SPADE: A Spectral Method for Black-Box Adversarial Robustness Evaluation
This work provides a new black-box method for evaluating adversarial robustness, which is important for researchers and practitioners in machine learning security.
This paper introduces SPADE, a black-box spectral method for evaluating the adversarial robustness of machine learning models. It constructs input and output graphs that approximate the corresponding data manifolds and exploits a bijective distance mapping between them to define a SPADE score, which is proved to be an upper bound on the best Lipschitz constant in the manifold setting. The method also identifies the most vulnerable data samples through a spectral graph embedding and shows promising results on adversarially trained neural networks for MNIST and CIFAR-10.
A black-box spectral method is introduced for evaluating the adversarial robustness of a given machine learning (ML) model. Our approach, named SPADE, exploits a bijective distance mapping between the input and output graphs constructed to approximate the manifolds of the input and output data. By leveraging the generalized Courant-Fischer theorem, we propose a SPADE score for evaluating the adversarial robustness of a given model, which is proved to be an upper bound on the best Lipschitz constant in the manifold setting. To reveal the most non-robust data samples, those most vulnerable to adversarial attacks, we develop a spectral graph embedding procedure based on the dominant generalized eigenvectors. This embedding step assigns each data sample a robustness score that can be further harnessed for more effective adversarial training. Our experiments show that the proposed SPADE method leads to promising empirical results for neural network models adversarially trained on the MNIST and CIFAR-10 data sets.
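The following toy implementation is an added illustration of the pipeline the abstract describes, not the authors' code. It assumes concrete choices the abstract leaves open: unweighted k-NN graphs over the same samples in input and output space, the largest generalized eigenvalue of L_X v = λ L_Y v (largest eigenvalue of pinv(L_Y) L_X) as the model-level SPADE score, and per-sample scores taken as the embedding distance of each sample to its input-graph neighbours, where the embedding uses the top-m generalized eigenvectors scaled by the square root of their eigenvalues. A sample whose input neighbours are pushed far away in output space is then flagged as non-robust.

```python
import numpy as np


def knn_laplacian(points, k):
    """Laplacian of an unweighted, symmetrised k-NN graph over the rows of points.
    Assumed construction: unit edge weights, ties broken by sample index."""
    pts = np.asarray(points, dtype=float).reshape(len(points), -1)
    n = len(pts)
    dist = np.linalg.norm(pts[:, None, :] - pts[None, :, :], axis=-1)
    np.fill_diagonal(dist, np.inf)            # never pick yourself as a neighbour
    adj = np.zeros((n, n))
    for i in range(n):
        for j in np.argsort(dist[i], kind="stable")[:k]:
            adj[i, j] = adj[j, i] = 1.0
    return np.diag(adj.sum(axis=1)) - adj


def spade(x, y, k=2, m=2):
    """Return (score, node_scores) for samples x and their model outputs y.

    score        : largest eigenvalue of pinv(L_Y) @ L_X, i.e. the largest
                   generalized eigenvalue of L_X v = lam * L_Y v (assumed
                   instantiation of the Lipschitz upper bound in the abstract).
    node_scores  : for sample i, sum over its input-graph neighbours j of
                   ||U_i - U_j||^2, where U holds the top-m generalized
                   eigenvectors scaled by sqrt(lam); larger means less robust.
    Both k-NN graphs must be connected so that the pseudo-inverse formulation
    matches the generalized eigenproblem (null spaces coincide)."""
    lx, ly = knn_laplacian(x, k), knn_laplacian(y, k)
    n = lx.shape[0]
    if np.linalg.matrix_rank(lx) != n - 1 or np.linalg.matrix_rank(ly) != n - 1:
        raise ValueError("both k-NN graphs must be connected")
    vals, vecs = np.linalg.eig(np.linalg.pinv(ly) @ lx)
    vals, vecs = np.real(vals), np.real(vecs)   # product of PSD matrices: real spectrum
    order = np.argsort(vals)[::-1]              # dominant generalized eigenpairs first
    top = order[:m]
    emb = vecs[:, top] * np.sqrt(np.maximum(vals[top], 0.0))
    adj_x = -lx.copy()
    np.fill_diagonal(adj_x, 0.0)
    node_scores = np.array([
        sum(np.sum((emb[i] - emb[j]) ** 2) for j in np.flatnonzero(adj_x[i]))
        for i in range(n)])
    return float(vals[order[0]]), node_scores


if __name__ == "__main__":
    # Constructed 1-D example: a "model" that leaves every sample in place except
    # sample 4, which it throws far away from its input-space neighbours.
    xs = [[float(i)] for i in range(10)]
    ys = [[float(i)] for i in range(10)]
    ys[4] = [20.0]
    print(spade(xs, xs, m=1)[0], spade(xs, ys, m=1))
```

With identical input and output graphs the score is exactly 1; displacing sample 4 raises it above 3 and puts the largest per-sample score on or next to sample 4.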