Chapter 9. Evaluating Model Robustness to Adversarial Inputs
To begin the exploration of defenses, this chapter looks at evaluating the robustness of DNN models against adversarial examples. This will provide the foundations for understanding the effectiveness of the defenses described in Chapter 10.
Evaluating the robustness of individual DNN components enables objective comparison of models and defense approaches. For example, this might be for research purposes, to see whether a new defense approach is more or less effective than previous approaches. Alternatively, evaluation may be necessary to ensure that the most recently deployed model in your organization is equally or more secure than the previous version.
Model evaluation requires a consistent methodology and consistent measures to ensure that the metrics used for comparison are objective. Unfortunately, generating metrics that indicate a neural network’s ability to defend against adversarial examples is not simple. We need to initially answer the question: defense against what? Therefore, based on Chapter 7 and Chapter 8, we will begin by considering how we model the threat that is being defended against. This is the threat model discussed in “Adversarial Goals, Capabilities, Constraints, and Knowledge”.
Complete Knowledge Evaluation
When evaluating defenses, it’s important to bear in mind that keeping the workings of the target system secret should never be viewed as defense in itself. Information security practice does ...