QData
diff --git a/‎README.md‎
Lines changed: 47 additions & 52 deletions b/‎README.md‎
Lines changed: 47 additions & 52 deletions
diff --git a/‎docs/1start/attacks4Components.md‎
Lines changed: 19 additions & 23 deletions b/‎docs/1start/attacks4Components.md‎
Lines changed: 19 additions & 23 deletions
diff --git a/‎docs/3recipes/attack_recipes.rst‎
Lines changed: 11 additions & 0 deletions b/‎docs/3recipes/attack_recipes.rst‎
Lines changed: 11 additions & 0 deletions
diff --git a/‎docs/3recipes/attack_recipes_cmd.md‎
Lines changed: 23 additions & 10 deletions b/‎docs/3recipes/attack_recipes_cmd.md‎
Lines changed: 23 additions & 10 deletions
diff --git a/‎docs/api/goal_functions.rst‎
Lines changed: 25 additions & 0 deletions b/‎docs/api/goal_functions.rst‎
Lines changed: 25 additions & 0 deletions
diff --git a/‎docs/api/search_methods.rst‎
Lines changed: 5 additions & 0 deletions b/‎docs/api/search_methods.rst‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎docs/apidoc/textattack.attack_recipes.rst‎
Lines changed: 26 additions & 1 deletion b/‎docs/apidoc/textattack.attack_recipes.rst‎
Lines changed: 26 additions & 1 deletion
diff --git a/‎docs/apidoc/textattack.attack_results.rst‎
Lines changed: 2 additions & 1 deletion b/‎docs/apidoc/textattack.attack_results.rst‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎docs/apidoc/textattack.augmentation.rst‎
Lines changed: 2 additions & 1 deletion b/‎docs/apidoc/textattack.augmentation.rst‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎docs/apidoc/textattack.commands.rst‎
Lines changed: 2 additions & 1 deletion b/‎docs/apidoc/textattack.commands.rst‎
Lines changed: 2 additions & 1 deletion
@@ -1,20 +1,15 @@
-Four Components of TextAttack Attacks
-========================================
-
-To unify adversarial attack methods into one system, We formulate an attack as consisting of four components: a **goal function** which determines if the attack has succeeded, **constraints** defining which perturbations are valid, a **transformation** that generates potential modifications given an input, and a **search method** which traverses through the search space of possible perturbations.  The attack attempts to perturb an input text such that the model output fulfills the goal function (i.e., indicating whether the attack is successful) and the perturbation adheres to the set of constraints (e.g., grammar constraint, semantic similarity constraint). A search method is used to find a sequence of transformations that produce a successful adversarial example.
-
+# Four Components of TextAttack Attacks
 
+To unify adversarial attack methods into one system, We formulate an attack as consisting of four components: a **goal function** which determines if the attack has succeeded, **constraints** defining which perturbations are valid, a **transformation** that generates potential modifications given an input, and a **search method** which traverses through the search space of possible perturbations. The attack attempts to perturb an input text such that the model output fulfills the goal function (i.e., indicating whether the attack is successful) and the perturbation adheres to the set of constraints (e.g., grammar constraint, semantic similarity constraint). A search method is used to find a sequence of transformations that produce a successful adversarial example.
 
 This modular design enables us to easily assemble attacks from the literature while re-using components that are shared across attacks. TextAttack provides clean, readable implementations of 16 adversarial attacks from the literature. For the first time, these attacks can be benchmarked, compared, and analyzed in a standardized setting.
 
