Rethinking Adversarial Robustness: When Compute Costs More Than Attacks

Adversarial attacks on large language models (LLMs) are a hot topic, but is anyone talking about the hidden costs? Most studies focus on attack success rates (ASR) without considering the diverse computational expenses involved. Not all attacks are created equal. It's time to acknowledge that.

Introducing Compute-Aware Evaluation

A new framework proposes evaluating adversarial robustness by measuring computational pressure in cumulative floating-point operations (FLOPs). This approach reveals the true adversarial effort, challenging the notion that ASR is the ultimate metric. In essence, it adds a layer of realism to the evaluation of LLM security.

Why is this important? Because understanding computational costs can mean the difference between a theoretical vulnerability and a practical threat. If the AI can hold a wallet, who writes the risk model for these attacks? Deciphering FLOPs in relation to attacks helps distinguish between feasible attacks and those that are impractically costly.

Findings Across Models and Attacks

The study evaluated ten models across three families and four training stages, using three attack types: gradient-based, iterative refinement, and template-based. Here's what emerged: alignment training influenced compute-space robustness unpredictably, scaling model size reduced gradient-based attack effectiveness, and compute costs varied drastically across harm categories within a single model.

The research also revealed that gradient-based attacks could transfer between models, slashing costs for attackers. Yet, scaling, often touted as a defense, had limited impact on cheaper template-based attacks. And when safety-aligned RL was thrown into the mix, while it bumped up overall costs, some categories still remained disproportionately easy to target.

The Real Cost of Adversarial Threats

This framework isn't just about numbers. It's about understanding the real-world implications of keeping LLMs secure. It questions the traditional approach of evaluating attacks purely on ASR, urging for a shift towards compute-aware risk assessment. If you think slapping a model on a GPU rental is enough for security, think again. Show me the inference costs. Then we'll talk.

Ultimately, this research challenges us to rethink adversarial success from a practical standpoint. Is it enough to know a model can be attacked, or should we focus on whether it's economically viable to do so?