LG · CR · CV · May 2, 2023

Stratified Adversarial Robustness with Rejection

arXiv:2305.01139v2 · 4 citations
Originality: Incremental advance
AI Analysis

This work addresses the challenge of balancing rejection costs and robustness in adversarial settings for machine learning security, representing an incremental improvement over existing methods.

The paper tackles the problem of adversarial robustness in classifiers with a rejection option by introducing a stratified rejection setting where rejection cost decreases with perturbation magnitude, and proposes a method that reduces total robust loss by at least 7.3% on CIFAR-10 under strong attacks.

Recently, there is an emerging interest in adversarially training a classifier with a rejection option (also known as a selective classifier) for boosting adversarial robustness. While rejection can incur a cost in many applications, existing studies typically associate zero cost with rejecting perturbed inputs, which can result in the rejection of numerous slightly-perturbed inputs that could be correctly classified. In this work, we study adversarially-robust classification with rejection in the stratified rejection setting, where the rejection cost is modeled by rejection loss functions monotonically non-increasing in the perturbation magnitude. We theoretically analyze the stratified rejection setting and propose a novel defense method -- Adversarial Training with Consistent Prediction-based Rejection (CPR) -- for building a robust selective classifier. Experiments on image datasets demonstrate that the proposed method significantly outperforms existing methods under strong adaptive attacks. For instance, on CIFAR-10, CPR reduces the total robust loss (for different rejection losses) by at least 7.3% under both seen and unseen attacks.

Code Implementations: 1 repo