RAFT: Realistic Attacks to Fool Text Detectors

Setup: Given a text passage ${\bf X}$ consisting of $N$ words $[x_{1},\dots,x_{N}]$, we consider a black-box detector $D({\bf X})\in[0,1]$ that predicts whether the input ${\bf X}$ is machine-generated or human-written. A higher $D({\bf X})$ score indicates a greater likelihood that ${\bf X}$ is machine-generated. We denote $\tau$ as the detection threshold, such that ${\bf X}$ is classified as machine-generated if $D({\bf X})\geq\tau$.

Adversarial Attack for LLM Detector: The goal of the attack is to perturb the input passage ${\bf X}$ into ${\bf X}^{\prime}$ such that $D({\bf X}^{\prime})$ incorrectly classifies ${\bf X}^{\prime}$ as human written, while ensuring that ${\bf X}^{\prime}$ remains indistinguishable from human-written text when manually reviewed. To preserve semantic similarity between ${\bf X}$ and ${\bf X}^{\prime}$, the number of words to be substituted is constrained to $k\%$ of ${\bf X}$. Additionally, to maintain grammatical correctness and fluency, ${\bf x}_{i}$ and ${\bf x}^{\prime}_{i}$ must have consistent part-of-speech (Brill, 1995). We formulate the attack on the LLM Detector ${\bf D}$ as a constrained minimization problem, with the objective to modify ${\bf X}$ such that $D({\bf X}^{\prime})\leq\tau$:

where $pos({\bf x}_{i})$ returns the part-of-speech label of any word ${\bf x}_{i}$ and $s(\cdot)$ is a word substitution generator that outputs $t$ candidates for ${\bf x}_{i}$ using the surrounding context in ${\bf X}$.

Finding Important Words for Substitution using a Proxy Task Embedding Objective: We capitalize on Freestone and Santu (2024)’s observations that LLMs share similar latent semantic spaces and perform similarly on semantic tasks. To effectively minimize $D({\bf X}^{\prime})$, we use a white-box LLM $M$ to perform a word-level task ${\bf F}$ that generates a score ${\bf f}_{i}$ for each word that acts as a proxy signal for selecting words to replace, where $M$ does not necessarily need to be the same source LLM model used to generate ${\bf X}$. We choose LLM embedding tasks correlated with identifying words that would alter the statistical properties of the machine-generated text, such as next-token generation and supervised LLM text detection. From ${\bf F}$, we choose

where ${\bf X}_{k}$ is the subset of ${\bf k}\%$ words in ${\bf X}$ to perturb from.

Constraints for Realistic Generation: To perturb words in ${\bf X}_{k}$ while ensuring that ${\bf X}$ remains indistinguishable to a human evaluator as machine-generated, we constrain the replacement words such that they must not induce grammatical errors and are semantically consistent with the original text. We use GPT-3.5-Turbo OpenAI (2024b) as our word substitution candidate generator by prompting it with the word to replace and its surrounding context using the following prompt:

Using an LLM for word substitution allows us to conveniently obtain context-compatible candidates in one step, instead of needing to compute candidates using word embeddings followed by an additional model to check context compatibility (Alzantot et al., 2018). After retrieving $t$ replacement candidates from GPT-3.5-Turbo, we filter out words that have inconsistent part-of-speech with the original word by using the NLTK library (Bird et al., 2009) and then select the candidate that minimizes $D$.

We set $k$ to 10% across all experiments to evaluate the effectiveness of our attack with a limited number of changes. We evaluate the effectiveness of using language modeling heads for next-token generation and supervised LLM detection tasks as proxy scoring models to optimally select words to substitute in ${\bf X}$. For next-token generation, we use the probability of the next token being $X_{i}$ from the language modeling head as the proxy objective. Intuitively, replacing tokens with the highest likelihood from the LLM allows us to alter the statistical properties of the machine-generated text most effectively. For LLM detection, we iteratively compute the importance of each word based on the decrease in detection score $D({\bf X})$ by assigning 0 to its corresponding tokens in the detector’s attention mask, and ranking the score changes in descending order, where the word that yields a higher absolute change in detector score is considered to be more important for detection.

