A type of attack that can occur in the Learning-to-Defer framework: the malicious attacker perturbs the input to increase the probability that the query is assigned to a less accurate expert, thereby maximizing classification errors.

Adversarial Robustness in Two-Stage Learning-to-Defer: Algorithms and Guarantees

Y. Montreuil, A. Carlier, L.X. Ng, W.T. Ooi.
(Accepté) International Conference on Machine Learning, 2025

PDF arXiv

Abstract

Learning-to-Defer (L2D) facilitates optimal task allocation between AI systems and decision-makers. Despite its potential, we show that current two-stage L2D frameworks are highly vulnerable to adversarial attacks, which can misdirect queries or overwhelm decision agents, significantly degrading system performance. This paper conducts the first comprehensive analysis of adversarial robustness in two-stage L2D frameworks. We introduce two novel attack strategies—untargeted and targeted—that exploit inherent structural vulnerabilities in these systems. To mitigate these threats, we propose SARD, a robust, convex, deferral algorithm rooted in Bayes and (R, G)-consistency. Our approach guarantees optimal task allocation under adversarial perturbations for all surrogates in the cross-entropy family. Extensive experiments on classification, regression, and multi-task benchmarks validate the robustness of SARD.