SCALA: Towards Imperceptible and Efficient Black-box Textual Adversarial Perturbations

By Siqi Sun, Achim D. Brucker, Jia Hu, Xiaowei Huang, and Wenjie Ruan.

Deep learning models are intrinsically susceptible to textual adversarial attacks on social media, where the perturbed text can trigger aberrant behaviours of victim models and threaten security and privacy. In this paper, we present a novel word-level attack called SCALA: a Synonym-based desCending And repLace-back Ascending mechanism. Our focus is on the efficient production of adversarial examples, with a particular emphasis on minimizing human perceptibility while ensuring the visual resemblance and semantic correctness. The merits of our attacking solution lie in being: (i) imperceptible it keeps a very low word perturbation rate based on the Hamming (L0-norm) distance, thus achieving heightened deceptiveness validated through human evaluations; (ii) efficient our tensor-based parallelization strategy ensures the attacking efficiency compared with baselines; (iii) effective it surpasses seven state-of-the-art attacks on five target models in terms of reducing after-attack accuracy; (iv) practical black-box score-based setting ensures that the adversary only needs to query target models for confidence scores; and (v) transferable our attack shows competitive transferability on the generated adversarial examples. We release our code SCALA via https://github.com/TrustAI/SCALA.

Keywords:
Perturbation methods;Closed box;Computational modeling;Semantics;Safety;Robustness;Predictive models;Hamming distances;Visualization;Computer vision;Model vulnerability;Natural Language Processing;adversarial attacks;black-box setting;word-level perturbations

Please cite this work as follows:
S. Sun, A. D. Brucker, J. Hu, X. Huang, and W. Ruan, “SCALA: Towards imperceptible and efficient black-box textual adversarial perturbations,” IEEE Transactions on Information Forensics and Security, pp. 1–1, 2025, doi: 10.1109/TIFS.2025.3629604.

BibTeX

@Article{ sun.ea:scala:2025,
  author   = {Siqi Sun and Achim D. Brucker and Jia Hu and Xiaowei Huang
              and Wenjie Ruan},
  journal  = {IEEE Transactions on Information Forensics and Security},
  title    = {{SCALA}: Towards Imperceptible and Efficient Black-box
              Textual Adversarial Perturbations},
  year     = {2025},
  volume   = {},
  areas    = {security},
  number   = {},
  pages    = {1--1},
  keywords = {Perturbation methods;Closed box;Computational
              modeling;Semantics;Safety;Robustness;Predictive models;Hamming
              distances;Visualization;Computer vision;Model
              vulnerability;Natural Language Processing;adversarial
              attacks;black-box setting;word-level perturbations},
  doi      = {10.1109/TIFS.2025.3629604},
  abstract = {Deep learning models are intrinsically susceptible to textual
              adversarial attacks on social media, where the perturbed text
              can trigger aberrant behaviours of victim models and threaten
              security and privacy. In this paper, we present a novel
              word-level attack called SCALA: a Synonym-based desCending And
              repLace-back Ascending mechanism. Our focus is on the
              efficient production of adversarial examples, with a
              particular emphasis on minimizing human perceptibility while
              ensuring the visual resemblance and semantic correctness. The
              merits of our attacking solution lie in being: (i)
              imperceptible  it keeps a very low word perturbation rate
              based on the Hamming (L0-norm) distance, thus achieving
              heightened deceptiveness validated through human evaluations;
              (ii) efficient  our tensor-based parallelization strategy
              ensures the attacking efficiency compared with baselines;
              (iii) effective  it surpasses seven state-of-the-art
              attacks on five target models in terms of reducing
              after-attack accuracy; (iv) practical  black-box
              score-based setting ensures that the adversary only needs to
              query target models for confidence scores; and (v)
              transferable  our attack shows competitive transferability
              on the generated adversarial examples. We release our code
              SCALA via https://github.com/TrustAI/SCALA.},
}

[ DOI | BibTeX | EndNote | RIS | Word ]