Adversarial Identifier Renaming
- Adversarial identifier renaming is the targeted modification of program identifiers, preserving syntax and semantics to mislead code models.
- It employs search techniques, genetic algorithms, and AST-based transformations to introduce minimal yet natural changes that significantly alter model predictions.
- Robust defenses such as adversarial training, causal suppression, and naturalness-based purification are being developed to counter these attacks while maintaining code integrity.
Searching arXiv for the cited works and closely related identifier-renaming research. Adversarial identifier renaming is the deliberate, semantics-preserving modification of identifier names—such as variables, functions, classes, or other user-defined symbols—to change a model’s prediction, evade a detector, or induce a misleading interpretation without altering underlying program behavior. In the contemporary literature, it is treated not as arbitrary obfuscation but as a constrained perturbation channel: the modified code is expected to remain functionally equivalent, syntactically correct and compilable, small in edit magnitude, and natural-looking to humans. The topic now spans neural code comprehension, LLM-generated code detection, code-language-model security, deobfuscation, and adjacent robustness work on entity renaming in question answering (Yin et al., 17 Jul 2025, Gao et al., 2022, Mu et al., 28 Apr 2025, Lorenzo, 5 Apr 2026, Siro et al., 2023).
1. Definition and threat model
In code-oriented work, adversarial identifier renaming is usually framed as a black-box or query-based attack in which the adversary can modify identifier tokens while preserving syntax and semantics. The perturbation is often restricted to variables, parameters, methods, and classes, and it is commonly combined with collision checks or AST-based rewriting so that dataflow and control flow are not changed by accidental rebinding. One representative threat model assumes that the adversary can query a detector model , observe predicted probabilities, and manipulate code via Tree-sitter and hand-crafted transformation rules, but cannot access gradients or internal parameters (Yin et al., 17 Jul 2025).
The central rationale is that identifier names carry a dual role. They are useful semantic cues, because names such as sort, sum, user, or password often correlate with program intent, but they are also a source of spurious shortcuts, because a model may overfit to lexical regularities that are only contingently correlated with the label. This duality is explicit in the causal account developed for code comprehension: naming information contributes both a misleading direct path and a helpful indirect path through combined structural-semantic representations , while non-naming information supports a robust path (Gao et al., 2022).
A recurring misconception is that identifier renaming merely “removes information.” The recent obfuscation literature distinguishes plain renaming from adversarial renaming. In the latter, names are not simply shortened or anonymized; they are replaced with semantically meaningful but misleading names in the new context, producing what one study terms semantic mis-framing. This distinction is central to the versus tiers used for human–LLM comprehension studies, where removes semantic cues and injects incorrect ones (Le et al., 30 Jun 2026).
2. Attack construction and search procedures
The technical literature has converged on a small set of reusable design patterns: identify influential identifiers, choose natural replacements, preserve scope and semantics, and search efficiently over the resulting discrete space. Earlier attacks such as ALERT, MOAA, MHM, WIR-Random, and Beam-Attack emphasize identifier substitution, often with greedy, genetic, or sampling-based search; later work integrates identifier renaming with structural transformations or naturalness-aware evaluation (Tian et al., 2023, Mu et al., 28 Apr 2025).
| Method family | Core mechanism | Main constraints |
|---|---|---|
| MIST | Multi-objective genetic algorithm over identifier and structure transformations | Semantic distance, edit distance, syntax and functional equivalence by construction |
| CODA | Code-difference-guided reference selection, then EST + IRT | Reference-derived candidate pool, collision avoidance, semantic similarity |
| ALERT / MOAA / MHM / WIR / Beam-Attack | Identifier substitution via greedy, GA, MCMC, ranking, or beam search | Semantics-preserving renaming, varying naturalness control |
| EP-Shield setting | Evaluates identifier-substitution attacks rather than generating them | Naturalness-aware detection and purification |
A particularly explicit formulation appears in MIST, the adversarial generator used for CodeGPTSensor+. For a candidate 0, it minimizes three objectives simultaneously: adversarial loss 1, semantic distance 2, and edit distance 3. The identifier-selection stage computes an importance score
4
where 5 masks all occurrences of identifier 6 with <UNK>. Sampling then prioritizes identifiers with larger 7, directly targeting the names on which the detector depends most. Replacement names are produced by masking the target identifier with CodeT5’s <extra_id_0>, generating top-8 candidates with 9, and sampling a valid, non-colliding name from that set (Yin et al., 17 Jul 2025).