Datasets: We use three datasets to cover a variety of domains and use cases. We use 200 pairs of human-written and LLM-generated samples from each of the XSum (Narayan et al., 2018) and SQuAD (Rajpurkar et al., 2016) datasets generated by Bao et al. (2024) using GPT-3.5-turbo. Additionally, we use the ArXiV Paper Abstract dataset (Mao et al., 2024) which contains 350 abstracts generated using GPT-3.5-turbo from ICLR conference papers.

Metrics: We use the Area Under the Receiver Operating Characteristic Curve (AUROC) to summarize detection accuracy for our attack framework under various thresholds. We also measure the True Positive Rate at a 5% False Positive Rate (TPR at 5% FPR), as it is imperative in this context for human-written text to not be misclassified as machine-generated text. To measure text quality, we measure the perplexity of the attacked text against GPT-NEO-2.7B (Gao et al., 2021).

We use the language modeling heads of GPT-2 (Radford et al., 2019), OPT-2.7B (Zhang et al., 2022), GPT-NEO-2.7B (Gao et al., 2021), and GPT-J-6B (Wang and Komatsuzaki, 2021) for next-token generation, and the RoBERTa-base and RoBERTa-large supervised GPT-2 detector models (Solaiman et al., 2019) for LLM detection as proxy tasks to rank which words from the original text to substitute. We present results for OPT-2.7B and RoBERTa-large proxy scoring models in Table 1 and the rest in Table A.1.

We evaluate our attack against a variety of target detection methods:
Log Likelihood (Gehrmann et al., 2019) is a classical threshold-based zero-shot method where passages with higher log probability scores are more likely to have been generated by the target LLM.
Log Rank (Solaiman et al., 2019) is a classical threshold-based zero-shot method where passages with above average rank are more likely to have been generated by the target LLM.
DetectGPT (Mitchell et al., 2023) is a state-of-the-art zero-shot detector that leverages the likelihood of generated texts to perform thresholding for detecting machine-generated text.
Fast-DetectGPT (Bao et al., 2024) is a state-of-the-art detector that improves upon DetectGPT by introducing conditional probability curvature to underscore discrepancies in word choices between LLMs and humans to improve detection performance and computational speed.
Ghostbusters (Verma et al., 2024) is a state-of-the-art detector that uses probabilistic outputs from LLMs to construct features to train an optimal detection classifier.
Raidar (Mao et al., 2024) is a state-of-the-art detector that uses prompt rewriting and an output’s edit distance to gain additional context about the input.

We compare our attack method with DIPPER (Krishna et al., 2023), a paraphrase generation model using settings of 20 lexical diversity and 60 order diversity. This corresponds to about 20% lexical modification – the minimum modification we can set on this method. We also compare with Shi et al. (2024)’s query-based word substitution attack and limit the number of substituted words to be at most 10% to match our substitution frequency.

Tables 1 and 2 demonstrate that our attack effectively compromises all tested detectors while causing only a modest change in perplexity from the original machine-generated text. Using next-token generation with OPT-2.7B and LLM detection with RoBERTa-large as proxy scoring models for RAFT achieved lower AUROC across all datasets and target detectors when compared to the original text, and in most cases, lower than both DIPPER and Shi et al. (2024)’s query-based word substitution. Although DIPPER preserves the text quality better in terms of perplexity, its AUROC is significantly higher than RAFT and Shi et al. (2024)’s attack. The TPR at 5% FPR was 0 for almost all RAFT attacked text, which we present in Table A.2. For more insight, we present the ROC curve for our experiments in Figure 6. Between Shi et al. (2024)’s query-based attack and our method, RAFT consistently yields lower perplexity scores across all scenarios. Raidar stands out as the most robust detector against attacks, likely due to the unique edit distance of rewriting used in the approach. Qualitative results shown in Figures 1 and 3 highlight our method’s semantic consistency and language fluency. Additionally, cosine similarity calculations between the original and perturbed texts shown in Table 3 using state-of-the-art LLMs Mistral-7B-v0.3 Jiang et al. (2023) and Llama-3-8B Dubey et al. (2024) highlight their strong semantic similarity. We also show in Figure 2 that our attack effectively alters the distribution of detection likelihood scores, diverging from the distribution associated with the machine-generated text, thereby subverting detection.

