Dummy-Aware Weighted Attack (DAWA): Breaking the Safe Sink in Dummy Class Defenses
Yunrui Yu, Xuxiang Feng, Pengda Qin, Pengyang Wang, Kafeng Wang, Cheng-zhong Xu, Hang Su, Jun Zhu

TL;DR
This paper introduces DAWA, a new attack method that more accurately evaluates Dummy Classes-based defenses, revealing their overestimated robustness and emphasizing the need for improved assessment techniques.
Contribution
The paper proposes DAWA, an adaptive attack that targets both true and dummy classes, effectively breaking Dummy Classes-based defenses and providing a more reliable robustness evaluation.
Findings
DAWA reduces the measured robustness of a leading defense from 58.61% to 29.52%.
Extensive experiments validate DAWA's effectiveness across datasets and perturbation settings.
The work highlights the limitations of conventional evaluation strategies for Dummy Classes defenses.
Abstract
Adversarial robustness evaluation faces a critical challenge as new defense paradigms emerge that can exploit limitations in existing assessment methods. This paper reveals that Dummy Classes-based defenses, which introduce an additional "dummy" class as a safety sink for adversarial examples, achieve significantly overestimated robustness under conventional evaluation strategies like AutoAttack. The fundamental limitation stems from these attacks' singular focus on misleading the true class label, which aligns perfectly with the defense mechanism: successful attacks are simply captured by the dummy class. To address this gap, we propose Dummy-Aware Weighted Attack (DAWA), a novel evaluation method that simultaneously targets both the true label and dummy label with adaptive weighting during adversarial example synthesis. Extensive experiments demonstrate that DAWA effectively breaks…
