Current adversarial attack algorithms, where an adversary changes a text to fool a victim model, have been repeatedly shown to be effective against text classifiers. These attacks, however, generally assume that the victim model is monolingual, and therefore cannot be used to target multilingual victim models, a significant limitation given the increased use of these models. For this reason, in this work we propose an approach to fine-tune a multilingual paraphrase model with an adversarial objective so that it becomes able to generate effective adversarial examples against multilingual classifiers. The training objective incorporates a set of pre-trained models to ensure text quality and language consistency of the generated text. In addition, all the models are suitably connected to the generator by vocabulary-mapping matrices, allowing for full end-to-end differentiability of the overall training pipeline. The experimental validation over two multilingual datasets and five languages has shown the effectiveness of the proposed approach compared to existing baselines, particularly in terms of query efficiency. We also provide a detailed analysis of the generated attacks and discuss limitations and opportunities for future research.