- The paper presents a two-agent adversarial rewriting framework that generates semantic-preserving rewrites to exploit vulnerabilities in black-box NLP pipelines.
- It employs iterative prompt optimization and strict constraint validation, achieving up to 40.34% evasion on modern systems and exposing nearly complete vulnerability in legacy pipelines.
- Experimental results underscore the importance of architectural design decisions, with adaptive optimization and text simplification defense offering measurable improvements.
Agentic Adversarial Rewriting Reveals Architectural Vulnerabilities in Black-Box NLP Pipelines
Introduction and Motivation
This work addresses the adversarial robustness of multi-component NLP pipelines, focusing specifically on evidence-based misinformation detection systems operating under production-realistic constraints: strict black-box access (binary-only feedback), no gradient access, and tight query budgets. Unlike monolithic classifiers, these multi-stage systems pose significant new challenges for adversarial attacks, since effective exploitation must disrupt both retrieval as well as inferential components, and must do so within a narrow query regime and with no visibility into model internals.
Conventional token-level adversarial methods are shown to be largely ineffective in this setting. The authors propose an agentic adversarial rewriting framework, leveraging a two-agent LLM-based system that operates in a semantic perturbation space, generating meaning-preserving rewrites of input claims. These rewrites aim to induce misclassification by the target pipeline, all while adhering to strict semantic equivalence and linguistic coherence constraints.
Figure 1: High-level overview of the agentic adversarial rewriting framework, including the iterative attack loop and a worked example demonstrating the progression toward a successful adversarial evasion.
Framework Design and Methodology
The core framework adopts a two-agent architecture: an Attacker Agent produces candidate rewrites of the original claim, while a Prompt Optimization Agent refines the attack strategy using minimal binary feedback from the pipeline and analysis of prior failed attempts. Constraint validation modules ensure that generated rewrites remain semantically faithful and linguistically viable.
Key components include:
This setup is formulated as a constrained optimization over the input space of natural language, where feasible perturbations form a semantically and linguistically admissible neighborhood around the original claim.
Experimental Results: Empirical Vulnerability Spectrum
Experiments were conducted against four evidence-based misinformation detection pipelines spanning a spectrum from legacy lexical retrieval to modern LLM-based RAG architectures. Evaluation was performed on the LIAR-New dataset, with attacks mandated to preserve semantic fidelity under human-calibrated constraints.
Notable quantitative outcomes include:
Additionally, analysis of successful adversarial rewrites revealed four main exploitation patterns: hedging/ambiguity injection, structural elaboration, linguistic complexity escalation, and syntactic restructuring. These patterns can selectively degrade performance at different pipeline stages (retrieval versus inference), contingent on architectural particulars.
Defense Evaluation and Theoretical Implications
Inspired by observed exploitation patterns, a pattern-informed defense—text simplification—was evaluated. This defense, operationally realized via LLM-based input normalization, reduces attack success on modern pipelines by up to 65.18%. The resultant protection, however, remains bounded by underlying architectural weaknesses: lexical-retrieval systems benefit least, while inference-stage vulnerabilities are most effectively mitigated by complexity normalization.
These findings have immediate implications: architectural choices governing evidence retrieval mechanisms, stage coupling, and baseline accuracy directly modulate the attainable attack surface. For robust deployment, multi-stage NLP systems must go beyond surface-level string matching, tightly couple retrieval and inferential steps, and implement dynamic consistency checks or semantic validation at every inter-component boundary.
Limitations and Future Directions
Despite strong empirical performance, the presented framework has limitations. Semantic equivalence assessment partially relies on LLM-based checks subject to model family bias; only one dataset and problem domain were evaluated; and no explicit cross-pipeline transferability analysis was performed. Further, causal attribution of exploitation patterns requires controlled ablation. Future work should extend this methodology to other NLP pipeline domains (e.g., RAG-based QA, tool-augmented LLM agents) and explore ensemble or multi-mechanism defenses that combine text simplification, input perturbation detection, and pipeline consistency enforcement.
Conclusion
This paper formalizes and systematically interrogates the adversarial robustness of black-box, multi-component NLP pipelines under production-realistic threat models. The agentic adversarial rewriting framework demonstrates that semantic-level adaptive text attacks pose serious risks to deployed multi-stage systems, achieving strong evasion rates even under tight query budgets and minimal feedback. Crucially, exploitation effectiveness is strongly modulated by pipeline architectural choices. The presented results motivate integration of adversarial evaluation, input complexity normalization, and holistic pipeline hardening as standard best practices in the ongoing deployment of NLP-based decision systems.