Article

Adversarial robustness assessment: Why in evaluation both L0 and L∞ attacks are necessary

Journal

PLOS ONE
Volume 17, Issue 4, Pages: -

Publisher

PUBLIC LIBRARY SCIENCE
DOI: 10.1371/journal.pone.0265723

Keywords

-

Funding

  1. JSPS KAKENHI [JP20241216]
  2. JST-Act-I Grant [JP-50243]

The robustness assessment of machine learning algorithms is a challenging task due to different types of adversarial attacks and defences, as well as the inherent bias in these attacks and defences. This study proposes a model-agnostic adversarial robustness assessment method based on L-0 and L-infinity distance-based norms and robustness levels to address the problems faced. The assessment results show that the robustness may vary significantly depending on the metric used and that L-1 and L-2 metrics alone are not sufficient to avoid spurious adversarial samples. The study also introduces a novel L-infinity black-box adversarial method with lower perturbation than the One-Pixel Attack.
There are different types of adversarial attacks and defences for machine learning algorithms, which makes assessing the robustness of an algorithm a daunting task. Moreover, there is an intrinsic bias in these adversarial attacks and defences to make matters worse. Here, we organise the problems faced: a) Model Dependence, b) Insufficient Evaluation, c) False Adversarial Samples, and d) Perturbation Dependent Results. Based on this, we propose a model-agnostic adversarial robustness assessment method based on L-0 and L-infinity distance-based norms and the concept of robustness levels to tackle the problems. We validate our robustness assessment on several neural network architectures (WideResNet, ResNet, AllConv, DenseNet, NIN, LeNet and CapsNet) and adversarial defences for the image classification problem. The proposed robustness assessment reveals that the robustness may vary significantly depending on the metric used (i.e., L-0 or L-infinity). Hence, the duality should be taken into account for a correct evaluation. Moreover, a mathematical derivation and a counter-example suggest that L-1 and L-2 metrics alone are not sufficient to avoid spurious adversarial samples. Interestingly, the threshold attack of the proposed assessment is a novel L-infinity black-box adversarial method which requires even smaller perturbation than the One-Pixel Attack (only 12% of the One-Pixel Attack's amount of perturbation) to achieve similar results. We further show that all current networks and defences are vulnerable at all levels of robustness, suggesting that current networks and defences are only effective against a few attacks, keeping the models vulnerable to different types of attacks.
