HotFlip is a method for generating adversarial examples for text classification by manipulating characters in a text. It uses gradient-based optimization to find the most effective character changes that maximize the loss of a classifier. The method is efficient and can be used for adversarial training, making the model more robust to attacks. HotFlip can also be adapted to attack word-level classifiers by applying semantics-preserving constraints. The paper introduces HotFlip, which uses an atomic flip operation to swap one token for another based on the gradients of the one-hot input vectors. This method is efficient and allows for adversarial training, which improves the model's robustness. The method is tested on a character-level classifier and shown to be effective in generating adversarial examples that can fool the classifier. It is also shown to be effective in attacking word-level classifiers when constraints are applied to preserve semantics. The experiments show that HotFlip can generate adversarial examples that significantly increase the misclassification error of a classifier. The method is compared with a black-box adversary and is found to be more effective. The results also show that adversarial training using HotFlip examples is more effective than training with pseudo-adversarial examples. The paper also discusses the human perception of adversarial examples and shows that they rarely alter the meaning of a sentence. However, word-level adversarial examples are more likely to change the meaning of text, making semantics-preserving constraints necessary. Finally, the paper concludes that white-box attacks are among the most serious forms of attacks on machine learning models. HotFlip provides a method for generating adversarial examples that can be used in adversarial training to make models more robust to attacks. The paper also highlights the importance of studying the robustness of different character-level models for different tasks and the challenges of understanding the landscape of adversarial examples in NLP.HotFlip is a method for generating adversarial examples for text classification by manipulating characters in a text. It uses gradient-based optimization to find the most effective character changes that maximize the loss of a classifier. The method is efficient and can be used for adversarial training, making the model more robust to attacks. HotFlip can also be adapted to attack word-level classifiers by applying semantics-preserving constraints. The paper introduces HotFlip, which uses an atomic flip operation to swap one token for another based on the gradients of the one-hot input vectors. This method is efficient and allows for adversarial training, which improves the model's robustness. The method is tested on a character-level classifier and shown to be effective in generating adversarial examples that can fool the classifier. It is also shown to be effective in attacking word-level classifiers when constraints are applied to preserve semantics. The experiments show that HotFlip can generate adversarial examples that significantly increase the misclassification error of a classifier. The method is compared with a black-box adversary and is found to be more effective. The results also show that adversarial training using HotFlip examples is more effective than training with pseudo-adversarial examples. The paper also discusses the human perception of adversarial examples and shows that they rarely alter the meaning of a sentence. However, word-level adversarial examples are more likely to change the meaning of text, making semantics-preserving constraints necessary. Finally, the paper concludes that white-box attacks are among the most serious forms of attacks on machine learning models. HotFlip provides a method for generating adversarial examples that can be used in adversarial training to make models more robust to attacks. The paper also highlights the importance of studying the robustness of different character-level models for different tasks and the challenges of understanding the landscape of adversarial examples in NLP.