How Worst-Case Are Adversarial Attacks? Linking Adversarial and Statistical Robustness
Giulio Rossolini
TL;DR
This paper interrogates whether adversarial perturbations provide a representative proxy for robustness to random noise. It introduces directional noisy risk, a probabilistic metric $\,\mathcal{R}(x; v, \kappa, r)$ that interpolates between isotropic noise ($\kappa=0$) and adversarial direction (large $\kappa$) via Gaussian perturbations projected onto the $\ell_p$-sphere, and proposes a directional noisy attack (DN-Attack) that optimizes for risk in low-$\kappa$ regimes. Through experiments on ImageNet-Val and CIFAR-10 across multiple architectures, the authors show that many standard attacks achieve high success only in highly directional, worst-case regimes, while DN-attacks reveal broader, noise-aligned failure regions that are more relevant for safety evaluations. The work provides practical guidelines for robustness assessment, highlighting when adversarial success reflects noisy risk and when it does not, and connects robustness evaluation to model confidence analyses and dimensionality considerations. Overall, the directional noisy risk framework and DN-attack offer a nuanced, statistically grounded approach to evaluating robustness beyond worst-case perturbations.
Abstract
Adversarial attacks are widely used to evaluate model robustness, yet their validity as proxies for robustness to random perturbations remains debated. We ask whether an adversarial perturbation provides a representative estimate of robustness under random noise of the same magnitude, or instead reflects an atypical worst-case event. To this end, we introduce a probabilistic metric that quantifies noisy risk with respect to directionally biased perturbation distributions, parameterized by a concentration factor $κ$ that interpolates between isotropic noise and adversarial direction. Using this framework, we study the limits of adversarial perturbations as estimators of noisy risk by proposing an attack strategy designed to operate in regimes statistically closer to uniform noise. Experiments on ImageNet and CIFAR-10 systematically benchmark widely used attacks, highlighting when adversarial success meaningfully reflects noisy risk and when it fails, thereby informing their use in safety-oriented evaluation.
