TLDR: A new research paper by Heather Lent highlights that NLP security is overwhelmingly English-centric, leaving language models (LMs) vulnerable through lower- and medium-resourced languages (LRLs/MRLs). The study extends adversarial attacks like TextFooler and Round-Trip Machine Translation to 70 languages, finding that smaller monolingual models are highly susceptible. While multilinguality helps, it doesn’t always guarantee improved security. The research underscores the critical need to prioritize LM security for LRLs and MRLs to protect all users from potential threats.
Language models (LMs) are becoming increasingly widespread, impacting millions of users daily. However, a critical security vulnerability exists within these models, particularly concerning languages that are not English. While much of the focus in Natural Language Processing (NLP) security has been on English, a new research paper highlights the urgent need to secure LMs for medium and lower-resourced languages (MRLs and LRLs).
The paper, titled “Beyond Weaponization: NLP Security for Medium and Lower-Resourced Languages in Their Own Right,” by Heather Lent of Aalborg University, argues that the “English first” approach in NLP security clashes with standard cybersecurity practices, which emphasize preparing for worst-case scenarios. The weakest links in LM security are often lower-resourced languages, which can be exploited by malicious actors.
Evidence suggests that multilinguality can be easily weaponized against LMs. For instance, LRLs have been successfully used to bypass safety filters in large language models like GPT-4 at a significantly higher rate than English. This means that if LRLs and MRLs can be used to circumvent LM defenses, the public remains vulnerable to various security threats, including phishing and misinformation campaigns, regardless of the language they speak.
The research investigates the security of LMs for 70 different languages, including 29 LRLs, 33 MRLs, and 8 high-resourced languages (HRLs). To do this, the study extends existing adversarial attacks to these languages. Adversarial attacks involve making small, often imperceptible, changes to inputs to trick a model into misclassifying or behaving unexpectedly. The paper examines two main attack methods: Multilingual TextFooler and Round-Trip Machine Translation (RT-MT).
Multilingual TextFooler is an adaptation of a popular black-box adversarial attack that typically works by replacing words with synonyms. The researchers adapted this method for a multilingual setting despite limited resources such as stop word lists, POS taggers, and synonym embeddings for many LRLs and MRLs. The RT-MT attack, inspired by previous work, translates an input into a different language (Zulu in this case) and then back into the original language, creating a slightly corrupted version that serves as an adversarial sample.
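To make the synonym-substitution idea concrete as a robustness check, here is an added example (not the paper's code) that ranks words by importance, swaps in synonyms greedily, and reports the per-language rate at which a prediction flips. The lexicon, synonym table, stop words, samples and the toy `predict()` model are all constructed assumptions, and the numbers it produces do not reproduce the paper's results.

```python
# Added example, not the paper's code. Lexicon, synonym table, stop words and
# samples are constructed; predict() is a toy stand-in for the model under test.
LEXICON = {"good": 1, "great": 1, "fine": 1, "bad": -1, "awful": -1,
           "bueno": 1, "malo": -1}
SYNONYMS = {"good": ["fine", "decent"], "great": ["superb"], "bad": ["awful"],
            "bueno": ["estupendo"], "malo": ["pésimo"]}
STOP_WORDS = {"the", "was", "and", "el", "es", "fue"}

def score(words):
    return sum(LEXICON.get(w, 0) for w in words)

def predict(words):
    s = score(words)
    return "pos" if s > 0 else "neg" if s < 0 else "neutral"

def perturb(text):
    """Greedy synonym substitution; returns the label-flipping variant or None."""
    words = text.lower().split()
    original = predict(words)
    sign = 1 if original == "pos" else -1
    # Rank substitutable words by how much deleting each one moves the score.
    ranked = sorted(
        (i for i, w in enumerate(words) if w not in STOP_WORDS and w in SYNONYMS),
        key=lambda i: abs(score(words) - score(words[:i] + words[i + 1:])),
        reverse=True)
    for i in ranked:
        # Keep the synonym that most reduces support for the original label.
        best = min(SYNONYMS[words[i]],
                   key=lambda s: sign * score(words[:i] + [s] + words[i + 1:]))
        words[i] = best
        if predict(words) != original:
            return " ".join(words)
    return None

def flip_rate_by_language(samples):
    """Fraction of samples per language whose prediction can be flipped."""
    totals, flips = {}, {}
    for lang, text in samples:
        totals[lang] = totals.get(lang, 0) + 1
        flips[lang] = flips.get(lang, 0) + (perturb(text) is not None)
    return {lang: flips[lang] / totals[lang] for lang in totals}

SAMPLES = [("en", "the movie was good"), ("en", "the food was bad"),
           ("en", "the show was great and good"), ("en", "the hotel was awful"),
           ("es", "el libro es bueno"), ("es", "el servicio fue malo")]

if __name__ == "__main__":
    print(flip_rate_by_language(SAMPLES))
```

In this constructed setup the toy model knows several English synonyms but only one word per polarity in Spanish, so every Spanish sample flips while half of the English ones hold.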
The findings reveal that smaller monolingual models are generally the most vulnerable to these attacks. While larger monolingual models showed better security than the smallest multilingual models, they were still less secure than other larger multilingual LMs. This highlights that both model size and multilinguality play crucial roles in LM security. Interestingly, the study found that simply increasing multilinguality alone, through “moderately” multilingual models, does not consistently guarantee improved security, with results varying by language.
A human evaluation was conducted on a subset of languages to assess the quality of the adversarial samples generated by Multilingual TextFooler. Despite some limitations due to resource scarcity (leading to minor grammatical errors or linguistic noise), the evaluation confirmed that 93.75% of the adversarial samples remained faithful to their original meaning, making them viable for diagnosing model security.
In conclusion, the paper emphasizes that monolingual LMs cannot be solely relied upon for LM security in MRL and LRL communities due to resource limitations preventing the creation of larger models. The inherent vulnerability of multilingual LMs, particularly through their weakest links—lower-resourced languages—poses significant societal risks. The authors advocate for increased efforts in NLP security research to prioritize and address the unique challenges of MRLs and LRLs, stressing that securing these languages is critical for enhancing NLP security for everyone.


