AutoAdvExBench: Benchmarking autonomous exploitation of adversarial example defenses
This provides a practical benchmark for machine learning security researchers to assess LLMs' real-world adversarial exploitation capabilities, though it is incremental relative to existing security benchmarks.
The authors introduced AutoAdvExBench, a benchmark to evaluate large language models' ability to autonomously exploit adversarial example defenses, finding that their best agent succeeded on 21% of real-world defenses but 54% of CTF-like defenses, revealing a significant gap in difficulty.
We introduce AutoAdvExBench, a benchmark to evaluate if large language models (LLMs) can autonomously exploit defenses to adversarial examples. Unlike existing security benchmarks that often serve as proxies for real-world tasks, bench directly measures LLMs' success on tasks regularly performed by machine learning security experts. This approach offers a significant advantage: if a LLM could solve the challenges presented in bench, it would immediately present practical utility for adversarial machine learning researchers. We then design a strong agent that is capable of breaking 75% of CTF-like ("homework exercise") adversarial example defenses. However, we show that this agent is only able to succeed on 13% of the real-world defenses in our benchmark, indicating the large gap between difficulty in attacking "real" code, and CTF-like code. In contrast, a stronger LLM that can attack 21% of real defenses only succeeds on 54% of CTF-like defenses. We make this benchmark available at https://github.com/ethz-spylab/AutoAdvExBench.