Self-Disguise Attack: Induce the LLM to disguise itself for AIGT detection evasion
Yinghan Zhou, Juan Wen, Wanli Peng, Zhengxian Wu, Ziwei Zhang, Yiming Xue
Published on arXiv: 2508.15848
Output Integrity Attack
OWASP ML Top 10 — ML09
Key Finding
SDA reduces average detection accuracy of various AIGT classifiers across outputs from three different LLMs while maintaining text quality, without requiring fine-tuning.
Self-Disguise Attack (SDA)
Novel technique introduced
AI-generated text (AIGT) detection evasion aims to reduce the detection probability of AIGT, helping to identify weaknesses in detectors and enhance their effectiveness and reliability in practical applications. Although existing evasion methods perform well, they suffer from high computational costs and text quality degradation. To address these challenges, we propose Self-Disguise Attack (SDA), a novel approach that enables Large Language Models (LLMs) to actively disguise their output, reducing the likelihood of detection by classifiers. The SDA comprises two main components: the adversarial feature extractor and the retrieval-based context examples optimizer. The former generates disguise features that enable LLMs to understand how to produce more human-like text. The latter retrieves the most relevant examples from an external knowledge base as in-context examples, further enhancing the self-disguise ability of LLMs and mitigating the impact of the disguise process on the diversity of the generated text. The SDA directly employs prompts containing disguise features and optimized context examples to guide the LLM in generating detection-resistant text, thereby reducing resource consumption. Experimental results demonstrate that the SDA effectively reduces the average detection accuracy of various AIGT detectors across texts generated by three different LLMs, while maintaining the quality of AIGT.
Key Contributions
- Adversarial feature extractor that uses an iterative adversarial process among a feature generator, text generator, and proxy detector to surface disguise features distinguishing AIGT from human-written text.
- Retrieval-based context examples optimizer (RAG-inspired) that selects top-k detection-resistant examples to preserve text diversity while guiding detection evasion.
- SDA reduces detection accuracy of multiple AIGT detectors across three LLMs without fine-tuning and with lower computational cost than prior methods.
🛡️ Threat Analysis
SDA is an evasion attack against AIGT (AI-generated text) detection systems — it undermines output integrity and provenance verification by making LLM-generated text undetectable. Attacking AIGT detectors is a direct ML09 threat against content authenticity systems.