How Worst-Case Are Adversarial Attacks? Linking Adversarial and Perturbation Robustness
Giulio Rossolini

TL;DR
This paper investigates whether adversarial attacks accurately estimate a model's vulnerability to random perturbations, introducing a probabilistic framework and experiments to clarify when adversarial success indicates true robustness or not.
Contribution
It introduces a probabilistic analysis linking adversarial and stochastic robustness, and proposes an attack strategy to evaluate this connection across different regimes.
Findings
Adversarial success often correlates with robustness in certain regimes.
The proposed attack probes vulnerabilities closer to random noise.
Benchmarking reveals when adversarial attacks are reliable indicators of robustness.
Abstract
Adversarial attacks are widely used to identify model vulnerabilities; however, their validity as proxies for robustness to random perturbations remains debated. We ask whether an adversarial example provides a representative estimate of misprediction risk under stochastic perturbations of the same magnitude, or instead reflects an atypical worst-case event. To address this question, we introduce a probabilistic analysis that quantifies this risk with respect to directionally biased perturbation distributions, parameterized by a concentration factor that interpolates between isotropic noise and adversarial directions. Building on this, we study the limits of this connection by proposing an attack strategy designed to probe vulnerabilities in regimes that are statistically closer to uniform noise. Experiments on ImageNet and CIFAR-10 systematically benchmark multiple attacks,…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Explainable Artificial Intelligence (XAI) · Smart Grid Security and Resilience
