The robustness of modern machine learning (ML) models has become an increasing concern within the community. The ability to subvert a model into making errant predictions using seemingly inconsequential changes to its input is startling, as is our lack of success in building models that are robust to such changes. Existing research shows progress, but current mitigations come at a high cost and simultaneously reduce the model's accuracy. However, such trade-offs may not be necessary when other design choices can sidestep the risk. In this survey we review the current literature on attacks and their real-world occurrences, or the limited evidence thereof, to critically evaluate the real-world risks of adversarial machine learning (AML) for the average entity. This is done with an eye toward how one would then mitigate these attacks in practice, the risks of production deployment, and how those risks could be managed. In doing so we show that many AML threats do not warrant the cost and trade-offs of robustness, owing either to a low likelihood of attack or to the availability of superior non-ML mitigations. Our analysis also identifies the cases where an actor should be concerned about AML to the degree that robust ML models are necessary for a complete deployment.