Generalized Likelihood Ratio Test for Adversarially Robust Hypothesis Testing

TL;DR

This paper introduces a defense method against adversarial attacks in hypothesis testing using the generalized likelihood ratio test (GLRT), demonstrating its effectiveness and robustness in various scenarios, including unknown attack models.

Contribution

The paper develops a GLRT-based defense for adversarial hypothesis testing, extending its application to multi-class problems and analyzing its performance against worst-case and adaptive attacks.

Findings

GLRT approaches minimax defense asymptotically in high dimensions

GLRT offers better robustness-accuracy tradeoff under weaker attacks

Effective in multi-class hypothesis testing with unknown attack models

Abstract

Machine learning models are known to be susceptible to adversarial attacks which can cause misclassification by introducing small but well designed perturbations. In this paper, we consider a classical hypothesis testing problem in order to develop fundamental insight into defending against such adversarial perturbations. We interpret an adversarial perturbation as a nuisance parameter, and propose a defense based on applying the generalized likelihood ratio test (GLRT) to the resulting composite hypothesis testing problem, jointly estimating the class of interest and the adversarial perturbation. While the GLRT approach is applicable to general multi-class hypothesis testing, we first evaluate it for binary hypothesis testing in white Gaussian noise under $\ell_{\infty}$ norm-bounded adversarial perturbations, for which a known minimax defense optimizing for the worst-case attack provides a benchmark. We derive the worst-case attack for the GLRT defense, and show that its asymptotic performance (as the dimension of the data increases) approaches that of the minimax defense. For non-asymptotic regimes, we show via simulations that the GLRT defense is competitive with the minimax approach under the worst-case attack, while yielding a better robustness-accuracy tradeoff under weaker attacks. We also illustrate the GLRT approach for a multi-class hypothesis testing problem, for which a minimax strategy is not known, evaluating its performance under both noise-agnostic and noise-aware adversarial settings, by providing a method to find optimal noise-aware attacks, and heuristics to find noise-agnostic attacks that are close to optimal in the high SNR regime.