Reasoning Robustness of LLMs to Adversarial Typographical Errors
Large Language Models (LLMs) have demonstrated impressive capabilities in reasoning using Chain-of-Thought (CoT) prompting. However, CoT can be biased by users' instructions. In this work, we study the reasoning robustness of LLMs to typographical errors, which can naturally occur in users'...
Stored in: | |
---|---|
Main authors: | Gan, Esther; Zhao, Yiran; Cheng, Liying; Mao, Yancan; Goyal, Anirudh; Kawaguchi, Kenji; Kan, Min-Yen; Shieh, Michael |
Format: | Article |
Language: | eng |
Subjects: | Computer Science - Artificial Intelligence; Computer Science - Computation and Language |
Online access: | Order full text |
container_end_page | |
---|---|
container_issue | |
container_start_page | |
container_title | |
container_volume | |
creator | Gan, Esther; Zhao, Yiran; Cheng, Liying; Mao, Yancan; Goyal, Anirudh; Kawaguchi, Kenji; Kan, Min-Yen; Shieh, Michael |
description | Large Language Models (LLMs) have demonstrated impressive capabilities in reasoning using Chain-of-Thought (CoT) prompting. However, CoT can be biased by users' instructions. In this work, we study the reasoning robustness of LLMs to typographical errors, which can naturally occur in users' queries. We design an Adversarial Typo Attack ($\texttt{ATA}$) algorithm that iteratively samples typos for words that are important to the query and selects the edit that is most likely to succeed in attacking. It shows that LLMs are sensitive to minimal adversarial typographical changes. Notably, with 1 character edit, Mistral-7B-Instruct's accuracy drops from 43.7% to 38.6% on GSM8K, while with 8 character edits the performance further drops to 19.2%. To extend our evaluation to larger and closed-source LLMs, we develop the $\texttt{R}^2\texttt{ATA}$ benchmark, which assesses models' $\underline{R}$easoning $\underline{R}$obustness to $\underline{\texttt{ATA}}$. It includes adversarial typographical questions derived from three widely used reasoning datasets (GSM8K, BBH, and MMLU) by applying $\texttt{ATA}$ to open-source LLMs. $\texttt{R}^2\texttt{ATA}$ demonstrates remarkable transferability and causes notable performance drops across multiple very large and closed-source LLMs. |
doi_str_mv | 10.48550/arxiv.2411.05345 |
format | Article |
fulltext | fulltext_linktorsrc |
identifier | DOI: 10.48550/arxiv.2411.05345 |
ispartof | |
issn | |
language | eng |
recordid | cdi_arxiv_primary_2411_05345 |
source | arXiv.org |
subjects | Computer Science - Artificial Intelligence; Computer Science - Computation and Language |
title | Reasoning Robustness of LLMs to Adversarial Typographical Errors |