Lilly Tech Systems
Best Practices
Build a comprehensive robustness testing strategy with CI/CD integration, automated monitoring, reporting frameworks, and a culture of continuous model validation.
Robustness Testing Checklist
Define your threat model
Document what adversaries can do (white-box vs black-box access), perturbation budgets, and acceptable failure rates before selecting tests.
Test with multiple attack methods
Never rely on a single attack. Use AutoAttack or a diverse ensemble. A model robust to FGSM may be vulnerable to PGD or C&W.
Measure the robustness-accuracy trade-off
Track both clean accuracy and adversarial accuracy. Accept that improving robustness often slightly reduces clean performance.
Integrate into CI/CD
Run robustness tests automatically on every model update. Block deployment if robustness metrics drop below thresholds.
Monitor distribution shift continuously
Deploy drift detection from day one. Alert on feature distribution changes, prediction distribution changes, and performance degradation.
CI/CD Integration
# .github/workflows/robustness-tests.yml name: ML Robustness Tests on: pull_request: paths: ['models/**', 'training/**'] jobs: robustness: runs-on: ubuntu-latest steps: - name: Run adversarial evaluation run: | python -m robustness.evaluate \ --model $MODEL_PATH \ --attacks fgsm pgd autoattack \ --epsilons 0.01 0.03 0.1 \ --min-accuracy 0.70 - name: Run distribution shift tests run: | python -m robustness.drift_check \ --model $MODEL_PATH \ --reference-data data/reference/ \ --test-data data/production_sample/ - name: Run stress tests run: | python -m robustness.stress \ --model $MODEL_PATH \ --edge-cases data/edge_cases/ \ --max-latency-p99 100ms
Robustness Improvement Strategies
| Strategy | How It Works | Trade-offs |
|---|---|---|
| Adversarial Training | Include adversarial examples in training data | Slower training, slight clean accuracy drop |
| Data Augmentation | Train on diverse transformations of data | Increased training time, may not cover all attacks |
| Ensemble Methods | Combine multiple models for more robust predictions | Higher inference cost, more complex deployment |
| Input Preprocessing | Apply denoising or smoothing before inference | May lose fine-grained details |
| Certified Defenses | Provide mathematical robustness guarantees | Significant clean accuracy trade-off |
Reporting and Documentation
Every model should have a robustness report that includes:
- Threat model documentation: What attacks were considered and why.
- Robustness metrics: Clean accuracy, adversarial accuracy at multiple epsilon values, mCE scores.
- Known failure modes: Documented cases where the model fails, with severity ratings.
- Mitigation status: What defenses are in place and their effectiveness.
- Monitoring configuration: What drift detectors are active and their alert thresholds.