2.1 Adversarial examples in NLP

Searching for adversarial examples can be seen within wider efforts to investigate the robustness of ML models, that is their ability to maintain good performance when confronted with data instances unlike those seen in training: anomalous, rare, adversarial or edge cases. This effort is especially important for deep learning models, which are not inherently interpretable, making it harder to predict their behaviour at the design stage. The seminal work on the subject by Szegedy et al. Reference Szegedy, Zaremba, Sutskever, Bruna, Erhan, Goodfellow and Fergus(2013) demonstrated the low robustness of neural networks used to recognise images. The adversarial examples were prepared by adding specially prepared noise to the original image, which forced the change of the classifier’s decision even though the changes were barely perceptible visually and the original label remained valid.

Given the prevalence of neural networks in language processing, a lot of work has been done on investigating AEs in the context of NLP tasks (Zhang et al. Reference Zhang, Sheng, Alhazmi and Li2020b), but the transition from the domain of images to text is far from trivial. Firstly, it can be a challenge to make changes small enough to the text, such that the original label remains applicable—there is no equivalent of imperceptible noise in text. The problem has been approached on several levels: of characters, making alterations that will likely remain unnoticed by a reader (Gao et al. Reference Gao, Lanchantin, Soffa and Qi2018; Eger et al. Reference Eger, Şahin, Rücklé, Lee, Schulz, Mesgar, Swarnkar, Simpson and Gurevych2019); of words, replaced while preserving the meaning by relying on thesauri (Ren et al. Reference Ren, Deng, He and Che2019) or language models (Jin et al. Reference Jin, Jin, Zhou and Szolovits2020; Li et al. Reference Li, Ma, Guo, Xue and Qiu2020) and, finally, of sentences, by employing paraphrasing techniques (Iyyer et al. Reference Iyyer, Wieting, Gimpel and Zettlemoyer2018; Ribeiro, Singh, and Guestrin Reference Ribeiro, Singh and Guestrin2018). Secondly, the discrete nature of text means that methods based on exploring a feature space (e.g. guided by a gradient) might suggest points that do not correspond to real text. Most of the approaches solve this by only considering modifications on the text level, but there are other solutions, for example finding the optimal location in the embedding space followed by choosing its nearest neighbour that is a real word (Gong et al. Reference Gong, Wang, Li, Song and Ku2018), or generating text samples from a distribution described by continuous parameters (Guo et al. Reference Guo, Sablayrolles, Jégou and Kiela2021). Note that these solutions are evaluated on different datasets, making it hard to compare their performance. We are aware of only one previous attempt to establish a reusable benchmark (Yoo et al. Reference Yoo, Kim, Jang and Kwak2022), which relies on datasets for the classification of topics and sentiment.

Apart from AE generation, a public-facing text classifier may be subject to many other types of attacks, including manipulations to output desired value when a trigger word is used (Bagdasaryan and Shmatikov Reference Bagdasaryan and Shmatikov2022) or perform an arbitrary task chosen by the attacker (Neekhara et al. Reference Neekhara, Hussain, Dubnov and Koushanfar2019). Finally, verifying the trustworthiness of a model aimed for deployment should also take into account undesirable behaviours exhibited without adversarial actions, for example its response to modification of protected attributes, such as gender, in the input (Srivastava et al. Reference Srivastava, Lakkaraju, Bernagozzi and Valtorta2023).

2.2 Robustness of credibility assessment

The understanding that some deployment scenarios of NLP models justify expecting adversary actions predates the popularisation of deep neural networks, with the first considerations based on spam detection (Dalvi et al. Reference Dalvi, Domingos, Mausam and Verma2004). The work that followed was varied in the explored tasks, attack scenarios and approaches.

The first attempts to experimentally verify the robustness of misinformation detection were based on simple manual changes (Zhou et al. Reference Zhou, Guan, Bhat and Hsu2019). The approach of targeting a specific weakness and manually designing rules to exploit it has been particularly popular in attacking fact-checking solutions (Thorne et al. Reference Thorne, Vlachos, Christodoulopoulos and Mittal2019; Hidey et al. Reference Hidey, Chakrabarty, Alhindi, Varia, Krstovski, Diab and Muresan2020).

