TextFooler is a baseline framework for crafting adversarial examples against text classification models without requiring access to model internals. It operates in two stages: first, it ranks words by their importance to the prediction by removing each word and measuring the drop in confidence score. Second, it iteratively replaces the most critical words with semantically similar synonyms that satisfy grammaticality constraints, using counter-fitted word embeddings and a language model to ensure fluency, until the model's prediction flips.
Glossary
TextFooler

What is TextFooler?
A black-box adversarial attack framework for natural language processing models that generates semantically similar adversarial text by identifying and replacing the most important words with synonyms that flip the model's classification.
As a black-box attack, TextFooler requires only the model's output scores to function, making it a practical tool for evaluating the robustness of deployed NLP systems. Its design prioritizes semantic preservation, ensuring the adversarial text remains a plausible paraphrase of the original. The framework is a standard benchmark in adversarial robustness research, often used alongside CleverHans and the Adversarial Robustness Toolbox to measure a model's vulnerability to lexical substitution attacks.
Key Characteristics of TextFooler
A black-box adversarial attack framework for NLP models that generates semantically similar adversarial text by identifying and replacing the most important words with synonyms that flip the model's classification.
Black-Box Attack Paradigm
TextFooler operates under a black-box threat model, requiring no access to the target model's architecture, gradients, or training data. It relies solely on input-output queries to observe classification confidence scores. This makes it highly practical for evaluating real-world deployed NLP systems where internal model details are proprietary. The framework systematically probes the model's decision boundary by manipulating text inputs and observing prediction changes, simulating a realistic external adversary with no insider knowledge.
Word Importance Ranking
The attack begins by calculating word importance scores for every token in the input text. TextFooler temporarily removes each word and measures the resulting drop in the target model's confidence for the correct class. Words whose deletion causes the largest confidence decrease are ranked as most critical. This step identifies the minimal set of words that dominate the model's classification decision, enabling efficient adversarial perturbation without exhaustive search over all possible token combinations.
Semantic Similarity Constraint
TextFooler enforces a semantic similarity threshold using Universal Sentence Encoder embeddings. For each candidate synonym substitution, the framework computes the cosine similarity between the original and perturbed sentence embeddings. Replacements that fall below a predefined similarity threshold (typically 0.8) are rejected. This constraint ensures the adversarial text remains semantically equivalent to the original, preserving human readability and preventing the attack from producing nonsensical or obviously altered text that would be trivially detectable.
Synonym Replacement Strategy
For each high-importance word, TextFooler generates a list of counter-fitted synonym candidates using pre-trained word embeddings. The framework prioritizes synonyms that are:
- Grammatically compatible with the surrounding context (matching part-of-speech tags)
- Semantically similar to the original word
- Likely to flip the classification when substituted
The attack iteratively replaces words in descending order of importance, querying the model after each substitution. The process stops as soon as the model's prediction changes to any incorrect class, minimizing the number of perturbations.
Attack Success Rate Performance
TextFooler achieves high attack success rates across diverse NLP tasks and model architectures. In the original paper, it fooled BERT-based classifiers on sentiment analysis and textual entailment datasets with success rates exceeding 90% while maintaining semantic similarity above 0.8. The framework is particularly effective against fine-tuned transformer models that rely heavily on specific keywords for classification. Its success demonstrates that even state-of-the-art NLP models remain vulnerable to simple, semantically-preserving word substitutions.
Defense Implications
TextFooler exposes a fundamental vulnerability in NLP classifiers: over-reliance on superficial lexical cues rather than deep semantic understanding. Defenses against this attack include:
- Adversarial training with TextFooler-generated examples to harden decision boundaries
- Interval Bound Propagation (IBP) for certified robustness to synonym substitutions
- Synonym encoding that maps synonyms to shared embeddings before classification
- Randomized smoothing over synonym sets to provide probabilistic robustness guarantees
The framework has become a standard benchmark in the adversarial robustness evaluation of NLP systems.
Frequently Asked Questions
Clear, technical answers to the most common questions about the TextFooler adversarial attack framework for NLP models.
