

ABSTRACT

Adversarial robustness of machine learning models has attracted considerable attention over recent years. Adversarial attacks undermine the reliability of and trust in machine learning models, but the construction of more robust models hinges on a rigorous understanding of adversarial robustness as a property of a given model. Point-wise measures for specific threat models are currently the most popular tool for comparing the robustness of classifiers and are used in most recent publications on adversarial robustness. In this work, we use robustness curves to show that point-wise measures fail to capture important global properties that are essential to reliably compare the robustness of different classifiers. We introduce new ways in which robustness curves can be used to systematically uncover these properties and provide concrete recommendations for researchers and practitioners when assessing and comparing the robustness of trained models. Furthermore, we characterize scale as a way to distinguish small and large perturbations, and relate it to inherent properties of data sets, demonstrating that robustness thresholds must be chosen accordingly. We hope that our work contributes to a shift of focus away from point-wise measures of robustness and towards a discussion of the question of what kind of robustness could and should reasonably be expected. We release code to reproduce all experiments presented in this paper, which includes a Python module to calculate robustness curves for arbitrary data sets and classifiers, supporting a number of frameworks, including TensorFlow, PyTorch and JAX.

1. INTRODUCTION

Despite their astonishing success in a wide range of classification tasks, deep neural networks can be led to incorrectly classify inputs altered with specially crafted adversarial perturbations (Szegedy et al. 2014; Goodfellow et al. 2015). These perturbations can be so small that they remain almost imperceptible to human observers (J. P. Göpfert et al. 2020). Adversarial robustness describes a model's ability to behave correctly under such small perturbations crafted with the intent to mislead the model. The study of adversarial robustness - with its definitions, their implications, attacks, and defenses - has attracted considerable research interest. This is due to both the practical importance of trustworthy models as well as the intellectual interest in the differences between decisions of machine learning models and our human perception. A crucial starting point for any such analysis is the definition of what exactly a small input perturbation is - requiring (a) the choice of a distance function to measure perturbation size, and (b) the choice of a particular scale to distinguish small and large perturbations. Together, these two choices determine a threat model that defines exactly under which perturbations a model is required to be robust. The most popular choice of distance function is the class of distances induced by $\ell_p$ norms (Szegedy et al. 2014; Goodfellow et al. 2015; Carlini, Athalye, et al. 2019), in particular $\ell_1$, $\ell_2$ and $\ell_\infty$, although other choices such as Wasserstein distance have been explored as well (Wong, Schmidt, et al. 2019). Regarding scale, the current default is to pick some perturbation threshold ε without providing concrete reasons for the exact choice. Analysis then focuses on the robust error of the model, the proportion of test inputs for which the model behaves incorrectly under some perturbation up to size ε.
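The robust error just defined, next to the robustness curve it is a single point of, as an added example (not the paper's released module). It assumes linear classifiers, for which the minimal $\ell_p$ adversarial distance has a closed form; the data, the model names and the thresholds 0.25 and 0.6 are constructed for illustration.

```python
import math

def dual_norm(w, p):
    """Norm dual to l_p (1/p + 1/q = 1); it scales a linear model's l_p margin."""
    if p == math.inf:
        return sum(abs(v) for v in w)
    if p == 1:
        return max(abs(v) for v in w)
    q = p / (p - 1)
    return sum(abs(v) ** q for v in w) ** (1 / q)

def min_adv_distance(model, x, y, p):
    """Smallest l_p perturbation that moves sign(w.x + b) away from label y in {-1, +1}.
    Returns 0 if x is already misclassified. Closed form, linear models only."""
    w, b = model
    margin = y * (sum(wi * xi for wi, xi in zip(w, x)) + b)
    return max(margin, 0.0) / dual_norm(w, p)

def robust_error(model, data, eps, p):
    """Point-wise measure: share of inputs with an adversarial perturbation of size <= eps."""
    return sum(min_adv_distance(model, x, y, p) <= eps for x, y in data) / len(data)

def robustness_curve(model, data, p):
    """Robust error at every eps where it changes (empirical CDF of the distances)."""
    d = [min_adv_distance(model, x, y, p) for x, y in data]
    return [(eps, sum(v <= eps for v in d) / len(d)) for eps in sorted(set(d))]

# Constructed toy data and models (assumptions for illustration, not from the paper).
DATA = [((0.125, 0.875), 1), ((-0.125, -0.875), -1), ((1.0, 0.0), 1), ((-1.0, 0.0), -1)]
MODEL_A = ((1.0, 0.0), 0.0)  # weights (w) and bias (b); uses only the first feature
MODEL_B = ((1.0, 1.0), 0.0)  # uses both features

if __name__ == "__main__":
    for p in (math.inf, 2):
        for eps in (0.25, 0.6):
            print(f"l_{p} eps={eps}: A={robust_error(MODEL_A, DATA, eps, p)}",
                  f"B={robust_error(MODEL_B, DATA, eps, p)}")
        print("  curve A:", robustness_curve(MODEL_A, DATA, p))
        print("  curve B:", robustness_curve(MODEL_B, DATA, p))
```

Under $\ell_\infty$ the two models swap rank between ε = 0.25 and ε = 0.6, and at ε = 0.6 the ranking under $\ell_2$ is the opposite of the one under $\ell_\infty$; the curves show both facts at once.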
This means that the scale is defined as a binary distinction between small and large perturbations based on the perturbation threshold. A set of canonical thresholds have emerged in

