ML, LG, SP, ME | Oct 1, 2025

On the Adversarial Robustness of Learning-based Conformal Novelty Detection

arXiv:2510.00463v1 | 1 citations | h-index: 3
Originality: Incremental advance
AI Analysis

This work addresses the vulnerability of statistical novelty detection methods to adversarial attacks, which is a critical problem for ensuring reliable anomaly detection in security-sensitive applications, though it is incremental in exploring robustness for an existing framework.

The paper studied the adversarial robustness of AdaDetect, a learning-based conformal novelty detection method with finite-sample false discovery rate (FDR) control, and found that adversarial perturbations can significantly increase FDR while maintaining high detection power, exposing limitations in current error-controlled methods.

This paper studies the adversarial robustness of conformal novelty detection. In particular, we focus on AdaDetect, a powerful learning-based framework for novelty detection with finite-sample false discovery rate (FDR) control. While AdaDetect provides rigorous statistical guarantees under benign conditions, its behavior under adversarial perturbations remains unexplored. We first formulate an oracle attack setting that quantifies the worst-case degradation of FDR, deriving an upper bound that characterizes the statistical cost of attacks. This idealized formulation directly motivates a practical and effective attack scheme that only requires query access to AdaDetect's output labels. Coupling these formulations with two popular and complementary black-box adversarial algorithms, we systematically evaluate the vulnerability of AdaDetect on synthetic and real-world datasets. Our results show that adversarial perturbations can significantly increase the FDR while maintaining high detection power, exposing fundamental limitations of current error-controlled novelty detection methods and motivating the development of more robust alternatives.