-
 - Two examples showing four components of two SOTA attacks
-![two-categorized-attacks](/_static/imgs/intro/01-categorized-attacks.png)
+  ![two-categorized-attacks](/_static/imgs/intro/01-categorized-attacks.png)
 
+- You can create one new attack (in one line of code!!!) from composing members of four components we proposed, for instance:
 
-- You can create one new attack (in one line of code!!!) from composing members of four components we proposed, for instance: 
-
-```bash 
+```bash
 # Shows how to build an attack from components and use it on a pre-trained model on the Yelp dataset.
 textattack attack --attack-n --model bert-base-uncased-yelp --num-examples 8 \
     --goal-function untargeted-classification \
@@ -39,27 +34,20 @@ A `Transformation` takes as input an `AttackedText` and returns a list of possib
 
 A `SearchMethod` takes as input an initial `GoalFunctionResult` and returns a final `GoalFunctionResult` The search is given access to the `get_transformations` function, which takes as input an `AttackedText` object and outputs a list of possible transformations filtered by meeting all of the attack’s constraints. A search consists of successive calls to `get_transformations` until the search succeeds (determined using `get_goal_results`) or is exhausted.
 
-
-
 ### On Benchmarking Attack Recipes
 
-- Please read our analysis paper: Searching for a Search Method: Benchmarking Search Algorithms for Generating NLP Adversarial Examples at [EMNLP BlackBoxNLP](https://arxiv.org/abs/2009.06368). 
-
-- As we emphasized in the above paper, we don't recommend to directly compare Attack Recipes out of the box. 
-
-- This is due to that attack recipes in the recent literature used different ways or thresholds in setting up their constraints. Without the constraint space held constant, an increase in attack success rate could come from an improved search or a better transformation method or a less restrictive search space. 
-
+- Please read our analysis paper: Searching for a Search Method: Benchmarking Search Algorithms for Generating NLP Adversarial Examples at [EMNLP BlackBoxNLP](https://arxiv.org/abs/2009.06368).
 
+- As we emphasized in the above paper, we don't recommend to directly compare Attack Recipes out of the box.
 
-### Four components in Attack Recipes we have implemented 
+- This is due to that attack recipes in the recent literature used different ways or thresholds in setting up their constraints. Without the constraint space held constant, an increase in attack success rate could come from an improved search or a better transformation method or a less restrictive search space.
 
+### Four components in Attack Recipes we have implemented
 
 - TextAttack provides clean, readable implementations of 16 adversarial attacks from the literature.
 
 - To run an attack recipe: `textattack attack --recipe [recipe_name]`
 
-
-
 <table  style="width:100%" border="1">
 <thead>
 <tr class="header">
@@ -224,13 +212,21 @@ A `SearchMethod` takes as input an initial `GoalFunctionResult` and returns a fi
 <td ><sub>Greedy attack with goal of changing every word in the output translation. Currently implemented as black-box with plans to change to white-box as done in paper (["Seq2Sick: Evaluating the Robustness of Sequence-to-Sequence Models with Adversarial Examples" (Cheng et al., 2018)](https://arxiv.org/abs/1803.01128)) </sub>  </td>
 </tr>
 
+<tr><td style="text-align: center;" colspan="6"><strong><br>General: <br></strong></td></tr>
+
+<tr class="odd">
+<td style="text-align: left;"><code>bad-characters</code> <span class="citation" data-cites=""></span></td>
+<td style="text-align: left;"><sub>TargetedClassification, TargetedStrict, TargetedBonus, NamedEntityRecognition, LogitSum, MinimizeBleu, MaximizeLevenshtein</sub></td>
+<td style="text-align: left;"></td>
+<td style="text-align: left;"><sub>(Homoglyph, Invisible Characters, Reorderings, Deletions) Word Swap</sub></td>
+<td style="text-align: left;"><sub>DifferentialEvolution</sub></td>
+<td><sub>Uses imperceptible character-level perturbations including homoglyph substitutions, Unicode reordering, deletions, and invisibles. Based on (["Bad Characters: Imperceptible NLP Attacks" (Boucher et al., 2021)](https://arxiv.org/abs/2106.09898)).</sub></td>
+</tr>
 
