Attack Transferability Characterization for Adversarially Robust Multi-label Classification
Zhuo Yang, Yufei Han, Xiangliang Zhang

TL;DR
This paper analyzes how adversarial attacks transfer between multi-label classifiers, introduces a new assessment method called SAE, and enhances robustness by integrating transferability regularization into multi-label learning.
Contribution
It provides a theoretical framework for understanding attack transferability in multi-label classifiers and proposes a novel transferability-based vulnerability assessment and robustness enhancement method.
Findings
Transferability level influences attackability of classifiers.
SAE effectively evaluates intrinsic vulnerability of multi-label classifiers.
Transferability-regularized training improves adversarial robustness.
Abstract
Despite the pervasive existence of multi-label evasion attack, it is an open yet essential problem to characterize the origin of the adversarial vulnerability of a multi-label learning system and assess its attackability. In this study, we focus on non-targeted evasion attack against multi-label classifiers. The goal of the threat is to cause misclassification with respect to as many labels as possible, with the same input perturbation. Our work gains in-depth understanding about the multi-label adversarial attack by first characterizing the transferability of the attack based on the functional properties of the multi-label classifier. We unveil how the transferability level of the attack determines the attackability of the classifier via establishing an information-theoretic analysis of the adversarial risk. Furthermore, we propose a transferability-centered attackability…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Domain Adaptation and Few-Shot Learning · Text and Document Classification Technologies
