Machine-learning models are known to be vulnerable to evasion attacks that perturb model inputs to induce misclassifications. In this work, we identify real-world scenarios where the true threat cannot be assessed accurately by existing attacks. Specifically, we find that conventional metrics measuring targeted and untargeted robustness do not appropriately reflect a model's ability to withstand attacks from one set of source classes to another set of target classes. To address the shortcomings of existing methods, we formally define a new metric, termed group-based robustness, that complements existing metrics and is better-suited for evaluating model performance in certain attack scenarios. We show empirically that group-based robustness allows us to distinguish between models' vulnerability against specific threat models in situations where traditional robustness metrics do not apply. Moreover, to measure group-based robustness efficiently and accurately, we 1) propose two loss functions and 2) identify three new attack strategies. We show empirically that with comparable success rates, finding evasive samples using our new loss functions saves computation by a factor as large as the number of targeted classes, and finding evasive samples using our new attack strategies saves time by up to 99\% compared to brute-force search methods. Finally, we propose a defense method that increases group-based robustness by up to 3.52$\times$.

翻译：机器学习模型已知易受逃避攻击影响，此类攻击通过扰动模型输入诱导错误分类。本工作中，我们识别出真实场景中现有攻击无法准确评估真实威胁的情况——具体而言，我们发现测量定向与非定向鲁棒性的传统指标无法恰当反映模型抵御从一组源类别到另一组目标类别攻击的能力。为弥补现有方法的不足，我们形式化定义了一个新指标——基于群体的鲁棒性，该指标补充现有指标并能更优地评估特定攻击场景下的模型性能。实验表明，在传统鲁棒性指标失效的情景中，基于群体的鲁棒性可有效区分模型针对特定威胁模型的脆弱性。此外，为高效准确测量该指标，我们：1）提出两种损失函数；2）识别三种新型攻击策略。实验证明，在成功率相当的情况下，使用新损失函数寻找逃避样本的计算量可节省多达目标类别规模的因子，而采用新攻击策略寻找逃避样本相比暴力搜索方法可节省高达99%的时间。最后，我们提出一种防御方法，将基于群体的鲁棒性提升至3.52倍。