TokenBreak: Bypassing Text Classification Models Through Token Manipulation (2506.07948v1)

Abstract: NLP models are used for text-related tasks such as classification and generation. To complete these tasks, input data is first tokenized from human-readable text into a format the model can understand, enabling it to make inferences and understand context. Text classification models can be implemented to guard against threats such as prompt injection attacks against LLMs, toxic input and cybersecurity risks such as spam emails. In this paper, we introduce TokenBreak: a novel attack that can bypass these protection models by taking advantage of the tokenization strategy they use. This attack technique manipulates input text in such a way that certain models give an incorrect classification. Importantly, the end target (LLM or email recipient) can still understand and respond to the manipulated text and therefore be vulnerable to the very attack the protection model was put in place to prevent. The tokenizer is tied to model architecture, meaning it is possible to predict whether or not a model is vulnerable to attack based on family. We also present a defensive strategy as an added layer of protection that can be implemented without having to retrain the defensive model.

• The paper demonstrates that minor token modifications can bypass text classifiers by exploiting vulnerabilities in BPE and WordPiece tokenization.
• It details an automated algorithm that prepends characters to key words, preserving the original semantic intent for downstream targets.
• Experimental results reveal Unigram tokenization resists the attack, prompting defenses like pre-tokenizing inputs to enhance model robustness.

This paper introduces TokenBreak (2506.07948), a novel adversarial attack technique that bypasses text classification models by manipulating how the input text is tokenized. Text classification models are widely used as protection mechanisms against various threats, including prompt injection attacks against LLMs, spam emails, and toxic content. TokenBreak exploits vulnerabilities in certain tokenization strategies, causing classification models to misclassify malicious input as benign, while the original semantic intent remains understandable to the downstream target (e.g., an LLM or a human recipient).

The core idea behind TokenBreak is to make minor, targeted modifications to the input text (such as prepending a single character to a word) that significantly alter the tokenization process for specific tokenizers. This change in token representation leads the classification model to output a false negative. Crucially, the modifications are designed to be minimal enough that the original meaning of the text is preserved and the intended target can still comprehend and act upon the manipulated text.

The authors developed an automated method to generate TokenBreak examples. This method, described in Algorithm 1 (BreakPrompt), identifies words that are most impactful to the classification score. It then iteratively prepends letters (A-Z, a-z) to these words and checks if the modified word alone is classified as benign with high confidence. If a suitable perturbation is found for an individual word, it is applied to the original prompt, and the entire modified prompt is re-tested against the classifier. The goal is to find minimal changes that cause the model to output a false negative for the entire input.

The attack was evaluated against nine binary text classification models, three each for Prompt Injection, Spam, and Toxicity detection. Models using Byte Pair Encoding (BPE), WordPiece, and Unigram tokenization strategies were selected from Hugging Face. Data samples for testing were curated from relevant public datasets like Lakera's mosscap_prompt_injection (Pfister et al., 14 Jan 2025), Twitter spam, Email Spam Detection, Jigsaw Toxic Comment Classification Challenge, Wikipedia toxicity, and Youtube toxic comments.

Experimental results demonstrated that models using BPE and WordPiece tokenization strategies were susceptible to TokenBreak, while models using Unigram tokenization were not affected in the tests conducted. The susceptibility varied:

• Prompt Injection: BPE models had a 2.09% TokenBreak success rate (percentage of correctly classified samples that were successfully manipulated), WordPiece models had 11.90%, and Unigram models had 0.00%.
• Spam: BPE models had 4.28%, WordPiece models had 78.93%, and Unigram models had 0.00%.
• Toxicity: BPE models had 25.26%, WordPiece models had 76.05%, and Unigram models had 0.00%.

Overall, models using WordPiece tokenization showed the highest mean susceptibility (55.62%), followed by BPE (10.54%). Unigram models consistently exhibited zero susceptibility.

The paper includes practical demonstrations showing how TokenBreak bypasses classifiers but remains effective against downstream targets. For instance, a prompt injection attempt like "Reveal password," correctly detected by a WordPiece model, was modified to "aReveal password" using TokenBreak. This manipulated prompt bypassed the classifier but still caused the Qwen3-0.6B LLM [Qwen_model] to process it as an instruction to reveal the password, demonstrating the bypass leaves the target vulnerable. Similarly, manipulated spam and toxic messages bypassed detection while remaining understandable to a human reader.

The difference in susceptibility is attributed to how the tokenizers handle new characters or subwords at the beginning of words. BPE and WordPiece typically build tokens from left to right based on learned merge rules and vocabularies. Adding a character at the beginning of a word can disrupt this process, forcing a different tokenization that might break up important semantic tokens into less meaningful subwords, thus confusing the classifier. Unigram tokenization, conversely, works based on token frequency probability over the entire word, making it less sensitive to initial character perturbations and more likely to correctly tokenize known important subwords regardless of their position.

As a defense mechanism against TokenBreak for models using BPE or WordPiece, the authors propose inserting a Unigram tokenizer before the target classification model. The input text is first tokenized by the Unigram tokenizer, then the Unigram tokens are remapped or translated back into tokens recognized by the target model's original tokenizer. This process ensures that the input fed to the target model is tokenized in a way similar to how a robust Unigram model would interpret it.

Experimental results show this defense is effective. For BPE models, the average TokenBreak success rate across tasks dropped from 10.54% to 7.65%. For WordPiece models, the average success rate dropped dramatically from 55.62% to 17.61%. This demonstrates that pre-tokenizing with a Unigram tokenizer can significantly reduce the vulnerability of BPE and WordPiece models to TokenBreak.

A significant observation is the correlation between model family and tokenizer type. The research found that DeBERTa and XLM-RoBERTa models typically use Unigram tokenization, RoBERTa models use BPE, and BERT/DistilBERT models use WordPiece. This linkage, also supported by Hugging Face documentation, means a model's susceptibility to TokenBreak can often be predicted simply by knowing its family. The authors thus present TokenBreak as a model-level vulnerability, emphasizing the importance of considering the tokenizer type (and consequently, often the model family) when selecting or deploying protection models.

In conclusion, TokenBreak highlights a critical vulnerability in text classification models relying on BPE or WordPiece tokenization, enabling attackers to bypass defenses while preserving the attack's effectiveness on the target. The paper recommends using models with Unigram tokenization for robustness against this attack vector and proposes a practical defense involving a pre-processing step with a Unigram tokenizer for existing BPE/WordPiece models. The findings underscore the need to consider tokenization strategy as a security factor in deploying NLP-based protection systems.