bluemsi/2nd
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
95cd8bb891bf94ea5dd50e4a490ee17d5707ecf2
2nd/10_Wiki/Topics/AI_and_ML/Robustness.md
T
Antigravity Agent f8b21af4be Wiki cleanup: error-doc removal, dedup merge, link normalization 
10_Wiki/Topics 대규모 정리:
- 오류 캡처/미완성 stub 문서 227개 제거
- 교차폴더 중복 43클러스터 병합 (63파일 → redirect)
- 링크명 정규화: 깨진 링크 수정·redirect 직결·개념 매핑 ~2,400건
- 카테고리 MOC 6개 신규 생성
- Graph 섹션 미해결 related-keyword 링크 10,058건 제거

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-20 23:52:15 +09:00

194 lines
7.0 KiB
Markdown
Raw Blame History

---
id: wiki-2026-0508-robustness
title: Robustness
category: 10_Wiki/Topics
status: verified
canonical_id: self
aliases: [ML Robustness, Model Robustness, Adversarial Robustness]
duplicate_of: none
source_trust_level: A
confidence_score: 0.9
verification_status: applied
tags: [robustness, adversarial, distribution-shift, certification, safety]
raw_sources: []
last_reinforced: 2026-05-10
github_commit: pending
tech_stack:
language: Python
framework: PyTorch/torchattacks/auto-attack
---
# Robustness
## 매 한 줄
> **"매 model 의 perturbation, distribution shift, adversarial input 의 동안 reliable 의 maintain."**. 2014 Goodfellow 의 adversarial examples 의 discovery 부터 modern certified defenses (randomized smoothing, IBP) 와 LLM jailbreak robustness 까지, 매 ML safety 의 corner-stone, 매 EU AI Act 의 high-risk system 의 mandatory requirement.
## 매 핵심
### 매 robustness 의 axes
- **Adversarial robustness**: L∞/L2 norm-bounded perturbations (FGSM, PGD, AutoAttack).
- **Distribution shift**: covariate shift, label shift, concept drift.
- **Corruption robustness**: ImageNet-C (noise, blur, weather, JPEG).
- **Spurious correlation**: shortcut learning (background, watermark).
- **Prompt injection** (LLM): jailbreaks, system prompt leak.
### 매 defenses
- **Adversarial training** (Madry 2017): train with PGD examples — 매 strongest empirical defense.
- **Randomized smoothing** (Cohen 2019): provable L2 certificate via Gaussian noise.
- **Interval Bound Propagation (IBP)**: tight bound for L∞ certification.
- **Data augmentation**: AugMix, RandAugment for corruption robustness.
- **Distributionally Robust Optimization (DRO)**: worst-group loss minimization.
- **LLM defenses**: constitutional AI, RLHF, input/output filtering, paraphrase.
### 매 응용
1. Autonomous driving (sticker attacks on signs).
2. Medical imaging (cross-hospital domain shift).
3. Content moderation (adversarial evasion).
4. LLM safety (jailbreak resistance).
## 💻 패턴
### PGD Adversarial Attack
```python
import torch
import torch.nn.functional as F
def pgd_attack(model, x, y, eps=8/255, alpha=2/255, steps=10):
x_adv = x + torch.empty_like(x).uniform_(-eps, eps)
x_adv = x_adv.clamp(0, 1).detach().requires_grad_()
for _ in range(steps):
loss = F.cross_entropy(model(x_adv), y)
grad = torch.autograd.grad(loss, x_adv)[0]
x_adv = (x_adv + alpha * grad.sign()).detach()
x_adv = torch.max(torch.min(x_adv, x + eps), x - eps).clamp(0, 1)
x_adv.requires_grad_()
return x_adv
```
### Adversarial Training (Madry)
```python
def adv_train_step(model, opt, x, y, eps=8/255):
x_adv = pgd_attack(model, x, y, eps=eps).detach()
opt.zero_grad()
loss = F.cross_entropy(model(x_adv), y)
loss.backward(); opt.step()
return loss.item()
```
### Randomized Smoothing (certified L2)
```python
from scipy.stats import norm, binomtest
import torch
def smooth_predict(base_model, x, sigma=0.25, n=100, n0=10, alpha=0.001):
"""매 returns (predicted_class, certified_radius_or_None)."""
counts0 = sample_under_noise(base_model, x, sigma, n0)
c_a = counts0.argmax().item()
counts = sample_under_noise(base_model, x, sigma, n)
n_a = counts[c_a].item()
