English

Detecting Adversarial Examples Is (Nearly) As Hard As Classifying Them

Machine Learning 2022-06-17 v2 Cryptography and Security Machine Learning

Abstract

Making classifiers robust to adversarial examples is hard. Thus, many defenses tackle the seemingly easier task of detecting perturbed inputs. We show a barrier towards this goal. We prove a general hardness reduction between detection and classification of adversarial examples: given a robust detector for attacks at distance {\epsilon} (in some metric), we can build a similarly robust (but inefficient) classifier for attacks at distance {\epsilon}/2. Our reduction is computationally inefficient, and thus cannot be used to build practical classifiers. Instead, it is a useful sanity check to test whether empirical detection results imply something much stronger than the authors presumably anticipated. To illustrate, we revisit 13 detector defenses. For 11/13 cases, we show that the claimed detection results would imply an inefficient classifier with robustness far beyond the state-of-the-art.

Keywords

Cite

@article{arxiv.2107.11630,
  title  = {Detecting Adversarial Examples Is (Nearly) As Hard As Classifying Them},
  author = {Florian Tramèr},
  journal= {arXiv preprint arXiv:2107.11630},
  year   = {2022}
}

Comments

ICML 2022 (Long Talk)

R2 v1 2026-06-24T04:29:19.732Z