Adversarial Samples Are Not Created Equal
Jennifer Crawford, Amol Khanna, Fred Lu, Amy R. Wagoner, Stella Biderman, Andre T. Nguyen, Edward Raff

TL;DR
This paper distinguishes two types of adversarial samples based on their use of non-robust features, proposing a new metric to analyze their differences and re-evaluating existing robustness phenomena.
Contribution
It introduces an ensemble-based metric to differentiate adversarial samples that exploit non-robust features from those that do not, offering a new perspective on adversarial robustness evaluation.
Findings
Differentiates two types of adversarial samples based on feature usage.
Re-examines the impact of sharpness-aware minimization on robustness.
Analyzes the robustness gap between adversarial training and standard training.
Abstract
Over the past decade, numerous theories have been proposed to explain the widespread vulnerability of deep neural networks to adversarial evasion attacks. Among these, the theory of non-robust features proposed by Ilyas et al. has been widely accepted, showing that brittle but predictive features of the data distribution can be directly exploited by attackers. However, this theory overlooks adversarial samples that do not directly utilize these features. In this work, we advocate that these two kinds of samples - those which use brittle but predictive features and those that do not - comprise two types of adversarial weaknesses and should be differentiated when evaluating adversarial robustness. For this purpose, we propose an ensemble-based metric to measure the manipulation of non-robust features by adversarial perturbations and use this metric to analyze the makeup of adversarial…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Ethics and Social Impacts of AI · Explainable Artificial Intelligence (XAI)