In the domain of social media analysis, Le et al. Reference Le, Wang and Lee(2020) have examined the possibility of changing the output of a text credibility classifier by concatenating it with adversarial text, for example added as a comment below the main text. The main solution was working in the white-box scenario, with the black-box variant made possible by training a surrogate classifier on the original training data.Footnote ^d It has also been shown that social media bot detection using AdaBoost is vulnerable to adversarial examples (Kantartopoulos et al. Reference Kantartopoulos, Pitropakis, Mylonas and Kylilis2020). Adversarial scenarios have also been considered with user-generated content classification for other tasks, for example hate speech or satire (Alsmadi et al. Reference Alsmadi, Ahmad, Nazzal, Alam, Al-Fuqaha, Khreishah and Algosaibi2022).

Fake news corpora have been used to verify the effectiveness of AE generation techniques, for example in the study introducing TextFooler (Jin et al. Reference Jin, Jin, Zhou and Szolovits2020). Interestingly, the study has shown that the classifier for fake news was significantly more resistant to attacks compared to those for other tasks, that is topic detection or sentiment analysis. This task also encouraged exploration of vulnerability to manually crafted modifications of input text (Jaime, Flores, and Hao Reference Jaime, Flores and Hao2022). In general, the fake news classification task has been a common subject of robustness assessment, involving both neural networks (Ali et al. Reference Ali, Khan, AlGhadhban, Alazmi, Alzamil, Al-utaibi and Qadir2021; Koenders et al. Reference Koenders, Filla, Schneider and Woloszyn2021) and non-neural classifiers (Brown et al. Reference Brown, Richardson, Smith, Dozier and King2020; Smith et al. Reference Smith, Brown, Dozier and King2021).

To sum up, while there have been several experiments examining the vulnerability of misinformation detection to adversarial attacks, virtually each of them has used a different dataset, a different classifier and a different attack technique, making it hard to draw conclusions and make comparisons. Our study is the first to analyse credibility assessment tasks and systematically evaluate their vulnerability to various attacks.

2.3 Resources for adversarial examples

The efforts of finding AEs are relatively new for NLP, and there exist multiple approaches to evaluation procedures and datasets. The variety of studies for the misinformation tasks is reflective of the whole domain—see the list of datasets used for evaluation provided by Zhang et al. Reference Zhang, Sheng, Alhazmi and Li(2020b). Hopefully, as the field matures, some standard practice measures will emerge, facilitating the comparison of approaches. We see BODEGA as a step in this direction.

Two types of existing efforts to bring the community together are worth mentioning. Firstly, some related shared tasks have been organised. The Build It Break It, The Language Edition task (Ettinger et al. Reference Ettinger, Rao, H. and Bender2017) covered sentiment analysis and question answering, addressed by both ’builders’ (building solutions) and ’breakers’ (finding adversarial examples). The low number of breaker teams—four for sentiment analysis and one for question answering—makes it difficult to draw conclusions, but the majority of deployed techniques involved manually inserted changes targeting suspected weaknesses of the classifiers. The FEVER 2.0 shared task (Thorne et al. Reference Thorne, Vlachos, Cocarascu, Christodoulopoulos and Mittal2018b), focusing on fact checking, had a ’Build-It’ and ’Break-It’ phases with a similar setup, except the adversarial examples were generated and annotated from scratch, with no correspondence to existing true examples, as in Build It Break It or BODEGA. The three valid submissions concentrated around manual introduction of issues known as challenging for automated fact checking, including multi-hop or temporal reasoning, ambiguous entities, arithmetic calculations and vague statements.

Secondly, two software packages were released to aid evaluation: TextAttack (Morris et al. Reference Morris, Lifland, Yoo, Grigsby, Jin and Qi2020) and OpenAttack (Zeng et al. Reference Zeng, Qi, Zhou, Zhang, Ma, Hou, Zang, Liu and Sun2021). They both provide a software skeleton for setting up the attack and implementations of several AE generation methods. A user can add the implementation of their own victims and attackers and perform the evaluation. BODEGA code has been developed based on OpenAttack by providing access to misinformation-specific datasets, classifiers and evaluation measures.

