Transfer of Adversarial Robustness Between Perturbation Types

TL;DR

This paper investigates how adversarial robustness in neural networks transfers across different types of perturbations, revealing that robustness does not always transfer and can sometimes be compromised.

Contribution

It provides an empirical analysis of robustness transfer across five perturbation types and 32 attack methods, highlighting the complexity of adversarial robustness.

Findings

Robustness transfer between perturbation types is inconsistent.

Evaluating on diverse perturbation sizes is crucial for understanding robustness.

Robustness against one perturbation type may not imply robustness against others.

Abstract

We study the transfer of adversarial robustness of deep neural networks between different perturbation types. While most work on adversarial examples has focused on $L_\infty$ and $L_2$-bounded perturbations, these do not capture all types of perturbations available to an adversary. The present work evaluates 32 attacks of 5 different types against models adversarially trained on a 100-class subset of ImageNet. Our empirical results suggest that evaluating on a wide range of perturbation sizes is necessary to understand whether adversarial robustness transfers between perturbation types. We further demonstrate that robustness against one perturbation type may not always imply and may sometimes hurt robustness against other perturbation types. In light of these results, we recommend evaluation of adversarial defenses take place on a diverse range of perturbation types and sizes.