Adversarial text attack research is useful for testing the robustness of NLP models, however, the rise of transformers has greatly increased the time required to test attacks. Especially when researchers do not have access to adequate resources (e.g. GPUs). This can hinder attack research, as modifying one example for an attack can require hundreds of queries to a model, especially for black-box attacks. Often these attacks remove one token at a time to find the ideal one to change, requiring $n$ queries (the length of the text) right away. We propose a more efficient selection method called BinarySelect which combines binary search and attack selection methods to greatly reduce the number of queries needed to find a token. We find that BinarySelect only needs $\text{log}_2(n) * 2$ queries to find the first token compared to $n$ queries. We also test BinarySelect in an attack setting against 5 classifiers across 3 datasets and find a viable tradeoff between number of queries saved and attack effectiveness. For example, on the Yelp dataset, the number of queries is reduced by 32% (72 less) with a drop in attack effectiveness of only 5 points. We believe that BinarySelect can help future researchers study adversarial attacks and black-box problems more efficiently and opens the door for researchers with access to less resources.

翻译：对抗性文本攻击研究对于测试自然语言处理模型的鲁棒性具有重要价值，然而Transformer架构的兴起显著增加了攻击测试所需的时间。当研究者缺乏充足计算资源（例如GPU）时尤为突出。这可能会阻碍攻击研究的发展，因为针对单个样本的攻击优化通常需要对模型进行数百次查询，在黑盒攻击场景下更是如此。现有方法通常逐词元移除以确定最佳修改位置，仅此步骤就需要立即执行$n$次查询（即文本长度）。本文提出一种名为BinarySelect的高效选择方法，该方法融合二分搜索与攻击选择策略，可大幅降低定位待修改词元所需的查询次数。我们发现BinarySelect仅需$\text{log}_2(n) * 2$次查询即可定位首个词元，而传统方法需要$n$次查询。我们在3个数据集上对5个分类器进行攻击实验，结果表明该方法在查询次数缩减与攻击效能之间实现了有效平衡。以Yelp数据集为例，查询次数减少32%（降低72次），而攻击效能仅下降5个百分点。我们相信BinarySelect能够帮助未来研究者更高效地研究对抗攻击与黑盒问题，并为资源受限的研究者开启新的研究可能。