $(y_1, y_2)$ from the model. To directly fine-tune the source model, preference pairs are sampled from the source model itself. In contrast, HUMPA samples pairs from the SLM, as the SLM is the model that needs to be fine-tuned (refer to Section 3.3 for detail). Therefore, we compare the running time of HUMPA with prior work that samples pairs from the source model and apply DPO fine-tuning on the source model. To compare the fine-tuning time, we set the DPO batch size to 8 and epoch to 5. We utilized LoRA for efficient fine-tuning. We also compare the inference time of text generation from HUMPA attacked LLM and that from the unattacked LLM. The inference time is of a single pass with a batch size of 1. The results are as follows:

We find that HUMPA is much more efficient than directly DPO fine-tuning attack the source model. The results indicate the efficiency of HUMPA. The inference time of HUMPA is slightly slower than that of the source model, but the sacrifice is not significant. We have included a section of "Efficiency" in the updated version.

6. (W4, Q6, Q7, S8) The paper relies on Fast-DetectGPT for scoring in every white-box experiment, which doesn’t seem appropriate or fully aligned with the paper’s methodology. Will these attacks still perform well using only the target detector or less well-calibrated detectors? What if we stick to the same model, i.e., to use the scoring of LRR to attack LRR? Is there any transferability across detectors? For example, can we use the scoring from LRR to attack DetectGPT or Fast-DetectGPT? Perform additional experiments using different detectors for scoring in the white-box setting.

Response: Thanks for raising this thoughtful question. We use the white-box LRR as the scoring detector to fine-tune a Llama2-7B model and evaluate the AUROC performance of LRR, DetectGPT, and Fast-DetectGPT in the white-box on texts generated by the attacked model under varying levels of $\alpha$.The results are as follows:

If we use Fast-DetectGPT as the scoring detector, the results are

We find that when LRR is used as the scoring detector, the attacked Llama2-13B model exhibits a relative drop of 3.67% on LRR and a 19.35% drop on Fast-DetectGPT even when $\alpha=2.0$. In contrast, when Fast-DetectGPT is used for scoring, the relative drop increases to 100% on LRR and 60.61% on Fast-DetectGPT for $\alpha=2.0$

While our paper does not assume which specific scoring detector the attacker must choose, adversaries can opt for any well-calibrated detector for this purpose. To address this issue, we have included a section of "Analysis of Scoring Detector" in Appendix J of the updated paper.

7. (W5, Q3, W1) Why do many of the white-box attacks have low performance? [also mentioned in W1:]…This explains why the paper uses Fast-DetectGPT as the scoring detector in all white-box settings, why black-box settings show better attack performance (NEO might be stronger with better calibration).

Response: Thanks for the insightful questions. Many white-box detectors are less fragile than their black-box counterparts. This may be because, in the white-box setting, the surrogate model is assumed to be identical to the source model. In other words, the surrogate model has more knowledge of the source model compared to the black-box setting, making the detectors more robust against attacks than in the black-box scenario. When selecting the scoring detectors, we prioritized Fast-DetectGPT due to its speed and accuracy, allowing it to efficiently score hundreds of text pairs.

4. (W2, S4) Given the constraints on both the detector and the training data, the attack is very likely to be limited in scope. While the paper presents some interesting results suggesting generalizability, we should expect that it won’t extend broadly in practice. Discuss potential limitations on the generalizability of the approach more explicitly.

Response: Thanks for the suggestion. Theoretically, a weak detector yields relatively low reward for human-generated texts, while machine-generated texts are given relatively high reward, resulting in a reduced gap between the two. Hence an attacker can more easily bypass the detector and overfit to the weak scoring detector. Therefore at deployment, when faced with a strong target detector, the attacker's performance will suffer. Empirically, we have found that using LRR as the scoring detector does not yield a comparable relative drop in AUROC compared to using Fast-DetectGPT, as shown in Appendix J: Analysis of Scoring Detector. To summarize, our attackers trained on a weak scoring detector cannot perform well in the face of a strong target detector, though we surmise this gap may be simply due to the lack of high-quality human-machine labels without access to strong scoring detectors and may hence be unavoidable.