Figure 1. An overview of the evaluation of an adversarial attack using BODEGA. For each task, three datasets are available: development ( $X_{\text{dev}}$ ), training ( $X_{\text{train}}$ ), and attack ( $X_{\text{attack}}$ ). During an evaluation of an attack involving an Attacker and Victim models from the library of available models, the Attacker takes the text of the $i$ th instance from the attack dataset ( $x_i$ ), e.g. a news piece, and modifies it into an adversarial example ( $x_i^*$ ). The Victim model is used to assess the credibility of both the original ( $f(x_i)$ ) and modified text ( $f(x_i^*)$ ). The BODEGA score assesses the quality of an AE, checking the similarity between the original and modified sample ( $\text{sim}(x_i,x_i^*)$ ), as well as the change in the victim’s output ( $\text{diff}(f(x_i),f(x_i^*))$ ).

4.1 HN: hyperpartisan news

Solutions for news credibility assessment, sometimes equated with fake news detection, usually rely on one of three factors: (1) writing style (Horne and Adali Reference Horne and Adali2017; Przybyła, Reference Przybyła2020), (2) veracity of included claims (Vlachos and Riedel Reference Vlachos and Riedel2014; Graves Reference Graves2018) or (3) context of social and traditional media (Shu, Wang, and Liu Reference Shu, Wang and Liu2019; Liu and Wu Reference Liu and Wu2020).

In this task, we focus on the writing style. This means a whole news article is provided to a classifier, which has no ability to check facts against external sources, but has been trained on enough articles to recognise stylistic cues. The training data include numerous articles coming from sources with known credibility, allowing one to learn writing styles typical for credible and non-credible outlets.

Table 2. Examples of credible and non-credible content in each of the tasks: hyperpartisan news (HN), propaganda recognition (PR), fact checking (FC) and rumour detection (RD). See main text for references to data sources and labelling criteria

In BODEGA, we employ a corpus of news articles (Potthast et al. Reference Potthast, Kiesel, Reinartz, Bevendorff and Stein2018) used for the task of Hyperpartisan News Detection at SemEval-2019 (Kiesel et al. Reference Kiesel, Mestre, Shukla, Vincent, Adineh, Corney, Stein and Potthast2019). The credibility was assigned based on the overall bias of the source, assessed by journalists from BuzzFeed and MediaBiasFactCheck.com.Footnote ^e We use 1/10th of the training set (60,235 articles) and assign label $1$ (non-credible) to articles from sources annotated as hyperpartisan, both right- and left-wing.

See the first row of Table 2 for examples: credible from Albuquerque journal Footnote ^f and non-credible from Crooks and Liars.Footnote ^g

4.2 PR: propaganda recognition

The task of propaganda recognition involves detecting text passages, whose author tries to influence the reader by means other than objective presentation of the facts, for example by appealing to emotions or exploiting common fallacies (Smith Reference Smith1989). The usage of propaganda techniques does not necessarily imply falsehood, but in the context of journalism it is associated with manipulative, dishonest and hyperpartisan writing. In BODEGA, we use the corpus accompanying SemEval 2020 Task 11 (Detection of Propaganda Techniques in News Articles), with 14 propaganda techniques annotated in 371 newspaper articles by professional annotators (da San Martino et al. Reference da San Martino, Barrón-Cedeño, Wachsmuth, Petrov and Nakov2020).

Propaganda recognition is a fine-grained task, with SemEval data annotated on the token level, akin to a Named Entity Recognition task. In order to cast it as a text classification problem as others here, we split the text on sentence level and assign target label equal 1 to sentences overlapping with any propaganda instances and 0 to the rest. Because only the training subset is made publicly available,Footnote ^h we randomly extract 20 per cent of documents for attack and development subsets.

See the second row of Table 2 for examples—the credible fragment with no propaganda technique and the non-credible, annotated as including flag-waving.