CODA constrains the search space differently. Rather than selecting from “all valid identifier names,” it constructs a reference-conditioned candidate pool. If 0 is the identifier set of the target program and 1 is the identifier set drawn from similar reference inputs in the second-most probable class, the identifier-renaming space is reduced to
2
Pairs 3 are ranked by FastText cosine similarity, and renamings are applied iteratively with model queries used only to test success. CODA also pairs renaming with equivalent structure transformations over loops, branches, calculations, and constants, thereby shrinking the search space while preserving naturalness and semantics (Tian et al., 2023).
This suggests that adversarial identifier renaming is best understood as constrained search over a semantics-preserving manifold rather than as random lexical corruption. The strongest attacks do not maximize perturbation size; they optimize for small, plausible, targeted changes.
3. Effects on code understanding, detection, and comprehension
The empirical picture is consistent across tasks: many code models are highly sensitive to identifier names. In one function-naming example, renaming only the parameter arr to f changes the prediction of NCS from "sort" to "open" with no semantic change to the program. Across transformed test sets produced by random semantics-preserving renaming, average F1 drops by approximately 4 in function naming, and substantial degradation also appears in defect detection and code classification (Gao et al., 2022).
The same vulnerability appears in provenance detection for LLM-generated code. A motivating example for CodeGPTSensor+ shows that extremely mild edits such as renaming j to n, or changing for to while, are sufficient to flip CodeGPTSensor from “LLM-generated” to “human-written” with 5 confidence. On adversarial test sets generated by MIST, the original detector collapses: on HMCorp-Java-adv, CodeGPTSensor has Accuracy 6 and F1 7, while on HMCorp-Python-adv it has Accuracy 8 and F1 9 (Yin et al., 17 Jul 2025).
Human–LLM comprehension studies sharpen the phenomenon by separating simple renaming from adversarial mis-framing. Under the 0 tier, misleading names degrade several reasoning-tuned models relative to ordinary renaming: for example, DS-R1-Qwen-7B drops from 1 at 2 to 3 at 4, SmolLM3-3B from 5 to 6, and Llama-3.1-8B from 7 to 8. The mechanism is not only lower accuracy but altered calibration. With high semantic displacement, confidence–accuracy relations become non-monotonic, and high-confidence incorrect answers rise when semantic displacement and identifier spikes co-occur (Le et al., 30 Jun 2026).
A second misconception is that confidence reliably tracks correctness under renaming. The obfuscation results show the opposite: adversarial renaming can produce high-confidence wrong answers, but only in a localized regime where semantic displacement and identifier-level interference occur together. This marks the failure as an atom-level comprehension problem rather than a global collapse of control-flow reasoning (Le et al., 30 Jun 2026).
4. Defensive strategies
Current defenses fall into three main families: adversarial training, causal/counterfactual suppression of direct naming effects, and naturalness-aware evaluate-and-purify pipelines. Each addresses a different aspect of the identifier channel.
Adversarial training is exemplified by CodeGPTSensor+. The training pipeline first trains a baseline detector on HMCorp, then attacks a randomly selected 9 subset of the training data with MIST, retains the first successful adversarial sample or the one with minimal adversarial loss, and builds an augmented set 0 containing 1 original samples and 2 adversarial samples. Fine-tuning on 3 preserves original-test performance while sharply improving adversarial robustness: on Java-adv, CodeGPTSensor+ reaches Accuracy 4 and F1 5; on Python-adv, Accuracy 6 and F1 7, with original-set performance essentially unchanged (Yin et al., 17 Jul 2025).
Causal defense is developed in CREAM. Its premise is that robustness requires suppressing the direct naming shortcut 8 without discarding the helpful interaction between names and structure. CREAM constructs three branches—non-naming 9, naming 0, and combined 1—and at inference uses the corrected logits
2
This counterfactual-style correction reduces the direct naming effect while keeping identifier semantics available in context. The empirical result is improved robustness to transformed test sets and to black-box attacks such as ALERT and MHM-NS. For example, on CodeBERT, ALERT’s attack success rate in defect detection falls from 3 to 4, and in code classification from 5 to 6 (Gao et al., 2022).
Naturalness-aware defense is represented by EP-Shield. Its starting point is that many successful identifier-substitution attacks remain detectable because they violate human coding conventions. Using GPT-4 as a judge, the work reports that over 7 of adversarial examples generated by state-of-the-art identifier substitution attackers such as ALERT are actually detectable, and that the overall weighted average Naturalness Evaluation Score for ALERT is 8 out of 9. EP-Shield then fine-tunes a 7B model to score naturalness and purify adversarial code by renaming identifiers back to more plausible forms. Against adversarial fine-tuning, EP-Shield reports up to 0 improvement and near-GPT-4 purification performance (Mu et al., 28 Apr 2025).
