MEAD: A Multi-Armed Approach for Evaluation of Adversarial Examples Detectors
Federica Granese, Marine Picot, Marco Romanelli, Francisco Messina, Pablo Piantanida

TL;DR
This paper introduces MEAD, a multi-armed evaluation framework for adversarial example detectors that considers multiple attack strategies to provide a more realistic assessment of their robustness in real-world scenarios.
Contribution
The paper proposes a novel multi-armed evaluation framework, MEAD, incorporating multiple attack strategies and new objectives to assess detector robustness more accurately.
Findings
MEAD effectively evaluates detectors against diverse attack strategies.
State-of-the-art detectors perform poorly under the multi-attack evaluation.
The approach highlights the need for more robust adversarial detection methods.
Abstract
Detection of adversarial examples has been a hot topic in the last years due to its importance for safely deploying machine learning algorithms in critical applications. However, the detection methods are generally validated by assuming a single implicitly known attack strategy, which does not necessarily account for real-life threats. Indeed, this can lead to an overoptimistic assessment of the detectors' performance and may induce some bias in the comparison between competing detection schemes. We propose a novel multi-armed framework, called MEAD, for evaluating detectors based on several attack strategies to overcome this limitation. Among them, we make use of three new objectives to generate attacks. The proposed performance metric is based on the worst-case scenario: detection is successful if and only if all different attacks are correctly recognized. Empirically, we show the…
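The worst-case criterion described in the abstract, as an added example (not code from the paper or its authors): a sample counts as detected only if the detector flags it under every attack, which is the same as thresholding the per-sample minimum score over attacks. The scores, attack labels, threshold and function names are constructed for illustration; the example assumes a higher score means "more likely adversarial" and that each attack produced one adversarial version of each natural sample.

```python
from typing import Dict, List

# Constructed detector scores (higher = more likely adversarial).
NATURAL = [0.10, 0.20, 0.30, 0.40]
# One list per attack; index i is the adversarial version of natural sample i.
PER_ATTACK = {
    "attack_a": [0.90, 0.80, 0.35, 0.70],
    "attack_b": [0.85, 0.25, 0.90, 0.75],
    "attack_c": [0.15, 0.90, 0.80, 0.60],
}
THRESHOLD = 0.5


def tpr(scores: List[float], threshold: float) -> float:
    """Fraction of adversarial inputs the detector flags at this threshold."""
    return sum(s >= threshold for s in scores) / len(scores)


def worst_case_scores(per_attack: Dict[str, List[float]]) -> List[float]:
    """Per-sample minimum over attacks: a sample is flagged under *all*
    attacks if and only if its lowest score clears the threshold."""
    return [min(column) for column in zip(*per_attack.values())]


def auroc(negatives: List[float], positives: List[float]) -> float:
    """Mann-Whitney AUROC: P(positive score > negative score), ties = 0.5."""
    wins = sum((p > n) + 0.5 * (p == n) for p in positives for n in negatives)
    return wins / (len(positives) * len(negatives))


def evaluate(natural, per_attack, threshold) -> Dict[str, Dict[str, float]]:
    """Single-attack metrics next to the multi-attack worst-case metric."""
    report = {
        name: {"tpr": tpr(s, threshold), "auroc": auroc(natural, s)}
        for name, s in per_attack.items()
    }
    worst = worst_case_scores(per_attack)
    report["worst_case"] = {"tpr": tpr(worst, threshold),
                            "auroc": auroc(natural, worst)}
    return report


if __name__ == "__main__":
    for name, metrics in evaluate(NATURAL, PER_ATTACK, THRESHOLD).items():
        print(f"{name:>10}: TPR={metrics['tpr']:.2f} AUROC={metrics['auroc']:.4f}")
```

On this constructed data every single-attack evaluation reports 75% detection, while only one sample in four is detected under all three attacks.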
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Advanced Malware Detection Techniques · Anomaly Detection Techniques and Applications
