QUICK REVIEW

[Paper Review] Generalized Likelihood Ratio Test for Adversarially Robust Hypothesis Testing

Bhagyashree Puranik, Upamanyu Madhow | arXiv (Cornell University) | Dec 4, 2021
Adversarial Robustness in Machine Learning · 23 references · 4 citations
TL;DR

This paper proposes a Generalized Likelihood Ratio Test (GLRT) defense for adversarially robust hypothesis testing by jointly estimating the true class and adversarial perturbation as a nuisance parameter. It demonstrates that the GLRT asymptotically achieves minimax performance under ℓ∞-bounded attacks and outperforms minimax defenses in non-asymptotic regimes with better robustness-accuracy trade-offs, especially under weaker attacks.

ABSTRACT

Machine learning models are known to be susceptible to adversarial attacks which can cause misclassification by introducing small but well designed perturbations. In this paper, we consider a classical hypothesis testing problem in order to develop fundamental insight into defending against such adversarial perturbations. We interpret an adversarial perturbation as a nuisance parameter, and propose a defense based on applying the generalized likelihood ratio test (GLRT) to the resulting composite hypothesis testing problem, jointly estimating the class of interest and the adversarial perturbation. While the GLRT approach is applicable to general multi-class hypothesis testing, we first evaluate it for binary hypothesis testing in white Gaussian noise under $\ell_{\infty}$ norm-bounded adversarial perturbations, for which a known minimax defense optimizing for the worst-case attack provides a benchmark. We derive the worst-case attack for the GLRT defense, and show that its asymptotic performance (as the dimension of the data increases) approaches that of the minimax defense. For non-asymptotic regimes, we show via simulations that the GLRT defense is competitive with the minimax approach under the worst-case attack, while yielding a better robustness-accuracy tradeoff under weaker attacks. We also illustrate the GLRT approach for a multi-class hypothesis testing problem, for which a minimax strategy is not known, evaluating its performance under both noise-agnostic and noise-aware adversarial settings, by providing a method to find optimal noise-aware attacks, and heuristics to find noise-agnostic attacks that are close to optimal in the high SNR regime.

Motivation & Objective

  • To develop a statistically principled defense against adversarial attacks in machine learning using classical hypothesis testing frameworks.
  • To treat adversarial perturbations as nuisance parameters in composite hypothesis testing, enabling joint estimation of class and perturbation.
  • To provide a general defense framework applicable beyond binary classification, especially where minimax strategies are unknown.
  • To analyze the robustness-accuracy trade-off of the GLRT under varying attack strengths, including weak and strong adversaries.
  • To establish theoretical performance bounds and asymptotic equivalence to minimax strategies under ℓ∞-bounded perturbations.

Proposed method

  • Formulates adversarial robustness as a composite hypothesis testing problem where the adversarial perturbation is treated as a nuisance parameter.
  • Applies the Generalized Likelihood Ratio Test (GLRT) to jointly estimate the true class and the perturbation, maximizing the likelihood under both hypotheses.
  • Derives the worst-case attack for the GLRT defense using variational optimization, enabling performance comparison with minimax strategies.
  • Uses asymptotic analysis (large dimension d) to show that GLRT performance approaches that of the known minimax defense.
  • Develops noise-aware and noise-agnostic attack heuristics for multi-class settings, with optimal attack computation via conditional expectation and Mills' ratio approximations.
  • Employs Lindeberg’s condition and central limit theorem arguments to justify asymptotic normality of cost differences across coordinates.

Experimental results

Research questions

  • RQ1: Can the GLRT framework achieve minimax performance in adversarially robust binary hypothesis testing under ℓ∞-bounded perturbations?
  • RQ2: How does the GLRT defense compare to minimax defenses in terms of robustness-accuracy trade-off under varying attack budgets?
  • RQ3: What is the asymptotic performance of the GLRT as the data dimension increases, and does it converge to the minimax risk?
  • RQ4: How can optimal noise-aware and noise-agnostic attacks be constructed in multi-class settings where minimax strategies are unknown?
  • RQ5: Does the GLRT defense adapt better to weaker attacks than pessimistic minimax strategies due to joint estimation of class and perturbation?

Key findings

  • The GLRT defense asymptotically achieves the same performance as the known minimax defense under ℓ∞-bounded attacks as the data dimension d → ∞.
  • In non-asymptotic regimes, the GLRT outperforms minimax defenses in terms of robustness-accuracy trade-off, especially under weaker attacks.
  • The per-coordinate cost difference in the GLRT is monotonically non-decreasing in the attack magnitude e when the signal mean µ ≥ 0, indicating adaptive response to attack strength.
  • For µ < 0, the cost difference is monotonically decreasing in e, showing that the GLRT adapts differently based on signal polarity.
  • The Lindeberg condition is satisfied for the sum of per-coordinate cost differences, justifying the use of the central limit theorem in asymptotic analysis.
  • Theoretical analysis confirms that the expected values of squared and linear cost differences vanish in the limit, supporting convergence to optimal performance.
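The binary GLRT defense described under "Proposed method" (and the monotone cost-difference behaviour noted in the key findings) can be made concrete in a few lines. The following is an added illustration, not code from the paper: it assumes class means ±mu in white Gaussian noise, maximises the likelihood over an ℓ∞-bounded nuisance perturbation coordinate by coordinate, and uses a simple "push every coordinate toward the other class" attack rather than the paper's derived worst-case attack.

```python
import random


def glrt_cost(y, mean, eps):
    """Residual energy of y under the hypothesis 'clean mean = mean' after
    maximising the likelihood over a nuisance perturbation e with ||e||_inf <= eps.
    Per coordinate the best e clips the residual to [-eps, eps], so only the part of
    |y_j - mean_j| exceeding eps is paid for."""
    return sum(max(abs(yj - mj) - eps, 0.0) ** 2 for yj, mj in zip(y, mean))


def glrt_decide(y, mu, eps):
    """Binary GLRT: class +1 has mean +mu, class -1 has mean -mu. Returns +1 or -1."""
    cost_pos = glrt_cost(y, mu, eps)
    cost_neg = glrt_cost(y, [-m for m in mu], eps)
    return 1 if cost_pos <= cost_neg else -1


def matched_filter_decide(y, mu):
    """Ordinary likelihood ratio test with no nuisance parameter: sign of <y, mu>.
    With eps = 0 the GLRT reduces to exactly this test."""
    return 1 if sum(yj * mj for yj, mj in zip(y, mu)) >= 0 else -1


def error_rate(mu, eps_defense, eps_attack, sigma=1.0, trials=2000, seed=0):
    """Monte Carlo error probability of the GLRT (assumed budget eps_defense) when an
    attacker shifts each coordinate by eps_attack toward the opposite class.
    This sign-flip attack is a constructed illustration, not the paper's worst case.
    The same seed is used for every call so that different attack strengths are
    evaluated on identical noise draws."""
    rng = random.Random(seed)
    errors = 0
    for _ in range(trials):
        s = rng.choice((1, -1))                      # true class
        y = [s * m - s * eps_attack * (1 if m >= 0 else -1) + rng.gauss(0.0, sigma)
             for m in mu]
        if glrt_decide(y, mu, eps_defense) != s:
            errors += 1
    return errors / trials


if __name__ == "__main__":
    mu = [1.0] * 8                                   # constructed signal mean
    for eps_attack in (0.0, 0.3):
        print(eps_attack, error_rate(mu, 0.3, eps_attack))
```

Because the per-coordinate cost difference is monotone in the observation when mu_j ≥ 0, shifting every coordinate toward the other class can only turn correct decisions into errors, so the attacked error rate is never below the clean one on the same noise draws.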


This review was created by AI and reviewed by human editors.