These defenses encode different invariances. Adversarial training teaches explicit robustness to targeted perturbation distributions; causal suppression reduces reliance on direct lexical shortcuts; evaluate-and-purify treats unnatural naming as a detectable artifact. A plausible implication is that robust systems may need all three properties simultaneously: exposure to strong attacks, architectural control over naming pathways, and a naturalness prior.
5. Deobfuscation, recovery, and poisoned naming channels
Identifier renaming is not only an attack on predictive models; it is also central to reverse engineering and deobfuscation. DIRE addresses the benign inverse problem: recovering semantically meaningful variable names from stripped binaries. It combines lexical and structural information recovered by Hex-Rays, including a bidirectional LSTM over tokenized decompiled code and a GGNN over an augmented AST with supernodes linking all occurrences of the same variable. On a corpus of 1 unique x86-64 binaries compiled from GitHub C projects, DIRE predicts variable names identical to the original source names up to 2 of the time (Lacomis et al., 2019).
This restoration setting has now acquired an adversarial variant. A case study on Claude Opus 4.6 investigates “poisoned identifiers” in JavaScript string tables: names decoded from obfuscated code that are intentionally wrong for the underlying semantics. Across 3 inference runs on force-directed graph simulation and A* pathfinding, poisoned names persisted in every baseline run on both artifacts, summarized as physics 4 and pathfinding 5. In 6 runs, the model wrote wrong variable names while correctly describing the real operation in comments, producing a dual-representation pattern in which identifier names were wrong but semantic commentary was right (Lorenzo, 5 Apr 2026).
The most striking result concerns prompt framing. Explicit verification prompts had no effect, reported as 7 across four variants. By contrast, reframing from “deobfuscate this” to “write a fresh implementation” reduced propagation from 8 to 9-0 on the physics artifact and to 1 on pathfinding, while preserving checked algorithmic structure. This suggests that deobfuscation prompts can induce a translation-like faithfulness to attacker-supplied lexical material, whereas generation prompts encourage regeneration from inferred semantics (Lorenzo, 5 Apr 2026).
The deobfuscation results complicate a common assumption that better semantic understanding automatically corrects bad names. They show that a model can understand the algorithm and still preserve poisoned identifiers in code blocks. In that sense, adversarial identifier renaming can survive even when comprehension does not fail.
6. Evaluation practices, broader analogies, and open problems
Robust evaluation now requires adversarially renamed test sets rather than clean accuracy alone. This is explicit in code-detection work, where detectors that appear strong on unmodified code can fail almost completely on HMCorp-adv, and in code-comprehension work, where transformed test sets and black-box attack success rates reveal vulnerabilities that are not visible on original splits (Yin et al., 17 Jul 2025, Gao et al., 2022). Metrics used across the literature include Attack Success Rate, Average Model Queries, Identifier Change Rate, Semantic Distance, Edit Distance, Naturalness Evaluation Score, High-Confidence Incorrect, and Identifier Spike Fraction (Tian et al., 2023, Mu et al., 28 Apr 2025, Le et al., 30 Jun 2026).
A second broad lesson is that identifiers should not simply be abstracted away. Full identifier abstraction can significantly hurt performance: in one study, function-naming F1 drops by 2 for Java and 3 for Python when identifiers are abstracted to placeholders. The field therefore rejects the view that robustness is achieved by ignoring names; instead, the more successful approaches either separate helpful from misleading naming effects or train models to become invariant to realistic renamings while retaining contextual semantics (Gao et al., 2022).
The robustness question also extends beyond code. In machine reading comprehension, EntSwap creates AfriSQuAD2 by renaming entities in SQuAD2.0 with African-origin names while preserving answer structure. All tested QA models suffer a performance drop on the renamed set, and person entities are reported as particularly challenging. This is not identifier renaming in the programming-language sense, but it is a closely related invariance test: predictions should remain stable under semantics-preserving changes to surface names (Siro et al., 2023).
Open problems are recurrent and concrete. MIST covers identifier renaming and a limited set of structural equivalence rules, but not larger refactorings, external library substitutions, or broad statement reordering (Yin et al., 17 Jul 2025). CREAM improves robustness but does not eliminate black-box attack success (Gao et al., 2022). EP-Shield’s results imply that future attackers may optimize naturalness more carefully, reducing the detectability of adversarial code (Mu et al., 28 Apr 2025). Deobfuscation studies are presently limited to two JavaScript archetypes and one primary model family, so broader generalization remains to be established (Lorenzo, 5 Apr 2026).
Taken together, the literature treats adversarial identifier renaming as a foundational robustness problem for code intelligence. It sits at the intersection of lexical semantics, causal shortcut learning, program equivalence, search over constrained discrete spaces, and human-comprehension effects. The most durable insight is not that names are unreliable, but that models must learn when names should be trusted, when they should be discounted, and when they must be actively repaired.