Evaluating Adversarial Robustness with Expected Viable Performance
McCoppin, Ryan, Dawson, Colin, Kennedy, Sean M., Blaha, Leslie M.
arXiv.org Artificial Intelligence
Abstract: We introduce a metric for evaluating the robustness of a classifier, with particular attention to adversarial perturbations, in terms of expected functionality with respect to possible adversarial perturbations. Defining robustness in terms of an expected value is motivated by a domain-general approach to robustness quantification.

In support of this, it is desirable to have an approach to quantifying robustness that applies generally across [...] We adopt the perspective that robustness is the ability of an ML system to maintain its functionality at an acceptable level of performance when some aspect of the system is subject to perturbation, consistent with the domain-general definition laid [...]

Adversarial ML arises when some aspect of the system is intentionally manipulated to cause the classifier to make errors. Adversarial robustness specifically seeks to measure a model's performance when these perturbations are chosen selectively to be maximally disruptive. For example, evasion attacks add human-imperceptible perturbations to a data instance to alter the output of a classifier, as illustrated in Figure 1.
Sep-18-2023