5. (W3, Q5, S6, S7) The paper uses models that are very close in architecture and scale (e.g., Llama2-13B vs. Llama2-7B). It’s unclear whether a smaller model from a different family could yield similar attack results. Can we use smaller models with different architecture to attack? Conduct experiments using smaller models from different architectural families as the proxy attacker.Discuss the potential impact of model architecture and size differences on the attack's effectiveness

Response: Thanks for the insightful comments. In our work, we primarily consider the LLM and SLM share the same vocabulary. To study the sensitivity of model size, we fine-tuned a Llama2-13B, a Llama2-7B and a TinyLlama-1.1B [R1] as the SLM respectively. We use Roberta-large as the scoring detector and evaluate on the Roberta-base on the Writing dataset, the attack ratio $\alpha$ is set to 1.5. The results are as follows:

We find that different SLMs exhibit varying levels of effectiveness when attacking the LLM, with Llama2-13B being the most effective choice. This suggests that when selecting an SLM for such attacks, we need to consider its capability; stronger SLMs tend to demonstrate better evasion performance.

In the decoding-time of next-token sampling, the logarithm adding between the encoded logits from the LLM and SLM (in Equation 5) requires the LLM and the SLM share the same tokenizer. Therefore, we only consider the same family of architectures which share the same vocabulary. To address scenarios where the LLM and SLM come from different model families with dissimilar vocabularies, we can adopt the technique described in [R2]. In this approach, we keep the humanized SLM frozen as the reward model while fine-tuning the source LLM. During the fine-tuning process of the source LLM, we sample response pairs $(y_l, y_l^{'})$ from the LLM, which are used as inputs for both the target LLM and the reward SLM. We perform DPO fine-tuning on Phi-3.5-mini-instruct using the scoring detector Roberta-large. We then apply this reward model to guide the fine-tuning [R2] of the source model Llama2-13B for 3 epochs. The performance of the unattacked source Llama2-13B and the attacked Llama2-13B by humanized Phi-3.5-mini, tested using Roberta-base on the Writing dataset, is as follows:

We find that the source model can be attacked by a humanized SLM from a different family. However, since this technique requires fine-tuning both the source LLM and the SLM, we did not include it in our paper. We leave systematic explorations on attacking LLMs from different model families without fine-tuning for future work to maintain our focus on the fragility of zero-shot detectors, the ease of efficiently attacking an LLM by fine-tuning only a small model, the equivalence between attacking the source LLM and attacking by an humanized SLM, and the preservation of generation utility.

[R1] Zhang, P., Zeng, G., Wang, T., & Lu, W. (2024). Tinyllama: An open-source small language model. arXiv preprint arXiv:2401.02385.

[R2] Gao, Z., Chang, J. D., Zhan, W., Oertell, O., Swamy, G., Brantley, K., ... & Sun, W. (2024). Rebel: Reinforcement learning via regressing relative rewards. arXiv preprint arXiv:2404.16767.

Dear reviewer BPF1 ,

Thank you for taking the time to review our work and providing detailed feedback. In the following, we aim to address your questions and concerns.

1. (W1, Q1, Q2, S1, S2) Please specify the assumptions underlying the theorems, and discuss the practical implications of these assumptions not being fully met in real-world scenarios, especially as pertaining to the following questions: What if the detector's score does not accurately reflect the human-ness of texts? What if the detector does not give higher rewards to more human text, or the source LLM generates texts with similar rewards as human texts? For the proposed attacks, are there any requirements on the scale of the reward difference?

