Tuning for Two Adversaries: Enhancing the Robustness Against Transfer and Query-Based Attacks using Hyperparameter Tuning
Pascal Zimmer, Ghassan Karame

TL;DR
This paper analyzes how hyperparameter tuning affects model robustness against transfer and query-based attacks, revealing opposing effects of learning rate adjustments and proposing joint tuning strategies for improved security.
Contribution
It provides the first detailed analysis of hyperparameter impacts on robustness against different attack types, supported by theory and experiments across various training setups.
Findings
Decreasing the learning rate improves robustness against transfer-based attacks by up to 64%.
Increasing the learning rate improves robustness against query-based attacks by up to 28%.
Models trained in a distributed setting benefit most from hyperparameter tuning, balancing robustness against both attack types.
Abstract
In this paper, we present the first detailed analysis of how training hyperparameters -- such as learning rate, weight decay, momentum, and batch size -- influence robustness against both transfer-based and query-based attacks. Supported by theory and experiments, our study spans a variety of practical deployment settings, including centralized training, ensemble learning, and distributed training. We uncover a striking dichotomy: for transfer-based attacks, decreasing the learning rate significantly enhances robustness by up to 64%. In contrast, for query-based attacks, increasing the learning rate consistently leads to improved robustness by up to 28% across various settings and data distributions. Leveraging these findings, we explore -- for the first time -- the training hyperparameter space to jointly enhance robustness against both transfer-based and query-based attacks. Our…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Privacy-Preserving Technologies in Data · Domain Adaptation and Few-Shot Learning
