Defense-friendly Images in Adversarial Attacks: Dataset and Metrics for Perturbation Difficulty

TL;DR

This paper introduces a new dataset and metrics to identify and quantify robust images that resist adversarial attacks, aiming to improve unbiased benchmarking of attack and defense methods in adversarial machine learning.

Contribution

The authors present the first dataset of robust images, propose three metrics for dataset bias detection, and provide tools for more accurate evaluation of adversarial defenses.

Findings

A class of images resilient to attacks is identified.

The dataset and metrics reveal biases in existing benchmarks.

Robust images recover better under simple defenses than random images.

Abstract

Dataset bias is a problem in adversarial machine learning, especially in the evaluation of defenses. An adversarial attack or defense algorithm may show better results on the reported dataset than can be replicated on other datasets. Even when two algorithms are compared, their relative performance can vary depending on the dataset. Deep learning offers state-of-the-art solutions for image recognition, but deep models are vulnerable even to small perturbations. Research in this area focuses primarily on adversarial attacks and defense algorithms. In this paper, we report for the first time, a class of robust images that are both resilient to attacks and that recover better than random images under adversarial attacks using simple defense techniques. Thus, a test dataset with a high proportion of robust images gives a misleading impression about the performance of an adversarial attack or defense. We propose three metrics to determine the proportion of robust images in a dataset and provide scoring to determine the dataset bias. We also provide an ImageNet-R dataset of 15000+ robust images to facilitate further research on this intriguing phenomenon of image strength under attack. Our dataset, combined with the proposed metrics, is valuable for unbiased benchmarking of adversarial attack and defense algorithms.