Group-based Robustness: A General Framework for Customized Robustness in the Real World

TL;DR

This paper introduces group-based robustness, a new metric for evaluating model vulnerability to class-specific attacks, along with efficient attack strategies and a defense method, addressing limitations of traditional robustness metrics in real-world scenarios.

Contribution

It defines a novel group-based robustness metric, proposes new attack strategies and loss functions, and presents a defense method to enhance robustness against class-specific attacks.

Findings

Group-based robustness effectively distinguishes model vulnerabilities in complex attack scenarios.

New attack strategies significantly reduce computation time and increase efficiency.

The proposed defense method improves group-based robustness by up to 3.52 times.

Abstract

Machine-learning models are known to be vulnerable to evasion attacks that perturb model inputs to induce misclassifications. In this work, we identify real-world scenarios where the true threat cannot be assessed accurately by existing attacks. Specifically, we find that conventional metrics measuring targeted and untargeted robustness do not appropriately reflect a model's ability to withstand attacks from one set of source classes to another set of target classes. To address the shortcomings of existing methods, we formally define a new metric, termed group-based robustness, that complements existing metrics and is better-suited for evaluating model performance in certain attack scenarios. We show empirically that group-based robustness allows us to distinguish between models' vulnerability against specific threat models in situations where traditional robustness metrics do not apply. Moreover, to measure group-based robustness efficiently and accurately, we 1) propose two loss functions and 2) identify three new attack strategies. We show empirically that with comparable success rates, finding evasive samples using our new loss functions saves computation by a factor as large as the number of targeted classes, and finding evasive samples using our new attack strategies saves time by up to 99\% compared to brute-force search methods. Finally, we propose a defense method that increases group-based robustness by up to 3.52$\times$.