To validate that RAFT preserves text quality, we conducted a crowd-sourced human evaluation using Amazon Mechanical Turk (MTurk). We selected the first 100 pairs of human-written and GPT-3.5-Turbo-generated texts from the XSum, SQuAD, and Abstract datasets. After applying RAFT to the LLM-generated text, three MTurk workers evaluated each pair of original human-written and RAFT-modified texts, indicating their preference for one of them or expressing no preference. RAFT’s perturbations were deemed indistinguishable from human-written text if two or more annotators either preferred the perturbed text or were indifferent. To ensure English proficiency, we included a screening question using a text comparison task sourced from the ETS TOEFL website. Out of valid 396 responses, 185 preferred the human-written texts, 182 were indifferent, and 29 responses were excluded for rating both texts as low quality. A two-tailed binomial test yielded a p-value of 0.917 at $\alpha<0.05$, supporting the null hypothesis that the two texts are indistinguishable. The Fleiss’ kappa was 0.774, indicating strong agreement among annotators.

We perform ablation studies to evaluate the isolated effectiveness of the proxy scoring model (ranking) and the greedy selection of generated POS-consistent replacement words aimed at subverting detection (optimization). For brevity, we refer to these two methods as "ranking" and "optimization", respectively. As shown in Table 5, the study is conducted under four settings: neither ranking nor optimization, ranking only, optimization only, and both ranking and optimization. The results indicate that ranking is about as effective as optimization, significantly reducing AUROC when applied, supporting the idea that LLM embeddings are transferable. However, the effects of ranking and optimization are not necessarily additive.

We evaluate the effectiveness of replacing GPT-3.5-Turbo with a traditional Word2Vec embedding model Mikolov et al. (2013a). Specifically, we use the Word2Vec model trained on Google News corpus, which contains 1 billion words Mikolov et al. (2013b), to locally retrieve $t=10$ POS-consistent synonyms as word replacement candidates. We show in Table 4 that using a word embedding model instead of an LLM also produces effective results.

We evaluate the performance and text quality of RAFT across various masking percentages. Figure 4 shows that the AUROC stabilizes around 0 when the masking percentage reaches 10%, accompanied by a moderate increase in perplexity. Masking percentages exceeding 15% are unnecessary and lead to a significant degradation in text quality.

We study the effectiveness of RAFT under different source generation models. We evaluate its effectiveness on text generated using GPT-3.5-Turbo, Llama-3-70B (Touvron et al., 2023), and Mixtral-8x7B-Instruct (Jiang et al., 2024), which represent a set of LLMs of varying size, architecture, and trained corpora. We utilize the same generation parameters as those employed by Bao et al. (2024) for producing the GPT-3.5-turbo generated XSum and SQuAD datasets for Llama-3-70B and Mixtral-8x7B-Instruct. We show in Figure 7 that RAFT remains highly effective when next-token generation is used as a proxy task with OPT-2.7B, GPT-NEO-2.7B, GPT-J-6B embeddings model for subverting detection against Log Rank, RoBERTa-large, and Fast-DetectGPT detectors.

We study the transferability of RAFT-attacked text across various detectors. We evaluate the attacked text generated by using OPT-2.7B next-token generation and RoBERTa-large LLM detection proxy scoring tasks optimized against LogRank and DetectGPT detectors on GhostBuster and Fast-DetectGPT. The results, presented in Table A.3, show that the AUROC only decreases slightly, suggesting that our attack is highly transferable.

We present evidence that our attack not only effectively subverts detectors but can also enhance their robustness through adversarial training. As shown in Table 7, after the Raidar detector undergoes adversarial training on RAFT-attacked text, it consistently demonstrates a significant increase in detection performance under attack compared to the performance decrease observed before retraining. For the Abstract dataset, the AUROC for both attacked and non-attacked text samples increases, indicating that RAFT can enhance the robustness of existing detectors through adversarial training. We present this as an important direction for future research.