近年来，已经开发了用于图像分类的新型体系结构组件，从变压器中使用的注意力和斑块开始。尽管先前的作品已经分析了建筑成分某些方面对对抗性攻击的鲁棒性，尤其是视觉变形金刚的影响，但对主要因素的理解仍然是有限的。我们比较了几个（非）固定分类器与不同的架构并研究其属性，包括对抗训练对学习特征的解释性和对看不见威胁模型的鲁棒性的影响。从Resnet到Convnext的消融揭示了关键的架构变化，导致$ 10 \％$更高$ \ ell_ \ ell_ \ infty $ bobustness。

图像空间中的视觉反事实解释（VCE）是了解图像分类器的决策的重要工具，因为它们显示了图像的更改，分类器的决策将会改变。他们在图像空间中的产生具有挑战性，由于对抗性例子的问题，需要强大的模型。在图像空间中生成VCE的现有技术遭受背景虚假变化的影响。我们对VCE的新型扰动模型以及通过我们的新型自动 - 弗兰克 - 摩 - 摩托方案的有效优化产生了稀疏的VCE，从而导致了针对目标类别的细微变化。此外，我们表明，由于Imagenet数据集中的虚假特征，VCE可用于检测Imagenet分类器的不希望的行为。

在测试时间进行优化的自适应防御能力有望改善对抗性鲁棒性。我们对这种自适应测试时间防御措施进行分类，解释其潜在的好处和缺点，并评估图像分类的最新自适应防御能力的代表性。不幸的是，经过我们仔细的案例研究评估时，没有任何显着改善静态防御。有些甚至削弱了基本静态模型，同时增加了推理计算。尽管这些结果令人失望，但我们仍然认为自适应测试时间防御措施是一项有希望的研究途径，因此，我们为他们的彻底评估提供了建议。我们扩展了Carlini等人的清单。（2019年）通过提供针对自适应防御的具体步骤。

与标准的训练时间相比，训练时间非常长，尤其是针对稳健模型的主要缺点，尤其是对于大型数据集而言。此外，模型不仅应适用于一个$ l_p $ - 威胁模型，而且对所有模型来说都是理想的。在本文中，我们提出了基于$ l_p $ -Balls的几何特性的多元素鲁棒性的极端规范对抗训练（E-AT）。 E-AT的成本比其他对抗性训练方法低三倍，以进行多种锻炼。使用e-at，我们证明，对于ImageNet，单个时期和CIFAR-10，三个时期足以将任何$ L_P $ - 抛光模型变成一个多符号鲁棒模型。通过这种方式，我们获得了ImageNet的第一个多元素鲁棒模型，并在CIFAR-10上提高了多个Norm鲁棒性的最新型号，以超过$ 51 \％$。最后，我们通过对不同单独的$ l_p $ threat模型之间的对抗鲁棒性进行微调研究一般的转移，并改善了Cifar-10和Imagenet上的先前的SOTA $ L_1 $ - 固定。广泛的实验表明，我们的计划在包括视觉变压器在内的数据集和架构上起作用。

我们表明，当考虑到图像域$ [0,1] ^ D $时，已建立$ L_1 $ -Projected梯度下降（PGD）攻击是次优，因为它们不认为有效的威胁模型是交叉点$ l_1 $ -ball和$ [0,1] ^ d $。我们研究了这种有效威胁模型的最陡渐进步骤的预期稀疏性，并表明该组上的确切投影是计算可行的，并且产生更好的性能。此外，我们提出了一种自适应形式的PGD，即使具有小的迭代预算，这也是非常有效的。我们的结果$ l_1 $ -apgd是一个强大的白盒攻击，表明先前的作品高估了他们的$ l_1 $ -trobustness。使用$ l_1 $ -apgd for vercersarial培训，我们获得一个强大的分类器，具有sota $ l_1 $ -trobustness。最后，我们将$ l_1 $ -apgd和平方攻击的适应组合到$ l_1 $ to $ l_1 $ -autoattack，这是一个攻击的集合，可靠地评估$ l_1 $ -ball与$的威胁模型的对抗鲁棒性进行对抗[ 0,1] ^ d $。

