Detector-Evasive LLM Paraphrasing via Constrained Policy Optimization

Researchers present DEPO, a reinforcement learning algorithm that enables large language models to evade AI-text detectors through paraphrasing while maintaining semantic fidelity. The constrained optimization approach treats detector evasion as the primary objective with semantic preservation as an explicit constraint, demonstrating robust performance across multiple detectors and datasets.

This research addresses a critical vulnerability in AI-text detection systems that has significant implications for content authenticity and trust. The paper reveals that existing detector-evasion methods struggle with a fundamental trade-off: optimizing for evasion often corrupts the original meaning of text, while multi-objective approaches lack precise control over this balance. DEPO solves this through a constrained Markov Decision Process framework that explicitly separates evasion goals from semantic constraints, allowing controlled optimization within predetermined boundaries.

The security landscape surrounding AI-generated content has intensified as detectors like MAGE, RoBERTa, and Binoculars proliferate across academic and commercial platforms. Paraphrasing attacks represent an ongoing arms race, where each detector improvement prompts corresponding evasion techniques. DEPO's sophistication—particularly its group-based policy updates and adaptive Lagrangian balancing—marks an evolution in attack methodology that goes beyond naive prompt engineering or simple rewording strategies.

The implications extend beyond academic concern. Educational institutions relying on AI-text detectors for academic integrity face renewed vulnerability. Content moderation systems struggle similarly, as adversarially-paraphrased content could bypass safety filters while preserving harmful intent. The cross-detector and cross-domain robustness demonstrated in experiments suggests the technique generalizes effectively across different detection architectures.

The research underscores why detector development requires ongoing evolution rather than static deployment. Organizations implementing AI-text detection should prioritize ensemble approaches, semantic validation beyond detector scores, and human review for high-stakes decisions. The ability to evade detection while preserving meaning highlights that no single detector provides definitive AI-content classification.

• →DEPO achieves detector evasion while maintaining precise semantic preservation through constrained policy optimization
• →The algorithm demonstrates cross-detector and cross-domain robustness, suggesting broad applicability of the attack method
• →AI-text detectors face renewed vulnerability from sophisticated paraphrasing techniques that preserve meaning while evading detection
• →Constrained reinforcement learning offers more precise control over evasion-semantics trade-offs than previous scalarized reward approaches
• →Educational and content moderation systems relying solely on AI detectors require additional validation mechanisms