Response: We thank the reviewer for the great questions. First, as the reviewer correctly points out, it is natural to assume that a detector cannot fully reflect the human-ness of texts. Crucially, in this case human-generated texts do not achieve optimal rewards according to the detector. When trained according to such a detector, one cannot expect a proxy attacker to produce texts that completely resemble human texts. In fact, this is part of Assumption A.1 for Lemma (Theorem) 3.1:

Assumption 1. The human text generation process $H$ does not achieve optimal reward according to the detector $D$.

This gap signifies the effectiveness of the detector in that, generally, the smaller this gap is, the larger the reward and the more optimal human-generated texts are according to the detector, and hence the more aligned the detector is to human-generated texts. Note that a possible confusion here is that this assumption means human-like texts will receive a smaller reward than the best possible reward, which may be unintuitive. The second assumption we made is that:

Assumption 2. The detector gives higher rewards to human texts than texts generated by pre-trained LLM, which is what an effective detector should be able to achieve.

These two gaps (pre-trained LM < human < detector’s optimal) are all that is needed for our result to hold. Intuitively, by fine-tuning the LM with DPO, we can increase the expected reward of LM to a comparable level as humans, but not so much as to overfit to the detector and suffer a loss in quality. A contradiction to these assumptions would suggest, respectively, that the detector is perfectly aligned with human-ness of texts, or that the pre-trained LLM is already capable of evading the detector, nullifying the need for an attacker.

The “optimal” $\beta$ in Lemma 3.1 achieves the exact same expected reward as the human-generated process, which is a sweet spot in theoretical analysis. However, as per our discussion after the lemma, in reality $\beta$ controls the trade-off between quality (similarity to teacher) and performance (ability to evade detection), which also effectively prevents overfitting to the detector.

In light of this question, we have restated Assumption A.1 to emphasize the two expected reward gaps in the revised paper.

2. (W1, S3) Theorem 3.2 essentially shows that the student model is just a less optimized (in terms of utility) version of the teacher, which doesn’t necessarily make it "good quality". Provide additional empirical evidence or analysis to support the theoretical claims, especially regarding quality preservation in Theorem 3.2.

Response: Thanks for the constructive suggestion. While it is difficult to quantify the quality of attacker-generated texts, note that as the attack ratio $\alpha$ goes from $0$ to $\infty$, the model $M’$ gradually and continuously shifts away from the reference teacher model $M$ with increased evasion performance, which means with a small $\alpha$ the quality will be largely preserved.

Practically, we mainly demonstrate the quality of our attacker texts in Table 1, where the generation utilities of texts produced by HUMPA and the source model are within the budget of $\Delta S_{Bert}\leq 0.02$ and $\Delta \text{ROUGE-1} \leq 0.03$. This suggests that HUMPA is capable of detecting evasion without a significant loss in utility.

3. (Q1, S9) What happens to the attacker if the detector's score does not accurately reflect the human-ness of texts? Analyze and discuss how the choice of scoring detector impacts the attack's performance.

Response: Thanks for the great question. Continuing on our discussion of Assumption 1, the weaker the detector is, the lower its reward is for human-generated texts, and the easier it is for an attacker to bypass the detector. However, since the scoring detector is often different from the target detector, this will result in a relatively weaker attacker according to the (stronger) target detector, which will decrease the attacker’s performance. We show this empirically in the Response 6, and include a section of "Analysis of Scoring Detector" in Appendix J.

Thanks to the authors for the follow-up. Although what I meant (for my first point about GPTzero) is to discuss the attack's practical implications considering commercial APIs/tools, the current results look good.

Dear reviewer BPF1,

Thanks for following up and providing constructive suggestions.

In the revised manuscript, we have included the utility of all methods in Table 8 (refer to the Table in Response 8) and discussed the trade-off between evasion performance and utility in Appendix G. Additionally, we have included the GPTZero results in Table 9 and have discussed it in Appendix G. We would like to follow up to see if we address your concerns or if you have further questions. We sincerely appreciate your insightful comments and constructive suggestions during the rebuttal.