作为研究界，我们仍然缺乏对对抗性稳健性的进展的系统理解，这通常使得难以识别训练强大模型中最有前途的想法。基准稳健性的关键挑战是，其评估往往是出错的导致鲁棒性高估。我们的目标是建立对抗性稳健性的标准化基准，尽可能准确地反映出考虑在合理的计算预算范围内所考虑的模型的稳健性。为此，我们首先考虑图像分类任务并在允许的型号上引入限制（可能在将来宽松）。我们评估了与AutoAtrack的对抗鲁棒性，白和黑箱攻击的集合，最近在大规模研究中显示，与原始出版物相比，改善了几乎所有稳健性评估。为防止对自动攻击进行新防御的过度适应，我们欢迎基于自适应攻击的外部评估，特别是在自动攻击稳健性潜在高估的地方。我们的排行榜，托管在https://robustbench.github.io/，包含120多个模型的评估，并旨在反映在$ \ ell_ \ infty $的一套明确的任务上的图像分类中的当前状态 - 和$ \ ell_2 $ -Threat模型和共同腐败，未来可能的扩展。此外，我们开源源是图书馆https://github.com/robustbench/robustbench，可以提供对80多个强大模型的统一访问，以方便他们的下游应用程序。最后，根据收集的模型，我们分析了稳健性对分布换档，校准，分配检测，公平性，隐私泄漏，平滑度和可转移性的影响。

The field of defense strategies against adversarial attacks has significantly grown over the last years, but progress is hampered as the evaluation of adversarial defenses is often insufficient and thus gives a wrong impression of robustness. Many promising defenses could be broken later on, making it difficult to identify the state-of-the-art. Frequent pitfalls in the evaluation are improper tuning of hyperparameters of the attacks, gradient obfuscation or masking. In this paper we first propose two extensions of the PGD-attack overcoming failures due to suboptimal step size and problems of the objective function. We then combine our novel attacks with two complementary existing ones to form a parameter-free, computationally affordable and user-independent ensemble of attacks to test adversarial robustness. We apply our ensemble to over 50 models from papers published at recent top machine learning and computer vision venues. In all except one of the cases we achieve lower robust test accuracy than reported in these papers, often by more than 10%, identifying several broken defenses.

We propose the Square Attack, a score-based black-box l2and l∞-adversarial attack that does not rely on local gradient information and thus is not affected by gradient masking. Square Attack is based on a randomized search scheme which selects localized squareshaped updates at random positions so that at each iteration the perturbation is situated approximately at the boundary of the feasible set. Our method is significantly more query efficient and achieves a higher success rate compared to the state-of-the-art methods, especially in the untargeted setting. In particular, on ImageNet we improve the average query efficiency in the untargeted setting for various deep networks by a factor of at least 1.8 and up to 3 compared to the recent state-ofthe-art l∞-attack of Al-Dujaili & OReilly (2020). Moreover, although our attack is black-box, it can also outperform gradient-based white-box attacks on the standard benchmarks achieving a new state-of-the-art in terms of the success rate. The code of our attack is available at https://github.com/max-andr/square-attack.

The evaluation of robustness against adversarial manipulation of neural networks-based classifiers is mainly tested with empirical attacks as methods for the exact computation, even when available, do not scale to large networks. We propose in this paper a new white-box adversarial attack wrt the l p -norms for p ∈ {1, 2, ∞} aiming at finding the minimal perturbation necessary to change the class of a given input. It has an intuitive geometric meaning, yields quickly high quality results, minimizes the size of the perturbation (so that it returns the robust accuracy at every threshold with a single run). It performs better or similar to stateof-the-art attacks which are partially specialized to one l p -norm, and is robust to the phenomenon of gradient masking.

Continual Learning (CL) is a field dedicated to devise algorithms able to achieve lifelong learning. Overcoming the knowledge disruption of previously acquired concepts, a drawback affecting deep learning models and that goes by the name of catastrophic forgetting, is a hard challenge. Currently, deep learning methods can attain impressive results when the data modeled does not undergo a considerable distributional shift in subsequent learning sessions, but whenever we expose such systems to this incremental setting, performance drop very quickly. Overcoming this limitation is fundamental as it would allow us to build truly intelligent systems showing stability and plasticity. Secondly, it would allow us to overcome the onerous limitation of retraining these architectures from scratch with the new updated data. In this thesis, we tackle the problem from multiple directions. In a first study, we show that in rehearsal-based techniques (systems that use memory buffer), the quantity of data stored in the rehearsal buffer is a more important factor over the quality of the data. Secondly, we propose one of the early works of incremental learning on ViTs architectures, comparing functional, weight and attention regularization approaches and propose effective novel a novel asymmetric loss. At the end we conclude with a study on pretraining and how it affects the performance in Continual Learning, raising some questions about the effective progression of the field. We then conclude with some future directions and closing remarks.