Papers
Topics
Authors
Recent
Search
2000 character limit reached

Adversarial Identifier Renaming

Updated 6 July 2026
  • Adversarial identifier renaming is the targeted modification of program identifiers, preserving syntax and semantics to mislead code models.
  • It employs search techniques, genetic algorithms, and AST-based transformations to introduce minimal yet natural changes that significantly alter model predictions.
  • Robust defenses such as adversarial training, causal suppression, and naturalness-based purification are being developed to counter these attacks while maintaining code integrity.

Searching arXiv for the cited works and closely related identifier-renaming research. Adversarial identifier renaming is the deliberate, semantics-preserving modification of identifier names—such as variables, functions, classes, or other user-defined symbols—to change a model’s prediction, evade a detector, or induce a misleading interpretation without altering underlying program behavior. In the contemporary literature, it is treated not as arbitrary obfuscation but as a constrained perturbation channel: the modified code is expected to remain functionally equivalent, syntactically correct and compilable, small in edit magnitude, and natural-looking to humans. The topic now spans neural code comprehension, LLM-generated code detection, code-language-model security, deobfuscation, and adjacent robustness work on entity renaming in question answering (Yin et al., 17 Jul 2025, Gao et al., 2022, Mu et al., 28 Apr 2025, Lorenzo, 5 Apr 2026, Siro et al., 2023).

1. Definition and threat model

In code-oriented work, adversarial identifier renaming is usually framed as a black-box or query-based attack in which the adversary can modify identifier tokens while preserving syntax and semantics. The perturbation is often restricted to variables, parameters, methods, and classes, and it is commonly combined with collision checks or AST-based rewriting so that dataflow and control flow are not changed by accidental rebinding. One representative threat model assumes that the adversary can query a detector model MM, observe predicted probabilities, and manipulate code via Tree-sitter and hand-crafted transformation rules, but cannot access gradients or internal parameters (Yin et al., 17 Jul 2025).

The central rationale is that identifier names carry a dual role. They are useful semantic cues, because names such as sort, sum, user, or password often correlate with program intent, but they are also a source of spurious shortcuts, because a model may overfit to lexical regularities that are only contingently correlated with the label. This duality is explicit in the causal account developed for code comprehension: naming information TT contributes both a misleading direct path TRT \rightarrow R and a helpful indirect path through combined structural-semantic representations TKRT \rightarrow K \rightarrow R, while non-naming information FF supports a robust path FRF \rightarrow R (Gao et al., 2022).

A recurring misconception is that identifier renaming merely “removes information.” The recent obfuscation literature distinguishes plain renaming from adversarial renaming. In the latter, names are not simply shortened or anonymized; they are replaced with semantically meaningful but misleading names in the new context, producing what one study terms semantic mis-framing. This distinction is central to the L1L1 versus L1bL1b tiers used for human–LLM comprehension studies, where L1L1 removes semantic cues and L1bL1b injects incorrect ones (Le et al., 30 Jun 2026).

2. Attack construction and search procedures

The technical literature has converged on a small set of reusable design patterns: identify influential identifiers, choose natural replacements, preserve scope and semantics, and search efficiently over the resulting discrete space. Earlier attacks such as ALERT, MOAA, MHM, WIR-Random, and Beam-Attack emphasize identifier substitution, often with greedy, genetic, or sampling-based search; later work integrates identifier renaming with structural transformations or naturalness-aware evaluation (Tian et al., 2023, Mu et al., 28 Apr 2025).

Method family Core mechanism Main constraints
MIST Multi-objective genetic algorithm over identifier and structure transformations Semantic distance, edit distance, syntax and functional equivalence by construction
CODA Code-difference-guided reference selection, then EST + IRT Reference-derived candidate pool, collision avoidance, semantic similarity
ALERT / MOAA / MHM / WIR / Beam-Attack Identifier substitution via greedy, GA, MCMC, ranking, or beam search Semantics-preserving renaming, varying naturalness control
EP-Shield setting Evaluates identifier-substitution attacks rather than generating them Naturalness-aware detection and purification

A particularly explicit formulation appears in MIST, the adversarial generator used for CodeGPTSensor+. For a candidate TT0, it minimizes three objectives simultaneously: adversarial loss TT1, semantic distance TT2, and edit distance TT3. The identifier-selection stage computes an importance score

TT4

where TT5 masks all occurrences of identifier TT6 with <UNK>. Sampling then prioritizes identifiers with larger TT7, directly targeting the names on which the detector depends most. Replacement names are produced by masking the target identifier with CodeT5’s <extra_id_0>, generating top-TT8 candidates with TT9, and sampling a valid, non-colliding name from that set (Yin et al., 17 Jul 2025).

CODA constrains the search space differently. Rather than selecting from “all valid identifier names,” it constructs a reference-conditioned candidate pool. If TRT \rightarrow R0 is the identifier set of the target program and TRT \rightarrow R1 is the identifier set drawn from similar reference inputs in the second-most probable class, the identifier-renaming space is reduced to

TRT \rightarrow R2

Pairs TRT \rightarrow R3 are ranked by FastText cosine similarity, and renamings are applied iteratively with model queries used only to test success. CODA also pairs renaming with equivalent structure transformations over loops, branches, calculations, and constants, thereby shrinking the search space while preserving naturalness and semantics (Tian et al., 2023).