4.3 FC: fact checking

Fact checking is the most advanced way human experts can verify credibility of a given text: by assessing the veracity of the claims it includes with respect to a knowledge base (drawing from memory, reliable sources and common sense). Implementing this workflow in AI systems as computational fact checking (Graves Reference Graves2018) is a promising direction for credibility assessment. However, it involves many challenges—choosing check-worthy statements (Nakov et al. Reference Nakov, Barrón-Cedeño, Da San Martino, Alam, Míguez, Caselli, Kutlu, Zaghouani, Li, Shaar, Mubarak, Nikolov and Kartal2022), finding reliable sources (Przybyła et al. Reference Przybyła, Borkowski and Kaczyński2022), extracting relevant passages (Karpukhin et al. Reference Karpukhin, Oguz, Min, Lewis, Wu, Edunov, Chen and Yih2020) etc. Here we focus on the claim verification stage. The input of the task is a pair of texts—target claim and relevant evidence—and the output label indicates whether the evidence supports the claim or refutes it. It essentially is Natural Language Inference (NLI) (MacCartney Reference MacCartney2009) in the domain of encyclopaedic knowledge and newsworthy events.

We use the dataFootnote ⁱ from FEVER shared task (Thorne et al. Reference Thorne, Vlachos, Cocarascu, Christodoulopoulos and Mittal2018a), aimed to evaluate fact-checking solutions through a manually created set of evidence-claim pairs. Each pair connects a one-sentence claim with a set of sentences from Wikipedia articles, including a label of SUPPORTS (the evidence justifies the claim), REFUTES (the evidence demonstrates the claim to be false) or NOT ENOUGH INFO (the evidence is not sufficient to verify the claim). For the purpose of BODEGA, we take the claims from the first two categories,Footnote ^j concatenating all the evidence text.Footnote ^k The labels for the test set are not openly available, so we use the development set in this role.

See the examples in the third row of Table 2: the credible instance, where combined evidence from two articles (titles underlined) supports the claim (after the arrow); and non-credible one, where the evidence refutes the claim.

4.4 RD: rumour detection

A rumour is an information spreading between people despite not having a reliable source. In the online misinformation context, the term is used to refer to content shared between users of social media that comes from an unreliable origin, for example an anonymous account. Not every rumour is untrue as some of them can be later confirmed by established sources. Rumours can be detected by a variety of signals (Al-Sarem et al. Reference Al-Sarem, Boulila, Al-Harby, Qadir and Alsaeedi2019), but here we focus on the textual content of the original post and follow-ups from other social media users.

In BODEGA we use the Augmented dataset of rumours and non-rumours for rumour detection (Han, Gao, and Ciravegna, Reference Han, Gao and Ciravegna2019), created from Twitter threads relevant to six real-world events (2013 Boston marathon bombings, 2014 Ottawa shooting, 2014 Sydney siege, 2015 Charlie Hebdo Attack, 2014 Ferguson unrest, 2015 Germanwings plane crash). The authors of the dataset started with the core threads annotated manually as rumours and non-rumours, then automatically augmented them with other threads based on textual similarity. We followed this by converting each thread to a flat feed of concatenated text fragments, including the initial post and subsequent responses. We set aside one of the events (Charlie Hebdo attack) for attack and development subsets, while others are included in the training subset.

See the last row of Table 2 for examples, both regarding the Charlie Hebdo shooting, but only the credible one is based on information from a credible source.

6.1 Semantic score

The first element used to measure meaning preservation is based on BLEURT (Sellam, Das, and Parikh Reference Sellam, Das and Parikh2020). BLEURT was designed to compute the similarity between a candidate and reference sentences in evaluating solutions for natural language generation tasks (e.g. machine translation). The underlying model is trained to return values between 1 (identical text) and 0 (no similarity).

BLEURT helps to properly assess semantic similarity; for example, replacing a single word with its close synonym will yield high score value, while using a completely different one will not. However, BLEURT is trained to interpret multi-word modifications (i.e. paraphrases) as well, leading to better correlation with human judgement than other popular measures, for example BLEU or BERTScore. This is possible thanks to fine-tuning using synthetic data covering various types of semantic differences, for example contradiction as understood in the NLI (Natural Language Inference) task. This is especially important for our usecase, helping to properly handle the situations where otherwise small modifications completely change the meaning of the text (e.g. a negation), rendering an AE unusable.

