Detecting adversarial attacks on random samples

TL;DR

This paper investigates the detectability of adversarial perturbations in normal distribution samples, establishing thresholds for when such attacks can or cannot be reliably identified.

Contribution

It provides a theoretical analysis of the conditions under which adversarial attacks on normal samples are detectable or undetectable, with precise thresholds.

Findings

Detection thresholds depend on perturbation magnitude and sparsity.

When perturbations are below a certain magnitude, detection becomes impossible.

The study offers a clear characterization of detectability boundaries.

Abstract

This paper studies the problem of detecting adversarial perturbations in a sequence of observations. Given a data sample $X_1, \ldots, X_n$ drawn from a standard normal distribution, an adversary, after observing the sample, can perturb each observation by a fixed magnitude or leave it unchanged. We explore the relationship between the perturbation magnitude, the sparsity of the perturbation, and the detectability of the adversary's actions, establishing precise thresholds for when detection becomes impossible.