Harder to Defend: Towards Chinese Toxicity Attacks via Implicit Enhancement and Obfuscation Rewriting

· Source: Computation and Language · Field: Technology & Digital — Artificial Intelligence & Machine Learning, Cybersecurity & Data Privacy · Depth: Expert, quick

Summary

The Chinese Implicit Toxicity Attack (CITA) framework addresses the underexplored challenge of evaluating and defending against implicit and obfuscated toxicity in Chinese language models. Introduced as a controlled red-team evaluation and defense-data generation tool, CITA is not a deployable evasion mechanism. It operates in three stages: Harmful Intent Learning, Implicit Toxicity Enhancement, and Obfuscation Variant Rewriting, designed to maintain harmful intent while increasing implicitness and generating diverse surface variants. Evaluation using CITA-generated samples revealed that seven tested detectors exhibited an average Attack Success Rate (ASR) of 69.48%, highlighting significant missed-detection risks. Human assessments corroborated the preserved harmfulness and enhanced evasiveness. Furthermore, CITA-generated data successfully fine-tuned a Chinese Implicit Toxicity Defense (CITD) model, demonstrating its utility in improving model robustness.

Key takeaway

For AI Security Engineers developing toxicity detection systems for Chinese language models, you must recognize that current explicit-word-based evaluations are insufficient. The CITA framework demonstrates that implicit and obfuscated toxicity can achieve a 69.48% attack success rate against existing detectors. You should integrate CITA-like red-teaming to generate robust defense data and fine-tune your models, significantly improving their resilience against sophisticated, evasive attacks.

Key insights

Chinese implicit toxicity, combining indirectness and obfuscation, presents a major challenge for LLM detectors, with CITA revealing high missed-detection rates.

Principles

Method

The CITA framework generates red-team data via three stages: Harmful Intent Learning, Implicit Toxicity Enhancement, and Obfuscation Variant Rewriting, preserving harmful intent, increasing implicitness, and adding controlled surface variants.

In practice

Topics

Best for: NLP Engineer, Research Scientist, AI Scientist, Machine Learning Engineer, AI Security Engineer

Related on AIssential

Open in AIssential →

Editorial summary, takeaway, and curation by AIssential. Original article published by Computation and Language.