Effectiveness of Static Text Adversarial Methods on Continuously Updating Models

Deep neural networks developed for natural language processing tasks have shown to be vulnerable to attacks, and a variety of text adversarial methods have been proposed so far for the purpose of enhancing the attack success rates and attack efficiency in such natural language processing applications. These methods have good attack success rates and efficiency, and can stably generate successful adversarial samples for a “static” victim model (i.e., a fixed model). In reality, as the training data are continually generated, the models will also be continuously updated. Whether the current adversarial attack methods can maintain their performance for these “dynamic” victim models is an open question. In this paper, we design a new task and investigate the performance of static text adversarial attack methods in continuously updating model scenarios. To standardize this task, we propose a comprehensive evaluation framework consisting of two novel experimental methods, three new metrics, and a lightweight dynamic baseline. This framework explicitly decouples the assessment of dynamic attack performance into direct effectiveness and iterative persistence. Extensive experiments on two victim models on three datasets show that a continuously updating model leads to a significant degradation in the performance of static adversarial attack methods. Moreover, the results demonstrate that our framework precisely characterizes the temporal variations of attack performance, confirming its effectiveness and necessity.