## TextAttack

TextAttack is a Python framework for adversarial attacks, data augmentation, and model training in NLP.

### Poetry

We use Poetry for dependency pinning.

In [None]:
# Install Poetry
!curl -sSL https://install.python-poetry.org | python3 -
import os
os.environ['PATH'] = '/root/.local/bin' + ':' + os.environ['PATH']
!which poetry

Retrieving Poetry metadata

# Welcome to Poetry!

This will download and install the latest version of Poetry,
a dependency and package manager for Python.

It will add the `poetry` command to Poetry's bin directory, located at:

/root/.local/bin

You can uninstall at any time by executing this script with the --uninstall option,
and these changes will be reverted.

Installing Poetry (2.1.1): Done

Poetry (2.1.1) is installed now. Great!

To get started you need Poetry's bin directory (/root/.local/bin) in your `PATH`
environment variable.

Add `export PATH="/root/.local/bin:$PATH"` to yo

In [None]:
!mkdir textattack-example
%cd textattack-example
!poetry init --no-interaction
!poetry config virtualenvs.create false
!poetry add textattack
%cd ..

/content/textattack-example
Skipping virtualenv creation, as specified in config file.
Using version ^0.3.10 for textattack

Updating dependencies
Resolving dependencies... (60.8s)

Package operations: 34 installs, 22 updates, 0 removals

  - Downgrading nvidia-nvjitlink-cu12 (12.5.82 -> 12.4.127): Downloading... 70%
  - Downgrading 

### Check that the CLI is installed

In this step we make sure the `textattack` CLI is on the PATH.

In [None]:
!which textattack

/usr/local/bin/textattack
### Run attack (fails)

We run the following attack: TextFooler against BERT fine-tuned on SST-2.

In [None]:
!textattack attack --model bert-base-uncased-sst2 --recipe textfooler --num-examples 10

textattack: Updating TextAttack package dependencies.
textattack: Downloading NLTK required packages.
[nltk_data] Downloading package averaged_perceptron_tagger to
[nltk_data]     /root/nltk_data...
[nltk_data]   Unzipping taggers/averaged_perceptron_tagger.zip.
[nltk_data] Downloading package stopwords to /root/nltk_data...
[nltk_data]   Unzipping corpora/stopwords.zip.
[nltk_data] Downloading package omw to /root/nltk_data...
[nltk_data] Downloading package universal_tagset to /root/nltk_data...
[nltk_data]   Unzipping taggers/universal_tagset.zip.
[nltk_data] Downloading package wordnet to /root/nltk_data...
[nltk_data] Downloading package punkt to /root/nltk_data...
[nltk_data]   Unzipping tokenizers/punkt.zip.
2025-03-21 16:31:07.876575: I tensorflow/core/util/port.cc:153] oneDNN custom operations are on. You may see slightly different numerical results due to floating-point round-off errors from different computation orders. To turn them off, set the environ

### Run attack v2

We run Seq2Sick (black-box) against T5 fine-tuned for English-German translation.

#### What is seq2sick?

Seq2Sick is an adversarial attack method designed for sequence-to-sequence (seq2seq) models, which are commonly used in tasks like machine translation, text summarization, and speech-to-text. The goal of the Seq2Sick attack is to subtly modify input sequences (adversarial perturbations) so that the model produces incorrect or undesired outputs, while keeping the input perturbation minimal and imperceptible.

Key details of Seq2Sick:

- Focus on seq2seq models: seq2seq models consist of an encoder (to process the input) and a decoder (to generate the output). Seq2Sick manipulates the input to mislead the decoder.
- Adversarial objective: the attack maximizes the divergence between the model's output on the original input and its output on the perturbed input, while ensuring that the perturbations are small and not easily noticeable (e.g., minor changes to characters or words).
- Optimization-based attack: Seq2Sick uses an optimization process to find minimal perturbations that maximize the model's output error, often implemented using Projected Gradient Descent (PGD) or other adversarial optimization methods.
- Applications: target tasks like machine translation, where small changes to the input can result in translations that are semantically incorrect or misleading. It demonstrates vulnerabilities in seq2seq systems, highlighting the need for robust defenses.

Example: imagine using a seq2seq model for machine translation (e.g., English to Spanish). The original input might be:

"I love programming."

The Seq2Sick attack might modify it slightly to:

"I love proggramming."
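To make the objective above concrete, here is an added toy example (not TextAttack code and not from the Seq2Sick paper): a constructed dictionary lookup stands in for the seq2seq model, a Levenshtein edit budget plays the "imperceptibility" constraint, word-overlap divergence is the goal function, and a greedy black-box search tries small character edits; a typo-tolerant variant of the model shows how input normalisation blunts single-edit perturbations. The lexicon, sentences and function names are all assumptions made for this illustration.

```python
from difflib import SequenceMatcher
# Constructed toy English->German lexicon standing in for a seq2seq model;
# unknown words are copied through unchanged (the "wrong output" we want to detect).
LEXICON = {"i": "ich", "love": "liebe", "programming": "programmieren"}

def levenshtein(a: str, b: str) -> int:
    """Character edit distance: the 'imperceptibility' budget of a perturbation."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def toy_translate(sentence: str, tolerate_typos: bool = False) -> str:
    """Word-by-word lookup. tolerate_typos snaps an unknown word to a lexicon
    entry at most one edit away: a simple input-normalisation defence."""
    out = []
    for w in sentence.split():
        key = w.lower()
        if tolerate_typos and key not in LEXICON:
            key = next((k for k in LEXICON if levenshtein(key, k) <= 1), key)
        out.append(LEXICON.get(key, w))
    return " ".join(out)

def output_divergence(orig_out: str, new_out: str) -> float:
    """Goal function: 1 - word-level similarity (0 = same output, 1 = no overlap)."""
    return 1.0 - SequenceMatcher(None, orig_out.split(), new_out.split()).ratio()

def candidate_words(w: str):
    """Transformation: duplicate one character (1 edit) or swap two adjacent ones (2 edits)."""
    for k in range(len(w)):
        yield w[:k] + w[k] + w[k:]
    for k in range(len(w) - 1):
        yield w[:k] + w[k + 1] + w[k] + w[k + 2:]

def seq2sick_toy(sentence: str, max_edits: int, tolerate_typos: bool = False):
    """Greedy black-box search: best (divergence, perturbed sentence) within the edit budget."""
    base_out = toy_translate(sentence, tolerate_typos)
    words = sentence.split()
    best = (0.0, sentence)  # divergence 0 means the search found nothing within budget
    for i, w in enumerate(words):
        for cand_word in candidate_words(w):
            cand = " ".join(words[:i] + [cand_word] + words[i + 1:])
            if levenshtein(sentence, cand) <= max_edits:
                div = output_divergence(base_out, toy_translate(cand, tolerate_typos))
                if div > best[0]:
                    best = (div, cand)
    return best
```

With the plain model a single duplicated character already changes one output word; with `tolerate_typos=True` the same one-edit budget finds nothing, and the search needs a two-edit budget (an adjacent swap) to succeed again.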

#### Output explanation
In [None]:
!textattack attack --model t5-en-de --recipe seq2sick --num-examples 100

2025-03-21 16:34:28.997963: I tensorflow/core/util/port.cc:153] oneDNN custom operations are on. You may see slightly different numerical results due to floating-point round-off errors from different computation orders. To turn them off, set the environment variable `TF_ENABLE_ONEDNN_OPTS=0`.
2025-03-21 16:34:29.016358: E external/local_xla/xla/stream_executor/cuda/cuda_fft.cc:477] Unable to register cuFFT factory: Attempting to register factory for plugin cuFFT when one has already been registered
E0000 00:00:1742574869.038219    2797 cuda_dnn.cc:8310] Unable to register cuDNN factory: Attempting to register factory for plugin cuDNN when one has already been registered
E0000 00:00:1742574869.044989    2797 cuda_blas.cc:1418] Unable to register cuBLAS factory: Attempting to register factory for plugin cuBLAS when one has already been registered
2025-03-21 16:34:29.067548: I tensorflow/core/platform/cpu_feature_guard.cc:210] This TensorFlow binary is optimized to use available CPU instr

## Attack a LLaMA model

### Install dependencies

In [None]:
%cd textattack-example/
!poetry add transformers torch
!poetry add numpy==1.25.2
%cd ..

/content/textattack-example
Skipping virtualenv creation, as specified in config file.
The following packages are already present in the pyproject.toml and will be skipped:

  - transformers
  - torch

If you want to update it to the latest compatible version, you can use `poetry update package`.
If you prefer to upgrade it to the latest available version, you can use `poetry add package@latest`.

Nothing to add.
Found existing installation: numpy 1.25.2
Uninstalling numpy-1.25.2:
  Successfully uninstalled numpy-1.25.2
Skipping virtualenv creation, as specified in config file.

Updating dependencies
Resolving dependencies... (0.8s)

Package operations: 1 install, 0 updates, 0 removals

  - Installing numpy (1.25.2): Pending...
  - Installing 

### Load LLaMA model

We load the model using the `transformers` library.

In [None]:
!pip show numpy

from transformers import AutoTokenizer, AutoModelForCausalLM

# Load tokenizer and model
tokenizer = AutoTokenizer.from_pretrained("huggyllama/llama-7b")
model = AutoModelForCausalLM.from_pretrained("huggyllama/llama-7b")

Name: numpy
Version: 1.25.2
Summary: Fundamental package for array computing in Python
Home-page: https://www.numpy.org
Author: Travis E. Oliphant et al.
Author-email: 
License: BSD-3-Clause
Location: /usr/local/lib/python3.11/dist-packages
Requires: 
Required-by: accelerate, albucore, albumentations, ale-py, arviz, astropy, autograd, bert-score, bigframes, blis, blosc2, bokeh, Bottleneck, bqplot, chex, clarabel, cmdstanpy, contourpy, cudf-cu12, cufflinks, cuml-cu12, cupy-cuda12x, cuvs-cu12, cvxpy, cyipopt, dask-cuda, dask-cudf-cu12, datascience, datasets, db-dtypes, diffusers, dm-tree, dopamine_rl, flax, folium, geemap, geopandas, gym, gymnasium, h5py, hdbscan, highspy, holoviews, hyperopt, imageio, imbalanced-learn, jax, jaxlib, keras, keras-hub, lemminflect, librosa, lightgbm, matplotlib, matplotlib-venn, missingno, mizani, ml-dtypes, mlxtend, moviepy, music21, nibabel, numba, numexpr, nx-cugraph-cu12, opencv-contrib-python, opencv-python, opencv-python-headless, optax, orbax-checkp

RuntimeError: Failed to import transformers.models.auto.tokenization_auto because of the following error (look up to see its traceback):
Failed to import transformers.generation.utils because of the following error (look up to see its traceback):
No module named 'numpy.char'