This paper investigates recently proposed approaches for defending against adversarial examples and evaluating adversarial robustness. We motivate adversarial risk as an objective for achieving models robust to worst-case inputs. We then frame commonly used attacks and evaluation metrics as defining a tractable surrogate objective to the true adversarial risk. This suggests that models may optimize this surrogate rather than the true adversarial risk. We formalize this notion as obscurity to an adversary, and develop tools and heuristics for identifying obscured models and designing transparent models. We demonstrate that this is a significant problem in practice by repurposing gradient-free optimization techniques into adversarial attacks, which we use to decrease the accuracy of several recently proposed defenses to near zero. Our hope is that our formulations and results will help researchers to develop more powerful defenses.

现代目光跟踪系统中的相机具有基本的带宽和功率限制，实际上将数据采集速度限制为300 Hz。这会阻碍使用移动眼镜手术器的使用，例如低潜伏期预测性渲染，或者在野外使用头部安装的设备来快速而微妙的眼动运动，例如微扫视。在这里，我们提出了一个基于混合框架的近眼凝视跟踪系统，可提供超过10,000 Hz的更新速率，其准确性与在相同条件下评估时相匹配的高端台式机商业跟踪器。我们的系统建立在新兴事件摄像机的基础上，该摄像头同时获得定期采样框架和自适应采样事件。我们开发了一种在线2D学生拟合方法，该方法每一个或几个事件都会更新参数模型。此外，我们提出了一个多项式回归器，用于实时估算参数学生模型的凝视点。使用第一个基于事件的凝视数据集，可在https://github.com/aangelopoulos/event_based_gaze_tracking上获得，我们证明我们的系统可实现0.45度 - 1.75度的准确度，用于从45度到98度的视野。借助这项技术，我们希望能够为虚拟和增强现实提供新一代的超低延迟凝视呈现和展示技术。