Real Attackers Don`t Compute Gradients: Bridging the Gap Between Adversarial ML Research and Practice

Apruzzese, G., Anderson, H. S., Dambra, S., Freeman, D., Pierazzi, F., & Roundy, K. A., IEEE Conference on Secure and Trustworthy Machine Learning, 2023 Conference
Oneliner: Let's change the domain of adversarial ML. For real.

Abstract. Recent years have seen a proliferation of research on adversarial machine learning. Numerous papers demonstrate powerful algorithmic attacks against a wide variety of machine learning (ML) models, and numerous other papers propose defenses that can withstand most attacks. However, abundant real-world evidence suggests that actual attackers use simple tactics to subvert ML-driven systems, and as a result security practitioners have not prioritized adversarial ML defenses.

Motivated by the apparent gap between researchers and practitioners, this position paper aims to bridge these two domains. We first present three real-world case studies from which we can glean practical insights unknown or neglected in research. Next, we analyze all adversarial ML papers recently published in top security conferences and highlight positive trends and blind spots. Finally, we state positions on precise and cost-driven threat modeling, collaboration between industry and academia, and reproducible research. If adopted, our positions will increase the real-world impact of future endeavours in adversarial ML, bringing both researchers and practitioners closer to their shared goal of improving the security of ML systems.

Paper PDF Cite OpenReview Website Talk