In BODEGA, we use the pyTorch implementation of BLEURT,Footnote ^l choosing the recommendedFootnote ^m BLEURT-20 variant. Since the score is only calibrated to the 0-1 range, other numbers can be produced as well. Thus, our semantic score is equal to BLEURT (clipped to 0-1 if necessary). Finally, since BLEURT is a sentence-level measure and our tasks involve longer text fragments,Footnote ⁿ we (1) split the text into sentencesFootnote ^o using LAMBO (Przybyła, 2022), (2) find the pairs of sentences from the original and modified text that are most similar using Levenshtein distance and (3) compute semantic similarities between sentence pairs, returning its average as semantic score.

6.2 Character score

Levenshtein distance is used to express how different one string of characters is from another. Specifically, it computes the minimum number of elementary modifications (character additions, removals, replacements) it would take to transform one sequence into another (Levenshtein Reference Levenshtein1966).

Levenshtein is a simple measure that does not take into account the meaning of the words. However, it is helpful to properly assess modifications that rely on graphical resemblance. For example, one family of adversarial attacks relies on replacing individual characters in text (e.g. call to ca $||$ ), altering the attacked classifier’s output. The low value of Levenshtein distance in this case represents the fact that such modification may be imperceptible for a human reader.

In order to turn Levenshtein distance $lev\_{dist}(a,b)$ into a character similarity score, we compute the following:

\begin{equation*} \text{Char}\_{\text{score}}(a, b) = 1 - \frac {lev\_{dist}(a, b)}{\max(|a|, |b|)} \end{equation*}

$\text{Char}\_{\text{score}}$ is between 0 and 1, with higher values corresponding to larger similarity, with $\text{Char}\_{\text{score}}(a, b) = 1$ if $a$ and $b$ are the same and $\text{Char}\_{\text{score}}(a, b) = 0$ if they have no common characters at all.

6.3 BODEGA score

The BODEGA score for a pair of original text $x_i$ and modified text $x^*_i$ is defined as follows:

\begin{align*} \text{BODEGA}\_{\text{score}}(x_i,x^*_i)& = \text{Con}\_{\text{score}}(x_i,x^*_i) \times \\ \text{Sem}\_{\text{score}}&(x_i,x^*_i) \times \text{Char}\_{\text{score}}(x_i,x^*_i), \end{align*}

where $\text{Sem}\_{\text{score}}(x_i,x^*_i)$ is semantic score; $\text{Char}\_{\text{score}}(x_i,x^*_i)$ is character score; and $\text{Con}\_{\text{score}}(x_i,x^*_i)$ is confusion score, which takes value $1$ when an adversarial example is produced and succeeds in changing the victim’s decision (i.e. $f(x_i)\neq f(x^*_i)$ ) and $0$ otherwise.

The overall attack success measure is computed as an average over BODEGA scores for all instances in the attack set available in a given scenario (targeted or untargeted). The success measure reaches 0 when the AEs bear no similarity to the originals, or they were not created at all. The value of 1 corresponds to the situation, unachievable in practice, when AEs change the victim model’s output with immeasurably small perturbation.

Many adversarial attack methods include tokenisation that does not preserve the word case or spacing between them. Our implementation of the scoring disregards such discrepancies between input and output, as they are not part of the intended adversarial modifications.

Apart from BODEGA score, expressing the overall success, the intermediate measures can paint a fuller picture of the strengths and weaknesses of a particular solution:

• • Confusion score—in how many of the test cases the victim’s decision was changed,

• • Semantic score—an average over the cases with changed decision,

• • Character score—an average over the cases with changed decision.

We also report the number of queries made to the victim, averaged over all instances.

7.1 BiLSTM

The recurrent network is implemented using the following layers:

• • An embedding layer, representing each token as vector of length 32,

• • Two LSTM (Hochreiter and Schmidhuber Reference Hochreiter and Schmidhuber1997) layers (forwards and backwards), using hidden representation of length 128, returned from the edge cells and concatenated as document representation of length 256,

• • A dense linear layer, computing two scores representing the two classes, normalised to probabilities through softmax.

