Key concepts
Defenses against adversarial examples should look beyond robustness against single attack types and instead focus on achieving robustness against multiple attacks simultaneously, handling unforeseen attacks, and enabling continual adaptation to new attacks.
Summary
This position paper argues that the current focus of adversarial robustness research on robustness against a single attack type, such as ℓ2- or ℓ∞-bounded perturbations, is insufficient. The space of possible perturbations is much larger than any one such ball and cannot be captured by a single attack type. This discrepancy between what current defenses are built for and the space of attacks that matter in practice calls into question the practicality and reliability of existing defenses.
The paper proposes three key directions to address this issue:
- Simultaneous Multiattack Robustness (sMAR): Designing defenses that can achieve robustness against multiple attacks of interest simultaneously.
- Unforeseen Attack Robustness (UAR): Ensuring that defenses generalize to attacks that were not considered in the design of the defense.
- Continual Adaptive Robustness (CAR): Developing defenses that can efficiently adapt to new attacks over time while maintaining robustness against previous attacks.
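To make the three settings concrete, the following is an added illustration written for this page; it is not the paper's formalization or code. It uses a linear classifier, for which the worst-case perturbation inside an ℓp ball has a closed form (the margin drops by exactly ε·‖w‖q with 1/p + 1/q = 1), so robust accuracy under each threat model is exact rather than the output of an approximate attack. The data are constructed synthetic Gaussian inputs, the attack set {ℓ∞, ℓ2, ℓ1} and the radii are assumptions chosen for the demo, hinge-loss adversarial training stands in for "the defense", and warm-started retraining on the union of attacks seen so far stands in for continual adaptation. `robust_accuracy` with several attacks is the sMAR metric (the adversary picks the best attack per example); evaluating the ℓ∞-trained model on ℓ2 and ℓ1 is the UAR question; the second training call is the CAR step.

```python
"""Toy harness for sMAR / UAR / CAR on a linear model f(x) = w.x + b.
Added example for this page; not the paper's own code. All data below
is constructed synthetically."""
import numpy as np


def dual_norm(w, p):
    """||w||_q for the dual q of threat model p: the exact worst-case
    margin loss per unit radius for a linear model."""
    w = np.asarray(w, dtype=float)
    if p == "linf":
        return float(np.abs(w).sum())       # q = 1
    if p == "l2":
        return float(np.linalg.norm(w))     # q = 2
    if p == "l1":
        return float(np.abs(w).max())       # q = inf
    raise ValueError(p)


def dual_norm_subgrad(w, p):
    """A subgradient of ||w||_q, used by the training loop."""
    if p == "linf":
        return np.sign(w)
    if p == "l2":
        n = np.linalg.norm(w)
        return w / n if n > 0 else np.zeros_like(w)
    if p == "l1":
        g = np.zeros_like(w)
        i = int(np.argmax(np.abs(w)))
        g[i] = np.sign(w[i])
        return g
    raise ValueError(p)


def margins(w, b, X, y):
    return y * (X @ w + b)


def robust_accuracy(w, b, X, y, attacks):
    """Accuracy when the adversary may pick, per example, any attack in
    `attacks` ({threat model: eps}). An example survives only if its
    margin beats the largest worst-case drop among them. With one
    attack this is ordinary robust accuracy; with several it is the
    simultaneous multiattack (sMAR) metric; with none it is clean accuracy."""
    thresh = max((eps * dual_norm(w, p) for p, eps in attacks.items()), default=0.0)
    return float(np.mean(margins(w, b, X, y) > thresh))


def adversarial_train(X, y, attacks, w0=None, b0=0.0, steps=2000, lr=0.05, reg=1e-3):
    """Hinge-loss adversarial training against the union of `attacks`.
    Because the inner maximisation is closed-form for a linear model, the
    robust loss is mean(max(0, 1 - y(w.x+b) + max_a eps_a*||w||_{q_a}))
    and we minimise it by subgradient descent. Passing w0/b0 warm-starts
    from an existing model (the adaptation step in the CAR setting)."""
    d = X.shape[1]
    w = np.zeros(d) if w0 is None else w0.copy()
    b = float(b0)
    n = len(y)
    for _ in range(steps):
        if attacks:
            worst = max(attacks, key=lambda p: attacks[p] * dual_norm(w, p))
            thresh = attacks[worst] * dual_norm(w, worst)
            pen_grad = attacks[worst] * dual_norm_subgrad(w, worst)
        else:
            thresh, pen_grad = 0.0, np.zeros(d)
        active = (1.0 - margins(w, b, X, y) + thresh) > 0     # examples with non-zero hinge loss
        gw = -(X[active] * y[active][:, None]).sum(0) / n + active.mean() * pen_grad + reg * w
        gb = -y[active].sum() / n
        w -= lr * gw
        b -= lr * gb
    return w, b


def make_data(n=400, d=20, seed=0):
    """Constructed synthetic data: Gaussian inputs labelled by a random linear rule."""
    rng = np.random.default_rng(seed)
    X = rng.normal(size=(n, d))
    w_true = rng.normal(size=d)
    y = np.sign(X @ w_true)
    y[y == 0] = 1.0
    return X, y


def run_demo(eps_inf=0.1, eps_2=0.45, eps_1=1.0):
    """Train for l_inf only, then ask the sMAR, UAR and CAR questions of it."""
    X, y = make_data()
    d = X.shape[1]
    all_attacks = {"linf": eps_inf, "l2": eps_2, "l1": eps_1}
    w, b = adversarial_train(X, y, {"linf": eps_inf})          # defense built for l_inf alone
    out = {"clean": robust_accuracy(w, b, X, y, {})}
    for p, e in all_attacks.items():                            # l2 and l1 are unforeseen (UAR)
        out[p] = robust_accuracy(w, b, X, y, {p: e})
    out["sMAR_union"] = robust_accuracy(w, b, X, y, all_attacks)
    # An l_inf ball of radius eps sits inside the l2 ball of radius eps*sqrt(d),
    # so an l2 adversary with that budget is never weaker than the l_inf one.
    out["l2_at_eps_sqrt_d"] = robust_accuracy(w, b, X, y, {"l2": eps_inf * np.sqrt(d)})
    # CAR: an l2 attack arrives later; adapt from the current weights on the union.
    w2, b2 = adversarial_train(X, y, {"linf": eps_inf, "l2": eps_2}, w0=w, b0=b, steps=1000)
    out["after_adapt_linf"] = robust_accuracy(w2, b2, X, y, {"linf": eps_inf})
    out["after_adapt_l2"] = robust_accuracy(w2, b2, X, y, {"l2": eps_2})
    return out


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k:>20s}: {v:.3f}")
```

Two properties of this harness hold exactly, independent of the training outcome: clean accuracy is at least each single-attack accuracy, which is at least the union (sMAR) accuracy, and for a linear model the union accuracy equals the minimum over the individual attacks, because the adversary's best choice is the same for every example. Whether the ℓ∞-trained model also holds up under ℓ2 and ℓ1, and how much ℓ∞ robustness survives the adaptation step, are the empirical questions the three settings above are about.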
The paper provides a unified game-theoretic framework to rigorously define these problem settings and synthesize existing research in these areas. It also outlines open research directions, such as:
- Formulating attack spaces and designing general defenses that can work with any attack type
- Understanding and balancing the tradeoffs between robustness against different attacks and clean accuracy
- Improving the efficiency of training and evaluating defenses against multiple attacks
- Exploring the connections between continual learning and CAR, and leveraging test-time adaptation techniques for CAR.
The authors hope that this position paper will inspire more research in simultaneous multiattack, unforeseen attack, and continual adaptive robustness to improve the practicality and reliability of adversarial machine learning.
Statistics
Current defenses mainly focus on robustness against specific narrow threat models, primarily ℓ∞ and ℓ2 bounded adversaries.
The space of possible perturbations is much larger and cannot be fully captured by a single attack type.
Existing attacks follow different threat models, including spatial transformations, color shifts, JPEG-compression based attacks, weather-based attacks, Wasserstein distance bounded attacks, and perceptual distance based attacks.
Quotes
"We argue that this discrepancy between the focus of current defenses and the space of existing attacks leads to vulnerability; an attacker can easily breach the defense by using an attack different from the focus of the defense."
"We hope that our position paper inspires more research in simultaneous multiattack, unforeseen attack, and continual adaptive robustness to improve the practicality and reliability of adversarial machine learning."