Recently, there has been emerging interest in adversarially training a classifier with a rejection option (also known as a selective classifier) to boost adversarial robustness. While rejection can incur a cost in many applications, existing studies typically associate zero cost with rejecting perturbed inputs, which can result in the rejection of numerous slightly perturbed inputs that could be correctly classified. In this work, we study adversarially robust classification with rejection in the stratified rejection setting, where the rejection cost is modeled by rejection loss functions that are monotonically non-increasing in the perturbation magnitude. We theoretically analyze the stratified rejection setting and propose a novel defense method -- Adversarial Training with Consistent Prediction-based Rejection (CPR) -- for building a robust selective classifier. Experiments on image datasets demonstrate that the proposed method significantly outperforms existing methods under strong adaptive attacks. For instance, on CIFAR-10, CPR reduces the total robust loss (for different rejection losses) by at least 7.3% under both seen and unseen attacks.