Paraphrasing Adversarial Attack on LLM-as-a-Reviewer

The use of large language models (LLMs) in peer review systems has attracted growing attention, making it essential to examine their potential vulnerabilities. Prior attacks rely on prompt injection, which alters manuscript content and conflates injection susceptibility with evaluation robustness. We propose the Paraphrasing Adversarial Attack (PAA), a black-box optimization method that searches for paraphrased sequences yielding higher review scores while preserving semantic equivalence and linguistic naturalness. PAA leverages in-context learning, using previous paraphrases and their scores to guide candidate generation. Experiments across five ML and NLP conferences with three LLM reviewers and five attacking models show that PAA consistently increases review scores without changing the paper's claims. Human evaluation confirms that generated paraphrases maintain meaning and naturalness. We also find that attacked papers exhibit increased perplexity in reviews, offering a potential detection signal, and that paraphrasing submissions can partially mitigate attacks.

Key Contributions

• PAA: an in-context-learning-guided black-box iterative search over paraphrased abstracts that maximizes LLM reviewer scores while preserving semantic equivalence and linguistic naturalness
• Comprehensive evaluation across 5 ML/NLP conferences, 3 LLM reviewers, and 5 attacking models, revealing self-preference bias and cross-model transferability of adversarial paraphrases
• Identification of increased review perplexity as a detection signal for PAA-attacked submissions, and defensive paraphrasing as a partial mitigation

🛡️ Threat Analysis

Details

Similar Papers