Machine learning models are known to be susceptible to adversarial attacks, which can cause misclassification by introducing small but well designed perturbations. In this paper, we consider a classical hypothesis testing problem in order to develop fundamental insight into defending against such adversarial perturbations. We interpret an adversarial perturbation as a nuisance parameter, and propose a defense based on applying the generalized likelihood ratio test (GLRT) to the resulting composite hypothesis testing problem, jointly estimating the class of interest and the adversarial perturbation. While the GLRT approach is applicable to general multi-class hypothesis testing, we first evaluate it for binary hypothesis testing in white Gaussian noise under $\ell _{\infty }$ norm-bounded adversarial perturbations, for which a known minimax defense optimizing for the worst-case attack provides a benchmark. We derive the worst-case attack for the GLRT defense, and show that its asymptotic performance (as the dimension of the data increases) approaches that of the minimax defense. For non-asymptotic regimes, we show via simulations that the GLRT defense is competitive with the minimax approach under the worst-case attack, while yielding a better robustness-accuracy trade-off under weaker attacks. We also illustrate the GLRT approach for a multi-class hypothesis testing problem, for which a minimax strategy is not known, evaluating its performance under both noise-agnostic and noise-aware adversarial settings, by providing a method to find optimal noise-aware attacks, and ideas to find noise-agnostic attacks that are close to optimal in the high SNR regime. We show through experiments the application of the GLRT defense in colored Gaussian noise. We also demonstrate the use of GLRT defense beyond Gaussian settings by considering Laplacian noise and illustrating how our rule simplifies.

中文翻译：

---

对抗性稳健假设检验的广义似然比检验

众所周知，机器学习模型容易受到对抗性攻击，这可能会通过引入小的但设计良好的扰动而导致错误分类。在本文中，我们考虑了一个经典的假设检验问题，以便对防御这种对抗性扰动产生基本的洞察力。我们将对抗性扰动解释为令人讨厌的参数，并基于将广义似然比检验 (GLRT) 应用于所产生的复合假设检验问题，共同估计感兴趣的类别和对抗性扰动，提出了一种防御措施。虽然 GLRT 方法适用于一般的多类假设检验，但我们首先评估它在高斯白噪声下的二元假设检验$\ell _{\infty }$范数有界对抗性扰动，针对最坏情况攻击优化的已知极小极大防御提供了基准。我们推导出 GLRT 防御的最坏情况攻击，并表明其渐近性能（随着数据维度的增加）接近极小极大防御。对于非渐近方案，我们通过模拟表明，GLRT 防御在最坏情况下的攻击下与 minimax 方法具有竞争力，同时在较弱的攻击下产生更好的鲁棒性 - 准确性权衡。我们还说明了用于多类假设检验问题的 GLRT 方法，该问题的极小极大策略未知，通过提供一种找到最佳噪声感知攻击的方法来评估其在与噪声无关和噪声感知对抗设置下的性能, 以及寻找在高信噪比情况下接近最优的与噪声无关的攻击的想法。我们通过实验展示了 GLRT 防御在彩色高斯噪声中的应用。我们还通过考虑拉普拉斯噪声和说明我们的规则如何简化来演示在高斯设置之外使用 GLRT 防御。