Abstract
The study of enhancing model robustness against adversarial examples has become increasingly critical in the security of deep learning, leading to the development of numerous adversarial defense techniques. While these defense methods have shown promise in mitigating the impact of adversarial perturbations, evaluating their effectiveness remains a critical challenge. The recently introduced AutoAttack technique has been recognized as a standardized method for assessing model robustness. However, the computational demands of the AutoAttack method significantly limits its applicability, underscoring the urgent need for efficient evaluation techniques. To address this challenge, we propose a novel and efficient evaluation framework based on strategic constraint relaxation. Our key insight is that temporarily expanding the adversarial perturbation bounds during the attack process can help discover more effective adversarial examples. Based on this insight, we develop the Constraint Relaxation Attack (CR Attack) method, which systematically relaxes and resets perturbation constraints during optimization. Extensive experiments on 105 robust models show that CR Attack outperforms AutoAttack in both attack success rate and efficiency, reducing forward and backward propagation time by 38.3× and 15.9× respectively. Through comprehensive analysis, we validate that the constraint relaxation mechanism is crucial for the method's effectiveness.
| Original language | English |
|---|---|
| Title of host publication | Proceedings of the 39th Annual AAAI Conference on Artificial Intelligence |
| Publisher | PKP Publishing Services Network |
| Pages | 6263-6271 |
| Volume | 39 |
| Edition | 6 |
| DOIs | |
| Publication status | Published - 11 Apr 2025 |
Publication series
| Name | Proceedings of the AAAI Conference on Artificial Intelligence |
|---|---|
| Publisher | Association for the Advancement of Artificial Intelligence |
| ISSN (Print) | 2159-5399 |
Funding
We extend our sincere thanks to the anonymous reviewers, whose detailed and thoughtful feedback led to substantial improvements in the manuscript. This work was supported by the National Natural Science Foundation of China under Grant 62250710682, Guangdong Provincial Key Laboratory under Grant 2020B121201001, and the Program for Guangdong Introducing Innovative and Entrepreneurial Teams under Grant 2017ZT07X386. The work described in this paper was (partially) supported by a grant from HK RGC Themebased Research Scheme (PolyU No.: T43-513/23-N).