Machine-learning models are known to be vulnerable to evasion attacks that perturb model inputs to induce misclassifications. In this work, we identify real-world scenarios where the true threat cannot be assessed accurately by existing attacks. Specifically, we find that conventional metrics measuring targeted and untargeted robustness do not appropriately reflect a model's ability to withstand attacks from one set of source classes to another set of target classes. To address the shortcomings of existing methods, we formally define a new metric, termed group-based robustness, that complements existing metrics and is better-suited for evaluating model performance in certain attack scenarios. We show empirically that group-based robustness allows us to distinguish between models' vulnerability against specific threat models in situations where traditional robustness metrics do not apply. Moreover, to measure group-based robustness efficiently and accurately, we 1) propose two loss functions and 2) identify three new attack strategies. We show empirically that with comparable success rates, finding evasive samples using our new loss functions saves computation by a factor as large as the number of targeted classes, and finding evasive samples using our new attack strategies saves time by up to 99\% compared to brute-force search methods. Finally, we propose a defense method that increases group-based robustness by up to 3.52$\times$.

翻译：机器学习模型已知易受规避攻击影响，这类攻击通过扰动模型输入来诱导错误分类。本文识别出真实场景中现有攻击无法准确评估实际威胁的情况。具体而言，我们发现衡量定向与非定向鲁棒性的传统指标无法恰当反映模型抵御从一组源类别到另一组目标类别攻击的能力。为弥补现有方法的不足，我们正式定义了一项新指标——基于分组的鲁棒性，该指标补充现有评估体系，更适用于特定攻击场景下的模型性能评估。实验表明，当传统鲁棒性指标失效时，基于分组的鲁棒性能够区分模型对不同威胁模型的脆弱性。此外，为高效精确测量基于分组的鲁棒性，我们：1）提出两种损失函数，2）识别三种新型攻击策略。实验证明，在成功率相当的情况下，使用新损失函数寻找规避样本的计算量可降低至目标类别数倍的倒数，而采用新攻击策略相比暴力搜索方法可节省高达99%的时间。最终，我们提出一种防御方法，将基于分组的鲁棒性提升至3.52倍。