The input is tokenised using BERT uncased tokeniser (see below). The maximum allowed input length is 512, with padding as necessary. For each of the tasks, a model instance is trained from scratch for 10 epochs by using Adam optimiser (Kingma and Ba Reference Kingma and Ba2015), a learning rate of 0.001 and batches of 32 examples each. The implementation uses PyTorch.

7.2 BERT

As a baseline pretrained language model, we use BERT in the base variant (Devlin et al. Reference Devlin, Chang, Lee and Toutanova2018). The model is fine-tuned for sequence classification using Adam optimiser with linear weight decay (Loshchilov and Hutter Reference Loshchilov and Hutter2019), starting from 0.00005, for 5 epochs. We use maximum input length of 512 characters and a batch size of 16. The training is implemented using the Hugging Face Transformers library (Wolf et al. Reference Wolf, Debut, Sanh, Chaumond, Delangue, Moi, Cistac, Rault, Louf, Funtowicz, Davison, Shleifer, von Platen, Ma, Jernite, Plu, Xu, Scao, Gugger, Drame, Lhoest and Rush2020) (bert-base-uncased model).

7.3 Gemma

In order to assess the vulnerability of the large language models to AEs, we include Gemma (Gemma Team and Google DeepMind 2024). Gemma is a recent generative language model, derived from Google’s Gemini models and following the same design principles as the GPT family (Radford et al. Reference Radford, Wu, Child, Luan, Amodei and Sutskever2018). We include both the smaller variant with 2 billion parameters, as well as the full 7-billion model, loaded through Hugging Face Transformers. They have been evaluated in multiple benchmarks and the latter has shown the best performance among the openly available large language models (Gemma Team and Google DeepMind 2024).

The fine-tuning was performed using the same procedure as for BERT. However, in order to keep the computing requirements under control, we applied parameter-efficient fine-tuning (Lialin, Deshpande, and Rumshisky Reference Lialin, Deshpande and Rumshisky2023). Namely, we used QLoRA optimisation (Dettmers et al. Reference Dettmers, Pagnoni, Holtzman and Zettlemoyer2023), based on Low Rank Adaptation (LoRA) (Hu et al. Reference Hu, Shen, Wallis, Allen-Zhu, Li, Wang, Wang and Chen2021) with reduced numerical precision. These are implemented using the Hugging Face’s libraries peft and bitsandbytes, respectively.

8.1 Classification performance

Table 3 shows the performance of the victim classifiers, computed as F-score over the test data (combined development and attack subsets). As expected, BERT easily outperforms a neural network trained from scratch. The credibility assessment tasks are subtle and the amount of data available for training severely limits the performance. Thus, the BERT model has an advantage by relying on knowledge gathered during pretraining. This is demonstrated by the performance gap being the largest for the dataset with the least data available (propaganda detection) and the smallest for the most abundant corpus (hyperpartisan news). The Gemma models perform even better than BERT in all tasks. However, the improvement is not as spectacular (a few per cent) and GEMMA7B does not provide uniformly better results than the 2 billion model.

Table 3. Performance of the victim classifiers, expressed as F-score over the attack subset

9.1 Q1: attack methods

Table 4 compares the performance of the untargeted attack methods in various tasks, averaged over victim models.

Table 4. The results of adversarial attacks, averaged over all victim classifiers, in four misinformation detection tasks (untargeted). Evaluation measures include BODEGA score, confusion score, semantic score, character score and number of queries to the attacked model per example. The best score in each task is in boldface

The hyperpartisan news detection task is relatively easy for generating AEs. BERT-ATTACK achieves the best BODEGA score of 0.56, which is possible due to changing the decision on 90 per cent of the instances while preserving high similarity, both in terms of semantics and characters. However, DeepWordBug (a character-level method) provides the best results in terms of semantic similarity, changing less than 1 per cent of characters on average. The only drawback of this method is that it works in 25 per cent of the cases, failing to change the victim’s decision in the remaining ones.

The propaganda recognition task significantly differs from the previous task in terms of text length, including individual sentences rather than full articles. As a result, every word is more important and it becomes much harder to make the changes imperceptible, resulting in lower character similarity scores. This setup appears to favour the Genetic method, obtaining the best BODEGA score: 0.49. This approach performs well across the board, but it comes at a high cost in terms of model queries. Even for the short sentences in propaganda recognition, a victim model is queried over 800 times, compared to less than 150 for all other methods.

