The machine learning security community has developed myriad defenses for evasion attacks over the past decade. An understudied question in that community is: for whom do these defenses defend? In this work, we consider some common approaches to defending learned systems and whether those approaches may offer unexpected performance inequities when used by different sub-populations. We outline simple parity metrics and a framework for analysis that can begin to answer this question through empirical results of the fairness implications of machine learning security methods. Many methods have been proposed that can cause direct harm, which we describe as biased vulnerability and biased rejection. Our framework and metric can be applied to robustly trained models, preprocessing-based methods, and rejection methods to capture behavior over security budgets. We identify a realistic dataset with a reasonable computational cost suitable for measuring the equality of defenses. Through a case study in speech command recognition, we show how such defenses do not offer equal protection for social subgroups and how to perform such analyses for robustness training, and we present a comparison of fairness between two rejection-based defenses: randomized smoothing and neural rejection. We offer further analysis of factors that correlate to equitable defenses to stimulate the future investigation of how to assist in building such defenses. To the best of our knowledge, this is the first work that examines the fairness disparity in the accuracy-robustness trade-off in speech data and addresses fairness evaluation for rejection-based defenses.

翻译：在过去十年中，机器学习安全社区针对逃逸攻击开发了众多防御方法。但一个尚未得到充分研究的问题是：这些防御措施究竟为谁提供保护？本文探讨了防御学习系统的几种常见方法，并分析这些方法在应用于不同子群体时是否会导致意外的性能不均衡现象。我们提出了简单的平等性度量指标及分析框架，通过机器学习安全方法公平性影响的实证结果，初步回答这一问题。许多已被提出的方法可能导致直接伤害，我们将其定义为"偏见性脆弱性"和"偏见性拒绝"。我们的框架和度量指标可应用于鲁棒训练模型、基于预处理的方法以及拒绝方法，用于捕获安全预算下的行为表现。我们选取了一个计算成本合理且适合度量防御平等性的真实数据集。通过语音命令识别案例研究，我们展示了这类防御措施如何无法为社会子群体提供平等保护，以及如何对鲁棒训练展开此类分析，并比较了两种基于拒绝的防御方法（随机平滑与神经拒绝）的公平性差异。我们进一步分析了与公平防御相关的因素，以推动未来如何构建此类防御方法的研究。据我们所知，这是首项针对语音数据中准确性-鲁棒性权衡的公平性差异进行考察，并解决基于拒绝的防御方法公平性评估的研究。