This suggests that adversarial identifier renaming is best understood as constrained search over a semantics-preserving manifold rather than as random lexical corruption. The strongest attacks do not maximize perturbation size; they optimize for small, plausible, targeted changes.

3. Effects on code understanding, detection, and comprehension

The empirical picture is consistent across tasks: many code models are highly sensitive to identifier names. In one function-naming example, renaming only the parameter arr to f changes the prediction of NCS from "sort" to "open" with no semantic change to the program. Across transformed test sets produced by random semantics-preserving renaming, average F1 drops by approximately TRT \rightarrow R4 in function naming, and substantial degradation also appears in defect detection and code classification (Gao et al., 2022).

The same vulnerability appears in provenance detection for LLM-generated code. A motivating example for CodeGPTSensor+ shows that extremely mild edits such as renaming j to n, or changing for to while, are sufficient to flip CodeGPTSensor from “LLM-generated” to “human-written” with TRT \rightarrow R5 confidence. On adversarial test sets generated by MIST, the original detector collapses: on HMCorp-Java-adv, CodeGPTSensor has Accuracy TRT \rightarrow R6 and F1 TRT \rightarrow R7, while on HMCorp-Python-adv it has Accuracy TRT \rightarrow R8 and F1 TRT \rightarrow R9 (Yin et al., 17 Jul 2025).

Human–LLM comprehension studies sharpen the phenomenon by separating simple renaming from adversarial mis-framing. Under the TKRT \rightarrow K \rightarrow R0 tier, misleading names degrade several reasoning-tuned models relative to ordinary renaming: for example, DS-R1-Qwen-7B drops from TKRT \rightarrow K \rightarrow R1 at TKRT \rightarrow K \rightarrow R2 to TKRT \rightarrow K \rightarrow R3 at TKRT \rightarrow K \rightarrow R4, SmolLM3-3B from TKRT \rightarrow K \rightarrow R5 to TKRT \rightarrow K \rightarrow R6, and Llama-3.1-8B from TKRT \rightarrow K \rightarrow R7 to TKRT \rightarrow K \rightarrow R8. The mechanism is not only lower accuracy but altered calibration. With high semantic displacement, confidence–accuracy relations become non-monotonic, and high-confidence incorrect answers rise when semantic displacement and identifier spikes co-occur (Le et al., 30 Jun 2026).

A second misconception is that confidence reliably tracks correctness under renaming. The obfuscation results show the opposite: adversarial renaming can produce high-confidence wrong answers, but only in a localized regime where semantic displacement and identifier-level interference occur together. This marks the failure as an atom-level comprehension problem rather than a global collapse of control-flow reasoning (Le et al., 30 Jun 2026).

4. Defensive strategies

Current defenses fall into three main families: adversarial training, causal/counterfactual suppression of direct naming effects, and naturalness-aware evaluate-and-purify pipelines. Each addresses a different aspect of the identifier channel.

Adversarial training is exemplified by CodeGPTSensor+. The training pipeline first trains a baseline detector on HMCorp, then attacks a randomly selected TKRT \rightarrow K \rightarrow R9 subset of the training data with MIST, retains the first successful adversarial sample or the one with minimal adversarial loss, and builds an augmented set FF0 containing FF1 original samples and FF2 adversarial samples. Fine-tuning on FF3 preserves original-test performance while sharply improving adversarial robustness: on Java-adv, CodeGPTSensor+ reaches Accuracy FF4 and F1 FF5; on Python-adv, Accuracy FF6 and F1 FF7, with original-set performance essentially unchanged (Yin et al., 17 Jul 2025).

Causal defense is developed in CREAM. Its premise is that robustness requires suppressing the direct naming shortcut FF8 without discarding the helpful interaction between names and structure. CREAM constructs three branches—non-naming FF9, naming FRF \rightarrow R0, and combined FRF \rightarrow R1—and at inference uses the corrected logits

FRF \rightarrow R2

This counterfactual-style correction reduces the direct naming effect while keeping identifier semantics available in context. The empirical result is improved robustness to transformed test sets and to black-box attacks such as ALERT and MHM-NS. For example, on CodeBERT, ALERT’s attack success rate in defect detection falls from FRF \rightarrow R3 to FRF \rightarrow R4, and in code classification from FRF \rightarrow R5 to FRF \rightarrow R6 (Gao et al., 2022).

Naturalness-aware defense is represented by EP-Shield. Its starting point is that many successful identifier-substitution attacks remain detectable because they violate human coding conventions. Using GPT-4 as a judge, the work reports that over FRF \rightarrow R7 of adversarial examples generated by state-of-the-art identifier substitution attackers such as ALERT are actually detectable, and that the overall weighted average Naturalness Evaluation Score for ALERT is FRF \rightarrow R8 out of FRF \rightarrow R9. EP-Shield then fine-tunes a 7B model to score naturalness and purify adversarial code by renaming identifiers back to more plausible forms. Against adversarial fine-tuning, EP-Shield reports up to L1L10 improvement and near-GPT-4 purification performance (Mu et al., 28 Apr 2025).