 </tbody>
 </font>
 </table>
 
-
-
 - Citations
 
 ```
 
@@ -160,5 +160,16 @@ Attacks on sequence-to-sequence models
    :noindex:
 
 
+General
+############################################
+
+19. BadCharacters (Bad Characters: Imperceptible NLP Attacks)
+
+
+.. automodule:: textattack.attack_recipes.bad_characters_2021
+   :members:
+   :noindex:
+
+
 
 
@@ -2,23 +2,24 @@
 
 We provide a number of pre-built attack recipes, which correspond to attacks from the literature.
 
-
 ## Help: `textattack --help`
 
 TextAttack's main features can all be accessed via the `textattack` command. Two very
 common commands are `textattack attack <args>`, and `textattack augment <args>`. You can see more
 information about all commands using
+
 ```bash
 textattack --help
 ```
+
 or a specific command using, for example,
+
 ```bash
 textattack attack --help
 ```
 
 The [`examples/`](https://github.com/QData/TextAttack/tree/master/examples) folder includes scripts showing common TextAttack usage for training models, running attacks, and augmenting a CSV file.
 
-
 The [documentation website](https://textattack.readthedocs.io/en/latest) contains walkthroughs explaining basic usage of TextAttack, including building a custom transformation and a custom constraint..
 
 ## Running Attacks: `textattack attack --help`
@@ -29,17 +30,20 @@ The easiest way to try out an attack is via the command-line interface, `textatt
 
 Here are some concrete examples:
 
-*TextFooler on BERT trained on the MR sentiment classification dataset*:
+_TextFooler on BERT trained on the MR sentiment classification dataset_:
+
 ```bash
 textattack attack --recipe textfooler --model bert-base-uncased-mr --num-examples 100
 ```
 
-*DeepWordBug on DistilBERT trained on the Quora Question Pairs paraphrase identification dataset*:
+_DeepWordBug on DistilBERT trained on the Quora Question Pairs paraphrase identification dataset_:
+
 ```bash
 textattack attack --model distilbert-base-uncased-cola --recipe deepwordbug --num-examples 100
 ```
 
-*Beam search with beam width 4 and word embedding transformation and untargeted goal function on an LSTM*:
+_Beam search with beam width 4 and word embedding transformation and untargeted goal function on an LSTM_:
+
 ```bash
 textattack attack --model lstm-mr --num-examples 20 \
  --search-method beam-search^beam_width=4 --transformation word-swap-embedding \
@@ -55,7 +59,6 @@ We include attack recipes which implement attacks from the literature. You can l
 
 To run an attack recipe: `textattack attack --recipe [recipe_name]`
 
-
 <table  style="width:100%" border="1">
 <thead>
 <tr class="header">
@@ -220,23 +223,33 @@ To run an attack recipe: `textattack attack --recipe [recipe_name]`
 <td ><sub>Greedy attack with goal of changing every word in the output translation. Currently implemented as black-box with plans to change to white-box as done in paper, from <a href="https://arxiv.org/abs/1803.01128">"Seq2Sick: Evaluating the Robustness of Sequence-to-Sequence Models with Adversarial Examples" (Cheng et al., 2018)</a></sub>  </td>
 </tr>
 
+<tr><td style="text-align: center;" colspan="6"><strong><br>General: <br></strong></td></tr>
+
+<tr>
+<td><code>bad-characters</code> <span class="citation" data-cites=""></span></td>
+<td><sub>TargetedClassification, TargetedStrict, TargetedBonus, NamedEntityRecognition, LogitSum, MinimizeBleu, MaximizeLevenshtein</sub> </td>
+<td></td>
+<td><sub>(Homoglyph, Invisible Characters, Reorderings, Deletions) Word Swap</sub> </td>
+<td><sub>DifferentialEvolution</sub></td>
+<td ><sub>Uses imperceptible character-level perturbations including homoglyph substitutions, Unicode reordering, deletions, and invisibles. Based on (["Bad Characters: Imperceptible NLP Attacks" (Boucher et al., 2021)](https://arxiv.org/abs/2106.09898)).</sub>  </td>
+</tr>
 
 </tbody>
 </font>
 </table>
 
-
-
 ## Recipe Usage Examples
 
 Here are some examples of testing attacks from the literature from the command-line:
 
-*TextFooler against BERT fine-tuned on SST-2:*
+_TextFooler against BERT fine-tuned on SST-2:_
+
 ```bash
 textattack attack --model bert-base-uncased-sst2 --recipe textfooler --num-examples 10
 ```
 