TextFooler is a black-box adversarial attack framework designed specifically for natural language processing (NLP) models. It generates semantically similar adversarial text examples that cause a target model to flip its classification prediction. The framework operates in two sequential stages: word importance ranking and synonym replacement. First, TextFooler identifies the words in the input text that have the highest influence on the model's classification decision by iteratively removing each word and measuring the change in the model's confidence score. Once the most important words are ranked, the second stage replaces them with semantically similar synonyms that satisfy specific constraints—the replacement must preserve grammaticality, maintain semantic similarity above a cosine similarity threshold using Universal Sentence Encoder embeddings, and successfully change the model's prediction. The attack is considered black-box because it requires only the model's output scores, not its internal architecture or gradients.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
TextFooler vs. Other NLP Adversarial Attacks
A feature-level comparison of TextFooler against other prominent black-box adversarial attack frameworks for natural language processing models.
| Feature | TextFooler | BAE | CLARE |
|---|---|---|---|
Attack Knowledge Required | Black-box (confidence scores only) | Black-box (confidence scores only) | Black-box (confidence scores only) |
Perturbation Granularity | Word-level substitution | Word-level substitution | Sentence-level edit |
Semantic Similarity Constraint | Counter-fitted word embeddings + cosine similarity threshold | Masked language model (BERT) for context-aware substitution | Masked language model (RoBERTa) for fluent insertion/replacement |
Importance Ranking Method | Word deletion impact on prediction probability | Masked token prediction loss | Masked token prediction loss + gradient-based ranking |
Grammaticality Preservation | POS checking (optional) | Inherent via MLM generation | Inherent via MLM generation |
Attack Success Rate (IMDB, BERT) | 90.3% | 88.8% | 92.2% |
Perturbation Rate (IMDB, BERT) | 6.1% | 4.3% | 3.8% |
Human Evaluation Score (1-5) | 2.8 | 3.1 | 3.4 |
Related Terms
Explore the core concepts and related attack methodologies that define the TextFooler framework and its role in black-box adversarial robustness testing for natural language processing.
Core Mechanism: Semantic Perturbation
TextFooler operates by identifying the most salient words in a text using importance scoring. It then iteratively replaces these words with semantically similar synonyms that flip the model's classification. The attack maintains lexical correctness and semantic similarity to the original input, making it a highly effective black-box method.
Word Importance Ranking
The attack calculates the importance of each word by measuring the drop in the target model's confidence score when the word is removed or replaced with an OOV (Out-Of-Vocabulary) token. Words causing the largest drop are prioritized for perturbation. This greedy selection ensures minimal text alteration for maximum adversarial impact.
Synonym Substitution Strategy
TextFooler uses counter-fitted word embeddings to find synonyms that are semantically similar but can cross the model's decision boundary. The framework enforces Part-of-Speech (POS) consistency to ensure grammatical correctness. If no single synonym flips the label, it proceeds to the next most important word, maintaining a cumulative perturbation.
TextFooler vs. Other Attacks
- TextFooler: Black-box, semantics-preserving, greedy word replacement.
- HotFlip: White-box, character-level flips using gradient-based optimization.
- BAE (BERT-based Adversarial Examples): Replaces entire tokens using a masked language model.
- DeepWordBug: Black-box, character-level scoring and swapping. TextFooler is distinguished by its strong semantic similarity constraint and high attack success rate on BERT-based classifiers.
Defense: Adversarial Training
The primary defense against TextFooler is adversarial training. By augmenting the training dataset with TextFooler-generated examples, models learn to be invariant to synonym substitutions. This process significantly improves robust accuracy but may incur a slight trade-off with performance on clean data.
Evaluation Metrics
TextFooler's performance is measured by:
- Attack Success Rate (ASR): Percentage of inputs where the classification is flipped.
- Semantic Similarity: Often measured via Universal Sentence Encoder (USE) cosine similarity.
- Perturbation Rate: The percentage of words modified in the original text. A successful attack achieves high ASR with high semantic similarity and a low perturbation rate.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us