These defenses encode different invariances. Adversarial training teaches explicit robustness to targeted perturbation distributions; causal suppression reduces reliance on direct lexical shortcuts; evaluate-and-purify treats unnatural naming as a detectable artifact. A plausible implication is that robust systems may need all three properties simultaneously: exposure to strong attacks, architectural control over naming pathways, and a naturalness prior.

5. Deobfuscation, recovery, and poisoned naming channels

Identifier renaming is not only an attack on predictive models; it is also central to reverse engineering and deobfuscation. DIRE addresses the benign inverse problem: recovering semantically meaningful variable names from stripped binaries. It combines lexical and structural information recovered by Hex-Rays, including a bidirectional LSTM over tokenized decompiled code and a GGNN over an augmented AST with supernodes linking all occurrences of the same variable. On a corpus of L1L11 unique x86-64 binaries compiled from GitHub C projects, DIRE predicts variable names identical to the original source names up to L1L12 of the time (Lacomis et al., 2019).

This restoration setting has now acquired an adversarial variant. A case study on Claude Opus 4.6 investigates “poisoned identifiers” in JavaScript string tables: names decoded from obfuscated code that are intentionally wrong for the underlying semantics. Across L1L13 inference runs on force-directed graph simulation and A* pathfinding, poisoned names persisted in every baseline run on both artifacts, summarized as physics L1L14 and pathfinding L1L15. In L1L16 runs, the model wrote wrong variable names while correctly describing the real operation in comments, producing a dual-representation pattern in which identifier names were wrong but semantic commentary was right (Lorenzo, 5 Apr 2026).

The most striking result concerns prompt framing. Explicit verification prompts had no effect, reported as L1L17 across four variants. By contrast, reframing from “deobfuscate this” to “write a fresh implementation” reduced propagation from L1L18 to L1L19-L1bL1b0 on the physics artifact and to L1bL1b1 on pathfinding, while preserving checked algorithmic structure. This suggests that deobfuscation prompts can induce a translation-like faithfulness to attacker-supplied lexical material, whereas generation prompts encourage regeneration from inferred semantics (Lorenzo, 5 Apr 2026).

The deobfuscation results complicate a common assumption that better semantic understanding automatically corrects bad names. They show that a model can understand the algorithm and still preserve poisoned identifiers in code blocks. In that sense, adversarial identifier renaming can survive even when comprehension does not fail.

6. Evaluation practices, broader analogies, and open problems

Robust evaluation now requires adversarially renamed test sets rather than clean accuracy alone. This is explicit in code-detection work, where detectors that appear strong on unmodified code can fail almost completely on HMCorp-adv, and in code-comprehension work, where transformed test sets and black-box attack success rates reveal vulnerabilities that are not visible on original splits (Yin et al., 17 Jul 2025, Gao et al., 2022). Metrics used across the literature include Attack Success Rate, Average Model Queries, Identifier Change Rate, Semantic Distance, Edit Distance, Naturalness Evaluation Score, High-Confidence Incorrect, and Identifier Spike Fraction (Tian et al., 2023, Mu et al., 28 Apr 2025, Le et al., 30 Jun 2026).

A second broad lesson is that identifiers should not simply be abstracted away. Full identifier abstraction can significantly hurt performance: in one study, function-naming F1 drops by L1bL1b2 for Java and L1bL1b3 for Python when identifiers are abstracted to placeholders. The field therefore rejects the view that robustness is achieved by ignoring names; instead, the more successful approaches either separate helpful from misleading naming effects or train models to become invariant to realistic renamings while retaining contextual semantics (Gao et al., 2022).

The robustness question also extends beyond code. In machine reading comprehension, EntSwap creates AfriSQuAD2 by renaming entities in SQuAD2.0 with African-origin names while preserving answer structure. All tested QA models suffer a performance drop on the renamed set, and person entities are reported as particularly challenging. This is not identifier renaming in the programming-language sense, but it is a closely related invariance test: predictions should remain stable under semantics-preserving changes to surface names (Siro et al., 2023).

Open problems are recurrent and concrete. MIST covers identifier renaming and a limited set of structural equivalence rules, but not larger refactorings, external library substitutions, or broad statement reordering (Yin et al., 17 Jul 2025). CREAM improves robustness but does not eliminate black-box attack success (Gao et al., 2022). EP-Shield’s results imply that future attackers may optimize naturalness more carefully, reducing the detectability of adversarial code (Mu et al., 28 Apr 2025). Deobfuscation studies are presently limited to two JavaScript archetypes and one primary model family, so broader generalization remains to be established (Lorenzo, 5 Apr 2026).

Taken together, the literature treats adversarial identifier renaming as a foundational robustness problem for code intelligence. It sits at the intersection of lexical semantics, causal shortcut learning, program equivalence, search over constrained discrete spaces, and human-comprehension effects. The most durable insight is not that names are unreliable, but that models must learn when names should be trusted, when they should be discounted, and when they must be actively repaired.

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Adversarial Identifier Renaming.