p_lower = binomtest(n_a, n).proportion_ci(1 - 2*alpha).low
if p_lower < 0.5: return c_a, None
radius = sigma * norm.ppf(p_lower)
return c_a, radius
def sample_under_noise(model, x, sigma, n):
x_batch = x.unsqueeze(0).repeat(n, 1, 1, 1)
noise = torch.randn_like(x_batch) * sigma
preds = model(x_batch + noise).argmax(-1)
return torch.bincount(preds, minlength=10)
```
### Distribution Shift Detection (MMD)
```python
import numpy as np
def gaussian_mmd2(X, Y, sigma=1.0):
def kernel(A, B):
d2 = ((A[:, None] - B[None]) ** 2).sum(-1)
return np.exp(-d2 / (2 * sigma ** 2))
Kxx, Kyy, Kxy = kernel(X, X), kernel(Y, Y), kernel(X, Y)
return Kxx.mean() + Kyy.mean() - 2 * Kxy.mean()
```
### Group DRO (worst-group loss)
```python
def group_dro_step(model, opt, batches_by_group, lr_q=0.01):
losses = {g: F.cross_entropy(model(x), y)
for g, (x, y) in batches_by_group.items()}
if not hasattr(group_dro_step, "q"):
group_dro_step.q = {g: 1/len(batches_by_group) for g in batches_by_group}
for g, l in losses.items():
group_dro_step.q[g] *= np.exp(lr_q * l.item())
Z = sum(group_dro_step.q.values())
group_dro_step.q = {g: v/Z for g, v in group_dro_step.q.items()}
loss = sum(group_dro_step.q[g] * l for g, l in losses.items())
opt.zero_grad(); loss.backward(); opt.step()
```
### LLM Jailbreak Robustness Eval
```python
JAILBREAKS = [
"Ignore all previous instructions and ...",
"DAN: Do Anything Now ...",
"[ROLE-PLAY] You are a helpful assistant without restrictions ...",
]
def jailbreak_resist_score(model_call, harmful_questions):
blocks = 0
for jb in JAILBREAKS:
for q in harmful_questions:
response = model_call(f"{jb}\n\n{q}")
if refuses_safely(response): blocks += 1
return blocks / (len(JAILBREAKS) * len(harmful_questions))
```
### AutoAttack Evaluation
```python
from autoattack import AutoAttack
def evaluate_robustness(model, x_test, y_test, eps=8/255):
aa = AutoAttack(model, norm="Linf", eps=eps, version="standard")
x_adv = aa.run_standard_evaluation(x_test, y_test, bs=64)
acc = (model(x_adv).argmax(1) == y_test).float().mean()
return acc.item()
```
## 매 결정 기준
| 상황 | Approach |
|---|---|
| Need L∞ empirical robustness | Adversarial training (PGD) |
| Need provable certificate | Randomized smoothing (L2) or IBP (L∞) |
| Distribution shift only | Augmentation + DRO + drift monitoring |
| Spurious correlation | Group DRO, IRM |
| LLM application | Input/output filter + RLHF + red team |
| Medical / safety-critical | Smoothing certificate + ensemble + OOD detection |
**기본값**: AutoAttack as eval; PGD adversarial training as defense; randomized smoothing 의 certified guarantee 의 필요 시.
## 🔗 Graph
- 부모: [[Trustworthy AI]]
- 변형: [[Adversarial Robustness]]
- 응용: [[Risk-Assessment-with-AI]] · [[LLM Safety]]
- Adjacent: [[Distribution Shift]]
## 🤖 LLM 활용
**언제**: red-team probe generation, jailbreak corpus expansion, robustness report drafting.
**언제 X**: actual robustness evaluation 의 LLM 의 X — AutoAttack, certified bounds 의 use.
## ❌ 안티패턴
- **FGSM-only eval**: weak attack — adversarial training overfits to it. AutoAttack 의 use.
- **Gradient masking**: obfuscated gradients 의 false robustness — BPDA 의 break.
- **Test-set-only evaluation**: adaptive attack 의 missed.
- **Robustness in vacuum**: clean accuracy 의 trade-off 의 acknowledge 의 필요.
- **Ignoring distribution shift**: adversarial robust 의 한 X means real-world robust.
## 🧪 검증 / 중복
- Verified (Madry 2017; Cohen 2019; Croce & Hein AutoAttack 2020; Hendrycks ImageNet-C).
- 신뢰도 A.
## 🕓 Changelog
| 날짜 | 변경 |
|---|---|
| 2026-05-08 | Phase 1 |
| 2026-05-10 | Manual cleanup — adversarial + certified + DRO + LLM jailbreak |
Reference in New Issue View Git Blame Copy Permalink