-*seq2sick (black-box) against T5 fine-tuned for English-German translation:*
+_seq2sick (black-box) against T5 fine-tuned for English-German translation:_
+
 ```bash
  textattack attack --model t5-en-de --recipe seq2sick --num-examples 100
 ```
@@ -9,6 +9,26 @@ GoalFunction
 .. autoclass:: textattack.goal_functions.GoalFunction
    :members:
 
+LogitSum
+--------------------------
+.. autoclass:: textattack.goal_functions.LogitSum
+   :members:
+
+NamedEntityRecognition
+--------------------------
+.. autoclass:: textattack.goal_functions.NamedEntityRecognition
+   :members:
+
+TargetedStrict
+--------------------------
+.. autoclass:: textattack.goal_functions.TargetedStrict
+   :members:
+
+TargetedBonus
+--------------------------
+.. autoclass:: textattack.goal_functions.TargetedBonus
+   :members:
+
 ClassificationGoalFunction
 --------------------------
 .. autoclass:: textattack.goal_functions.classification.ClassificationGoalFunction
@@ -44,3 +64,8 @@ NonOverlappingOutput
 .. autoclass:: textattack.goal_functions.text.NonOverlappingOutput
    :members:
 
+MaximizeLevenshtein
+--------------------------
+.. autoclass:: textattack.goal_functions.text.MaximizeLevenshtein
+   :members:
+
@@ -44,3 +44,8 @@ ParticleSwarmOptimization
 .. autoclass:: textattack.search_methods.ParticleSwarmOptimization
    :members:
 
+DifferentialEvolution
+--------------------------
+.. autoclass:: textattack.search_methods.DifferentialEvolution
+   :members:
+
@@ -6,7 +6,8 @@ textattack.attack\_recipes package
    :undoc-members:
    :show-inheritance:
 
-
+Submodules
+----------
 
 
 .. automodule:: textattack.attack_recipes.a2t_yoo_2021
@@ -21,6 +22,12 @@ textattack.attack\_recipes package
    :show-inheritance:
 
 
+.. automodule:: textattack.attack_recipes.bad_characters_2021
+   :members:
+   :undoc-members:
+   :show-inheritance:
+
+
 .. automodule:: textattack.attack_recipes.bae_garg_2019
    :members:
    :undoc-members:
@@ -39,6 +46,12 @@ textattack.attack\_recipes package
    :show-inheritance:
 
 
+.. automodule:: textattack.attack_recipes.chinese_recipe
+   :members:
+   :undoc-members:
+   :show-inheritance:
+
+
 .. automodule:: textattack.attack_recipes.clare_li_2020
    :members:
    :undoc-members:
@@ -57,6 +70,12 @@ textattack.attack\_recipes package
    :show-inheritance:
 
 
+.. automodule:: textattack.attack_recipes.french_recipe
+   :members:
+   :undoc-members:
+   :show-inheritance:
+
+
 .. automodule:: textattack.attack_recipes.genetic_algorithm_alzantot_2018
    :members:
    :undoc-members:
@@ -117,6 +136,12 @@ textattack.attack\_recipes package
    :show-inheritance:
 
 
+.. automodule:: textattack.attack_recipes.spanish_recipe
+   :members:
+   :undoc-members:
+   :show-inheritance:
+
+
 .. automodule:: textattack.attack_recipes.textbugger_li_2018
    :members:
    :undoc-members:
 
@@ -6,7 +6,8 @@ textattack.attack\_results package
    :undoc-members:
    :show-inheritance:
 
-
+Submodules
+----------
 
 
 .. automodule:: textattack.attack_results.attack_result
 
@@ -6,7 +6,8 @@ textattack.augmentation package
    :undoc-members:
    :show-inheritance:
 
-
+Submodules
+----------
 
 
 .. automodule:: textattack.augmentation.augmenter
 
@@ -6,7 +6,8 @@ textattack.commands package
    :undoc-members:
    :show-inheritance:
 
-
+Submodules
+----------
 
 
 .. automodule:: textattack.commands.attack_command