AI Security Research Should Better Incentivize Defense Research
For the AI security research community, this paper highlights a systemic bias that undermines practical defense development.
This paper identifies an imbalance in AI security research, with more attack papers than defense papers, and argues that attack evaluations are often overly favorable while defenses face stricter standards, leading to a literature rich in vulnerabilities but thin on usable protections.
This work examines an imbalance in artificial intelligence (AI) security research: the field tends to produce more work on attacking AI systems than on defending them. Drawing on related academic papers, we find biased attack-to-defense ratios across subfields, including federated learning, speech recognition, membership inference, and large language models. The imbalance possibly goes far beyond a simple count: attack papers are routinely evaluated under favorable conditions that make threats look more severe than they are in practice, while defenses are held to a stricter standard that few can meet. The result is a literature rich in demonstrated vulnerabilities and thin on usable and deployed protections. We thus argue that AI security research should better incentivize defense research.