Selective Adversarial Attacks on LLM Benchmarks

Benchmarking outcomes increasingly govern trust, selection, and deployment of LLMs, yet these evaluations remain vulnerable to semantically equivalent adversarial perturbations. Prior work on adversarial robustness in NLP has emphasized text attacks that affect many models equally, leaving open the question of whether it is possible to selectively degrade or enhance performance while minimally affecting other models. We formalize this problem and study selective adversarial attacks on MMLU - a widely used benchmark designed to measure a language model's broad general knowledge and reasoning ability across different subjects. Using canonical attacks integrated into TextAttack framework, we introduce a protocol for selectivity assessment, develop a custom constraint to increase selectivity of attacks and propose a surrogate-LLM pipeline that generates selective perturbations. Empirically, we find that selective adversarial attacks exist and can materially alter relative rankings, challenging the fairness, reproducibility, and transparency of leaderboard-driven evaluation. Our results motivate perturbation-aware reporting and robustness diagnostics for LLM evaluation and demonstrate that even subtle edits can shift comparative judgments.

Key Contributions

• First formalization of selectivity in adversarial NLP attacks: perturbations that degrade a specific target LLM on benchmarks while minimally affecting non-target models
• Custom TextAttack selectivity constraint and surrogate-LLM white-box pipeline for generating selective adversarial perturbations without access to target model internals
• Empirical demonstration on MMLU that selective attacks materially alter relative leaderboard rankings, motivating perturbation-aware benchmark reporting

🛡️ Threat Analysis

Details

Similar Papers