Fact checking resembles the propaganda recognition in terms of relatively short text fragments, but the best-performing method is BERT-ATTACK. As for hyperpartisan news, DeepWordBug achieves high similarity, but succeeds in finding an AE relatively rarely—26 per cent of times.

Finally, the rumour detection task in the untargeted scenario appears to be the hardest problem to attack. Here the best methods reach BODEGA score of 0.25, indicating low usability, mostly due to low confusion rates—barely above 60 per cent . This may be because rumour threads consist of numerous posts, each having some indication on the credibility of the news, forcing an attacker to make many modifications to change the victim’s decision. The text of Twitter messages is also far from regular language, making the challenge harder for methods using models pretrained on well-formed text (e.g. BERT-ATTACK). It has to be noted however that this setup is equally problematic to the meaning preservation measurement (semantic score), thus suggesting these results should be taken cautiously.

Regarding the performance of the included attack methods, we can observe the following:

• • Approaches relying on local changes (e.g. BERT-ATTACK, DeepWordBug) work better than global rephrasers (SCPN), because they are able to deliver more candidates for AEs and thus have more chances for success.

• • Character-replacing solutions (e.g. DeepWordBug) maintain high similarity, both in semantic and Levenstain measures, but suffer in terms of confusion rate. Clearly, sometimes changing a whole word is necessary to trigger a decision change.

• • Methods relying on language models for meaning representation (esp. BERT-ATTACK) obtain better results than those relying on GloVe (Genetic) or WordNet (PWWS). This is likely because the older methods are not context-sensitive, resulting in less appropriate replacements, visible as reduced semantic scores.

• • Solutions performing a very extensive search (esp. Genetic) find good AEs only for short text: propaganda and fact-checking. They become unfeasible for longer content, for example news.

• • Even solutions with apparently similar designs (BAE and BERT-ATTACK) can deliver vastly different performance due to smaller details in their implementation.

9.2 Q2: victim size and vulnerability

Figure 2. Classification performance (F1 score) and vulnerability to targeted attacks (BODEGA score) of models according to their size (parameter count, logarithmic scale), for different tasks.

Fig. 2 plots the performance and vulnerability to targeted attacks (BODEGA score of the most successful method) of models of increasing size: BiLSTM, BERT, GEMMA2B, GEMMA7B. We can see that while the classification scores almost universally improve with larger models (albeit with diminishing returns), the robustness assessment paints a more complex picture.

BiLSTM, which is by far the smallest model, is also clearly the most vulnerable to attacks. However, the results for the large pretrained models are surprising: the smallest of them (BERT) appears to be the most robust, except for one task (HN). This effect is the strongest for the FC task, where the best attacker on the GEMMA7B model achieves a score 27% higher than in the attack against BERT. For two of the tasks (FC and RD), this pattern holds even within the same model family, with the smaller GEMMA model showing lower vulnerability.

Overall, new and more accurate language models are not less vulnerable to attacks, as one would hope. In the application scenarios involving adversarial actors, such as credibility assessment, smaller solutions may thus be a more appropriate choice. This observation is a contribution to the wider question of vulnerability of LLMs to adversarial actions (Yao et al. Reference Yao, Duan, Xu, Cai, Sun and Zhang2024; Goto, Ono, and Morita Reference Goto, Ono and Morita2024). While this is a new research area, preliminary results are concordant with ours, namely showing larger models as not necessarily increasing robustness over the smaller predecessors (Liu et al. Reference Liu, Cong, Zhao, Backes, Shen and Zhang2024). Our results do not explain why the robustness does not increase with model size as classification performance does, and we leave this problem as an interesting question for future research.

9.3 Q3: number of queries

Figure 3. Results of the targeted attacks (y axis, BODEGA score) plotted against the number of queries necessary (x axis, logarithmic) for various attack methods (symbols) and tasks (colours).

