Evaluating Adaptive Attacks on Adversarial Example Defenses

This content discusses the challenges in properly evaluating defenses against adversarial examples, highlighting the importance of adaptive evaluation methods. While consensus on strong evaluation standards is noted, many defenses are still found to be vulnerable. The work presents 13 case studies on designing stronger adaptive attacks, offering insights into defense weaknesses and potential improvements.

• Adversarial examples
• Adaptive attacks
• Evaluation standards
• Defense vulnerabilities
• Case studies

plei Follow

Uploaded on Oct 01, 2024 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

Presentation Transcript

1. On Adaptive Attacks to Adversarial Example Defenses NeurIPS 2020 Florian Tram r* Nicholas Carlini* Wieland Brendel* Aleksander M dry *equal contribution

2. What Are Adversarial Examples? 88% Tabby Cat 99% Guacamole Biggio et al., 2014 Szegedy et al., 2014 Goodfellow et al., 2015 2

3. Many Defenses Are Proposed... https://nicholas.carlini.com/writing/2019/all-adversarial-example-papers.html 3

4. ... But Evaluating Them Properly Is Hard Broke 10 (mainly unpublished) defenses in 2017 Broke 7 defenses published at ICLR 2018 4

5. The Good: Consensus On Strong Evaluation Standards Clearly defined threat model 1. White-box: adversary has access to defense parameters Adaptive Evaluation Adversary tailors the attack to the defense Carlini & Wagner, 2017, Athalye et al., 2018, Carlini et al. 2019, ... Small perturbations: find ? s.t. ? misclassified and ? ? ? 2. 5

6. The Good: Adoption Of Strong Evaluation Standards We re-evaluate 13 defenses presented at: NeurIPS 18 (1) (1) ICLR 20 (5) NeurIPS 19 (2) ICML 19 (4) ICLR 19 Our paper (13 defenses) Carlini & Wagner 2017 (10 defenses) Athalye et al. 2018 (7 defenses) Some white-box 0/10 adaptive All white-box 2/7 adaptive All white-box 9/13 adaptive 6

7. The Bad: Defenses Are Still Broken We re-evaluate 13 defenses presented at: NeurIPS 18 (1) (1) ICLR 20 (5) NeurIPS 19 (2) ICML 19 (4) ICLR 19 We circumvent all of them! accuracy reduced to baseline (usually 0%) in the considered threat model Many defenses are not evaluated against a strong adaptive attack 7

8. Our Work 13 case studies on how to design strong(er) adaptive attacks Including: Our hypotheses when reading each defense s paper/code Things we tried but that didn t work Some things we didn t try but might also have worked 8

9. Conclusion Evaluating adversarial examples defenses is hard! Defenses must be evaluated against strongadaptive attacks How do we design strong adaptive attacks? 1. Practice! Try breaking other defenses before evaluating your own 2. Simplicity! Simple attacks are often easier to debug, and improve 3. Focus! Find the defense s weakest component, and attack exactly that https://arxiv.org/abs/2002.08347 https://github.com/wielandbrendel/adaptive_attacks_paper 9