[论文解读] Robustness Assessment for Adversarial Machine Learning: Problems, Solutions and a Survey of Current Neural Networks and Defenses

In adversarial machine learning, there are a huge number of attacks of various types which evaluates robustness for new models and defences a daunting task. To make matters worse, there is an inherent bias in attacks and defences. Here, we organize the problems faced (model dependence, insufficient evaluation, false adversarial samples and perturbation dependent results) and propose a model agnostic dual ($L_0$ and $L_\infty$) quality assessment method together with the concept of robustness levels to tackle them. We validate the dual quality assessment on state-of-the-art models (WideResNet, ResNet, AllConv, DenseNet, NIN, LeNet and CapsNet) as well as the current hardest defences proposed at ICLR 2018 and the widely known adversarial training, showing that current models and defences are vulnerable in all levels of robustness. The robustness assessment show that depending on the metric used (i.e., $L_0$ or $L_\infty$) the robustness may change significantly and therefore duality should be taken into account for a correct assessment. Moreover, a mathematical derivation, as well as a counterexample, suggest that $L_1$ and $L_2$ metrics alone are not enough to avoid false adversarial samples. Interestingly, a by-product of the assessment proposed is a novel $L_\infty$ black-box method which requires even less perturbation than the One-Pixel Attack (only 12\% of One-Pixel Attack's amount of perturbation) to achieve similar results. Thus, this paper elucidates the problems of robustness evaluation, proposes a dual quality assessment to tackle them as well as survey the robustness of current models and defences. Code available at http://bit.ly/DualQualityAssessment.