Gradient-based attacks are a primary tool to evaluate robustness of machine-learning models. However, many attacks tend to provide overly-optimistic evaluations as they use fixed loss functions, optimizers, step-size schedulers, and default hyperparameters. In this work, we tackle these limitations by proposing a parametric variation of the well-known fast minimum-norm attack algorithm, whose loss, optimizer, step-size scheduler, and hyperparameters can be dynamically adjusted. We re-evaluate 12 robust models, showing that our attack finds smaller adversarial perturbations without requiring any additional tuning. This also enables reporting adversarial robustness as a function of the perturbation budget, providing a more complete evaluation than that offered by fixed-budget attacks, while remaining efficient. We release our open-source code at https://github.com/pralab/HO-FMN.

翻译：基于梯度的攻击是评估机器学习模型鲁棒性的主要工具。然而，许多攻击由于采用固定的损失函数、优化器、步长调度器及默认超参数，往往提供过于乐观的评估结果。本研究通过提出一种参数化的快速最小范数攻击算法变体来解决这些局限，该算法的损失函数、优化器、步长调度器及超参数均可动态调整。我们重新评估了12个鲁棒模型，结果表明，我们的攻击能够在无需额外调优的情况下找到更小的对抗性扰动。这还支持将对抗鲁棒性报告为扰动预算的函数，从而提供比固定预算攻击更全面的评估，同时保持高效性。我们的开源代码发布于 https://github.com/pralab/HO-FMN。