Adversarial Attack and Defense for Non-Parametric Two-Sample Tests
Xilie Xu, Jingfeng Zhang, Feng Liu, Masashi Sugiyama, Mohan Kankanhalli

TL;DR
This paper reveals vulnerabilities of non-parametric two-sample tests to adversarial attacks, proposes defense strategies, and demonstrates their effectiveness through extensive experiments on simulated and real datasets.
Contribution
It systematically uncovers attack methods against TSTs, introduces ensemble attacks, and develops a robust training framework to defend against adversarial manipulations.
Findings
Adversaries can effectively degrade TST performance.
Ensemble attack framework enables TST-agnostic adversarial attacks.
Proposed defense improves robustness of TSTs against attacks.
Abstract
Non-parametric two-sample tests (TSTs) that judge whether two sets of samples are drawn from the same distribution, have been widely used in the analysis of critical data. People tend to employ TSTs as trusted basic tools and rarely have any doubt about their reliability. This paper systematically uncovers the failure mode of non-parametric TSTs through adversarial attacks and then proposes corresponding defense strategies. First, we theoretically show that an adversary can upper-bound the distributional shift which guarantees the attack's invisibility. Furthermore, we theoretically find that the adversary can also degrade the lower bound of a TST's test power, which enables us to iteratively minimize the test criterion in order to search for adversarial pairs. To enable TST-agnostic attacks, we propose an ensemble attack (EA) framework that jointly minimizes the different types of test…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Anomaly Detection Techniques and Applications · Forensic and Genetic Research
