
Why are there fewer papers after 2023? #48

Closed
bupt01 opened this issue Apr 2, 2024 · 3 comments

Comments

@bupt01

bupt01 commented Apr 2, 2024

I noticed a conspicuous gap in the representation of papers from 2023. I'm intrigued by this observation and would appreciate insights into the reasons behind it. Additionally, I'm curious to ascertain whether adversarial attack research, particularly in the realm of computer vision (CV), is more prominently featured in top-tier conferences compared to its counterpart in natural language processing (NLP) in terms of quantity?

@Opdoop
Contributor

Opdoop commented Apr 2, 2024

Hi @bupt01, I have some preliminary insight. First, historically, adversarial attacks originated in Computer Vision (CV) and were later popularized in other modalities, hence there is more accumulated work and deeper research in the CV field. Secondly, from the perspective of problem definition, textual adversarial attack poses a different kind of challenge. In CV, adversarial attacks can be analyzed from the perspectives of optimization and training, namely searching for adversarial gradients. However, in text, adversarial attacks only borrow a similar concept, with the actual attacks conducted at the discrete token level, primarily through searching within a predefined word space to find suitable replacement words that fit constraints as perturbations. Therefore, the main issue with adversarial attacks in text can be seen as a combinatorial optimization problem, on how to efficiently search within a predefined space. This definition of adversarial attacks, I believe, is fundamentally different from the noise obtained through adversarial gradients initially in CV, and is not the same kind of problem. Additionally, early work in text focused on various specific downstream tasks, but more recent efforts on adversarial attacks involve Large Language Models (LLMs), and you could look into papers related to LLM safety.

@yangalan123
Collaborator

Thanks for the great answers! @Opdoop The combinatorial nature of textual adversarial attack (manipulating discrete tokens rather than continuous features) sets it apart from other related works in the CV/ML domain. This is hard to solve and, in past years, various methods have been proposed, so it is not easy to come up with new attack or defense methods. As we now live in the era of LLMs and LLMs have their own new problems (or, at least the problem formulation is very different from the standard classification formulation we saw before 2022) in AI safety/LLM safety, people who traditionally work in adversarial attacks may shift their interests. Therefore, there are fewer new papers coming out these days in the TAAD domain.

As the only main contributor to this repo, I once considered including some new research like adversarial alignment, which has a very close formulation to the papers here. However, I finally decided to leave it to the LLM safety/alignment community to keep this repo compact and focused. Not sure how many people in the future would still be interested in whether a super-intelligent agent makes mistakes on weird-looking adversarial text samples, but I will still maintain this repo as best I can.
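Both comments above describe textual adversarial perturbation as a constrained search over discrete token substitutions rather than a gradient step. The toy Python below is added here for illustration and is not code from the repository: with a constructed keyword classifier and a constructed candidate table, it counts how many perturbations a substitution budget allows and exhaustively checks whether any of them changes the label, which is a robustness check on a toy model, not an efficient search method.

```python
from itertools import combinations, product

# Constructed toy sentiment classifier: signed word weights, label = sign of the sum.
WEIGHTS = {"great": 2, "love": 2, "fine": 1, "dull": -2, "bad": -2, "slow": -1}

def classify(tokens):
    """Return 1 (positive) or 0 (negative) for a list of tokens."""
    score = sum(WEIGHTS.get(t, 0) for t in tokens)
    return 1 if score > 0 else 0

# Constructed candidate set: the "predefined word space" of allowed
# replacements per token; only these substitutions are considered.
CANDIDATES = {
    "great": ["fine", "okay"],
    "love": ["like", "enjoy"],
    "plot": ["story"],
    "slow": ["dull"],
}

def search_space_size(tokens, budget):
    """Number of distinct perturbations using at most `budget` substitutions."""
    positions = [i for i, t in enumerate(tokens) if t in CANDIDATES]
    total = 0
    for k in range(1, budget + 1):
        for combo in combinations(positions, k):
            n = 1
            for i in combo:
                n *= len(CANDIDATES[tokens[i]])
            total += n
    return total

def minimal_flip(tokens, budget):
    """Smallest perturbation (<= budget substitutions) that changes the label,
    found by exhaustive enumeration; None if no perturbation within budget does."""
    original = classify(tokens)
    positions = [i for i, t in enumerate(tokens) if t in CANDIDATES]
    for k in range(1, budget + 1):
        for combo in combinations(positions, k):
            for choice in product(*(CANDIDATES[tokens[i]] for i in combo)):
                perturbed = list(tokens)
                for i, w in zip(combo, choice):
                    perturbed[i] = w
                if classify(perturbed) != original:
                    return perturbed
    return None
```

Even on this four-word input the space grows multiplicatively with the budget, which is why the practical work in the papers listed here is about searching it efficiently under constraints.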

@bupt01
Author

bupt01 commented Apr 5, 2024

Thank you all, I feel like I've learned a lot from it.

bupt01 closed this as completed Apr 5, 2024