Fig. 3 illustrates the number of queries necessary to perform attacks with various levels of success. Primarily, we can see the results are grouped according to the task being attacked. The tasks involving long text (HN and RD) both require many queries: for each attacked example, from several hundred to several thousand attempts are needed to find an adversarial variant. These two tasks differ in terms of success, with hyperpartisan news obtaining some of the highest BODEGA scores and rumour detection: the lowest. The tasks involving shorter text (FC and PR) have similarly high success rate, but good attacks require much less queries: from just over 100 (FC) to less than 60 (PR).

In terms of attack methods, BERT-ATTACK clearly achieves the best BODEGA score for most tasks. However, it requires many queries—even though not as many as the Genetic approach. Among the methods that work with less queries, often with little cost in terms of performance loss, we can distinguish TextFooler and DeepWordBug.

9.4 Q4: targeting

Table 5 compares targeted and untargeted scenarios in terms of performance—the best BODEGA score and the number of queries needed to achieve it. Interestingly, the individual score differences can be quite high, but the pattern depends on the classification task. The targeted task is always harder for news bias assessment (except BERT) and fact checking. The untargeted one is always much more challenging for propaganda recognition and rumour detection.

Table 5. A comparison of the results—highest BODEGA score and corresponding number of queries—in the untargeted (U) and targeted (T) scenario for various tasks and victims. The better values (higher BODEGA scores and lower number of queries) are highlighted

9.5 Manual analysis

In order to better understand how a successful attack might look like, we manually analyse some of them. This allows us observe what types of adversarial modifications are the weakest point of the classifier, as well as verify if attack success scoring using automatic measures is aligned with the human judgement.

For that purpose, we select 20 instances with the highest BODEGA score from the untargeted interactions between a relatively strong attacker (BERT-ATTACK) and a relatively weak victim (BiLSTM), within all tasks. Next, we label the AEs according to the degree they differ from the original text:Footnote ^p

1. 1. Synonymous: the text is identical in meaning to the original.

2. 2. Typographic: change of individual characters, for example resembling sloppy punctuation or typos, likely imperceptible.

3. 3. Grammatical: change of the syntax of the sentence, for example replacing a verb with a noun with the same root, possibly making the text grammatically incorrect,

4. 4. Semantic-small: changes affecting the overall meaning of the text, but to a limited degree, unlikely to affect the credibility label,

5. 5. Semantic-large: significant changes in the meaning of the text, indicating the original credibility may not apply,

6. 6. Local: changes of any degree higher than Synonymous, but present only in a few non-crucial sentences of a longer text, leaving others to carry the original meaning (applies to tasks with many sentences, i.e. RD and HN).

The changes labelled as Semantic-large indicate attack failure, while others denote success with varying visibility of the modification.

Table 6 shows the quantitative results of the manual analysis, while Table 7 includes some examples. Generally, a large majority of these attacks (82.5 per cent ) were successful in maintaining the original meaning, confirming the high BODEGA score assigned to them. However, significant differences between the tasks are visible.

Table 6. Number of AEs using different modifications among the best 20 instances (according to BODEGA score) in each task, using BiLSTM as victim and BERT-ATTACK as attacker

Consistently with the results of automatic analysis, rumour detection appears to be the most robust, resulting in many attacks changing the original meaning. Even though oftentimes only a word or two is changed, it affects the meaning of the whole Twitter thread, since the follow-up messages do not repeat the content, but often deviate from the topic (see EX4 in Table 7). The opposite happens for hyperpartisan news: a singular change does not affect the overall message, as the news article are typically redundant and maintain their sentiment throughout (see EX6). As a result, the HR task is one of the most vulnerable to attacks.

Table 7. Some examples of adversarial modifications that were successful (i.e. resulted in changed classifier decision), performed by BERT-ATTACK against BiLSTM, including identifier (mentions in text), task and type of modification. Changes are highlighted in boldface

It is also interesting to compare the two tasks with shorter text: fact checking and propaganda recognition. While the FC classifier shows a large vulnerability to typographic changes (esp. in punctuation, see EX2), many of the changes performed by the attackers affect important aspects of the content (e.g. names or numbers, see EX5), making the AE futile. The propaganda recognition, on the other hand, appears to rely on stylistic features, allowing the AE generation while preserving full synonymy (see EX1) or just introducing grammatical issues (see EX3).