It is well known that natural language models are vulnerable to adversarial attacks, which are mostly input-specific in nature. Recently, it has been shown that there also exist input-agnostic attacks in NLP models, called universal adversarial triggers. However, existing methods to craft universal triggers are data intensive. They require large amounts of data samples to generate adversarial triggers, which are typically inaccessible by attackers. For instance, previous works take 3000 data samples per class for the SNLI dataset to generate adversarial triggers. In this paper, we present a novel data-free approach, MINIMAL, to mine input-agnostic adversarial triggers from models. Using the triggers produced with our data-free algorithm, we reduce the accuracy of Stanford Sentiment Treebank's positive class from 93.6% to 9.6%. Similarly, for the Stanford Natural Language Inference (SNLI), our single-word trigger reduces the accuracy of the entailment class from 90.95% to less than 0.6\%. Despite being completely data-free, we get equivalent accuracy drops as data-dependent methods.

翻译：众所周知,自然语言模型很容易受到对抗性攻击,而这种攻击大多是针对具体投入的。最近,人们发现,在NLP模型中,也有称为通用对抗触发器的输入-不可知性攻击。然而,现有的制造通用触发器的方法是数据密集的。它们需要大量的数据样本来产生对抗性触发器,而攻击者通常无法进入。例如,以前的工作为SNLI数据集每类取3000个数据样本,以产生对抗性触发器。在本文中,我们提出了一种全新的无数据方法,MINIMAL,即对模型中的地雷输入-不可知性对抗触发器。我们利用用无数据算法生成的触发器,将斯坦福感应树库的正值从93.6%降低到9.6%。同样,对斯坦福自然语言推断(Snastinfast)来说,我们的单字触发器降低了需要级的精确度,从90.95%降低到不到0.6 ⁇ 。尽管我们完全没有数据,但我们作为数据依赖方法,但我们得到同样的精确度下降。