Most attacks on NLP models work by finding a perturbation tailored to a specific input: a few word substitutions that flip a sentiment classifier on one particular review, or a paraphrase that breaks a textual entailment model on one particular sentence. These attacks are powerful but narrow. They exploit the model’s behavior on a specific input rather than something fundamental about its parameters.

The more unsettling question is whether you can find a universal trigger, a short sequence of tokens that, when prepended to any input, drives the model toward a target class, without ever seeing a single training example. Just the model itself.

That’s what MINIMAL (Mining Models for Universal Adversarial Triggers) is about, and the answer turns out to be yes.

The Setup

Previous work on universal adversarial triggers (UATs), most notably the paper by Wallace et al., assumed access to a dataset. You need examples to evaluate the trigger against. You need to know what the model outputs on real inputs to know whether your trigger is working. It’s a reasonable assumption in a research setting, but it narrows the threat model considerably.

MINIMAL removes that assumption entirely. Given only model parameters and random token initialization, we mine triggers that generalize across arbitrary inputs.

The mechanism exploits something that should make anyone who trains language models a little uncomfortable: the gradient signal from the model’s own parameters, computed with respect to a target label, is rich enough to discover adversarial structure without any external data. The model has effectively memorized the shape of its own decision boundaries, and those boundaries are accessible without the data that carved them.

What Happens in Practice

On the Stanford Sentiment Treebank, a single 5-token trigger reduced positive-class accuracy from 93.6% to 9.6%. Prepend those five tokens to any review, a glowing five-star restaurant critique, a heartfelt book recommendation, anything, and the classifier confidently calls it negative.

On SNLI (natural language inference), a single trigger reduced entailment-class accuracy from 90.95% to below 0.6%.

These aren’t subtle improvements over data-dependent baselines. They’re roughly matching them, from zero data.

Why This Is the Scary Result

There’s a tempting way to downplay adversarial attacks on NLP models: require that the attacker have substantial access to training data. Data is an expensive, controlled resource. An attacker without the training set is, on this view, operating with at least some handicap.

MINIMAL eliminates that handicap. The attack surface is the model itself: the weights that are often distributed, downloaded, served via API, or extracted through repeated queries. In a world where fine-tuned models are routinely shared on model hubs, the trigger is derivable from the artifact millions of people already have.

The deeper issue is what this reveals about how language models encode their tasks. A model trained on sentiment should, in some idealized sense, have distributed its task knowledge across enough parameters that no small token sequence could uniformly hijack it. Instead, the geometry of the parameter space contains concentrated adversarial structure, choke points where a short, fixed input can override everything else the model has learned. That’s a property of the training dynamics, not just the specific model. We found it across multiple architectures and datasets.

What This Means Going Forward

The obvious defense is adversarial training against data-free triggers. We evaluated several filtering-based defenses and found they trade too much clean accuracy to be practical. The more promising direction is regularization during pre-training: penalizing the formation of the concentrated parameter geometry that makes data-free mining possible in the first place. That’s a harder problem, but it’s the right one to be working on.

There’s also a methodological point worth making: if you’re evaluating the robustness of a language model, running only data-dependent attack baselines will give you an overly optimistic picture. The attack surface extends past your dataset.

The code is available here and the paper is at AAAI 2022.