MLASTG-TEST-MODEL-001: Adversarial Robustness & Evasion Testing
Control Reference
- MLASVS-MODEL-001: Adversarial Robustness Testing
- MLASVS-MODEL-002: Input Perturbation Limits
- MLASVS-MODEL-003: Model Input Validation
- MLASVS-MODEL-010: Anomalous Input Detection
- MLASVS-MODEL-012: Resource Limits on Inference
- MLASVS-MODEL-016: Certified Adversarial Robustness - L2
- MLASVS-MODEL-017: Robustness Certification - L2
- MLASVS-MODEL-024: Adversarial Training Validation - L2
- MLASVS-MODEL-025: Feature Squeezing Validation - L2
- MLASVS-MODEL-026: Model Ensemble Diversity - L2
- MLASVS-MODEL-027: Certified Defense Mechanisms - L2
- MLASVS-MODEL-028: Red Team Exercise Completion - L2
- MLASVS-MODEL-029: Continuous Adversarial Retesting - L2
Severity
High (L1) / Critical (L2)
Prerequisites
| Requirement | Details |
| Tools | IBM ART (pip install adversarial-robustness-toolbox) |
| Model Access | White-box (architecture + weights) or black-box (API access) |
| Test Data | Minimum 1000 representative test samples |
| Compute | GPU recommended for iterative attacks (PGD, CW) |
Step-by-Step Procedure
- Load the target model and test dataset.
- Evaluate clean (unperturbed) accuracy.
- Record baseline metrics using standard metrics.
- Pass condition: Baseline accuracy meets business requirements (e.g., >90%).
- Fail condition: Baseline accuracy is too low to perform meaningful robustness testing.
Step 2: Execute White-Box Evasion Attacks (L1)
- Generate adversarial examples using Fast Gradient Sign Method (FGSM) at moderate perturbation budgets (e.g., ε = 0.1).
- Generate adversarial examples using Projected Gradient Descent (PGD).
- Evaluate model accuracy on the generated adversarial examples.
- Pass condition: Accuracy drop is ≤ 25% under moderate FGSM attack.
- Fail condition: Accuracy drop is > 25% under moderate FGSM attack.
Step 3: Execute Black-Box Evasion Attacks (L1)
- Generate adversarial examples using HopSkipJump attack (decision-based).
- Measure the degradation in model accuracy.
- Pass condition: Accuracy drop is ≤ 25% under HopSkipJump attack.
- Fail condition: Accuracy drop is > 25% under HopSkipJump attack.
Step 4: Analyze Robustness Metrics
- Summarize accuracy under each attack in a results table.
- Verify if the degradation is within acceptable limits for the given severity level.
- Pass condition: All robustness metrics fall within acceptable thresholds for the tested level.
- Fail condition: One or more robustness metrics exceed the acceptable degradation thresholds.
- Send inputs outside the expected range (very large/small values).
- Send inputs with incorrect dimensions.
- Send inputs with NaN/Inf values.
- Pass condition: Invalid inputs are rejected with appropriate errors and not processed.
- Fail condition: Invalid inputs are processed by the model without errors, leading to unexpected outputs or crashes.
Step 6: Execute Certified Robustness Evaluation (L2)
- Implement randomized smoothing certification.
- Document certified accuracy at different radii.
- Pass condition: Certified accuracy ≥ 80% at radius r ≥ 0.1 (L2 norm).
- Fail condition: Certified accuracy is < 80% at radius r ≥ 0.1 (L2 norm).
Step 7: Validate Adversarial Training (L2)
- Verify the training pipeline includes adversarial training (e.g., PGD-AT).
- Compare robust accuracy of the adversarially trained model against the standard trained baseline under the same attack budget.
- Test against attack types not used during adversarial training to assess generalization.
- Pass condition: Adversarially trained model achieves >15% higher robust accuracy than the standard trained model under the same attack budget.
- Fail condition: The model does not demonstrate a significant (>15%) improvement in robust accuracy, or generalizes poorly to unseen attack types.
- Deploy a feature squeezing defense or similar detection mechanism.
- Test detection rate of adversarial inputs.
- Pass condition: Detection rate > 80% with false positive rate < 5%.
- Fail condition: Detection rate is ≤ 80% or false positive rate is ≥ 5%.
Step 9: Review Red Team Reports (L2)
- Verify red team exercises were conducted within the last quarter.
- Review findings for evasion-related vulnerabilities.
- Confirm findings are tracked to remediation.
- Pass condition: Red team exercises are conducted at least quarterly with all evasion findings tracked and remediated.
- Fail condition: Red team exercises are missing, outdated, or findings are unaddressed.
Expected Result
| Level | Expected Outcome |
| L1 | Accuracy drop ≤ 25% under FGSM (ε=0.1) and PGD (ε=0.3, 40 steps); input validation enforces bounds. |
| L2 | Certified robust accuracy ≥ 80% at r ≥ 0.1; adversarial training validated; quarterly red team exercises; continuous testing in CI/CD. |
Evidence Requirements
- Implement adversarial training with PGD-based examples
- Apply feature squeezing preprocessing
- Increase model capacity/resilience
- Implement ensemble methods for diverse defenses
- Consider certified defenses (randomized smoothing)
References
- MITRE ATLAS: AML.T0010 - Adversarial Examples (Evasion)
- MITRE ATLAS: AML.T0029 - Craft Adversarial Data
- MITRE ATLAS: AML.T0043 - Discover Model Ontology
- MLASWE: MLASWE-0001 (Adversarial Perturbation)