神经进化可以通过应用进化计算的技术来自动化人工神经网络的产生。这些方法的主要目标是构建最大程度地提高预测性能的模型，有时还具有最大程度地减少计算复杂性的目标。尽管演变的模型在竞争成果方面取得了竞争成果，但它们对对抗性实例的稳健性（在关键方案中成为关注点）受到了有限的关注。在本文中，我们评估了通过CIFAR-10图像分类任务的两种突出的神经进化方法发现的模型的对抗性鲁棒性：密度和NSGA-NET。由于这些模型是公开可用的，因此我们考虑白盒不靶向的攻击，其中扰动是由L2或Linfital-norm界定的。与手动设计的网络类似，我们的结果表明，当通过迭代方法攻击演变的模型时，它们的准确性通常在两个距离指标下降至或接近零。密集的模型是这种趋势的例外，显示了L2威胁模型下的某些阻力，即使在迭代攻击中，其精度也从93.70％下降到18.10％。此外，我们分析了在网络第一层之前应用于数据的预处理的影响。我们的观察结果表明，其中一些技术会加剧添加到原始输入中的扰动，从而可能损害鲁棒性。因此，当自动设计网络的应用程序时，不应忽略此选择。

Adaptive attacks have (rightfully) become the de facto standard for evaluating defenses to adversarial examples. We find, however, that typical adaptive evaluations are incomplete. We demonstrate that thirteen defenses recently published at ICLR, ICML and NeurIPS-and which illustrate a diverse set of defense strategies-can be circumvented despite attempting to perform evaluations using adaptive attacks. While prior evaluation papers focused mainly on the end result-showing that a defense was ineffective-this paper focuses on laying out the methodology and the approach necessary to perform an adaptive attack. Some of our attack strategies are generalizable, but no single strategy would have been sufficient for all defenses. This underlines our key message that adaptive attacks cannot be automated and always require careful and appropriate tuning to a given defense. We hope that these analyses will serve as guidance on how to properly perform adaptive attacks against defenses to adversarial examples, and thus will allow the community to make further progress in building more robust models.

深度学习的进步使得广泛的有希望的应用程序。然而，这些系统容易受到对抗机器学习（AML）攻击的影响;对他们的意见的离前事实制作的扰动可能导致他们错误分类。若干最先进的对抗性攻击已经证明他们可以可靠地欺骗分类器，使这些攻击成为一个重大威胁。对抗性攻击生成算法主要侧重于创建成功的例子，同时控制噪声幅度和分布，使检测更加困难。这些攻击的潜在假设是脱机产生的对抗噪声，使其执行时间是次要考虑因素。然而，最近，攻击者机会自由地产生对抗性示例的立即对抗攻击已经可能。本文介绍了一个新问题：我们如何在实时约束下产生对抗性噪音，以支持这种实时对抗攻击？了解这一问题提高了我们对这些攻击对实时系统构成的威胁的理解，并为未来防御提供安全评估基准。因此，我们首先进行对抗生成算法的运行时间分析。普遍攻击脱机产生一般攻击，没有在线开销，并且可以应用于任何输入;然而，由于其一般性，他们的成功率是有限的。相比之下，在特定输入上工作的在线算法是计算昂贵的，使它们不适合在时间约束下的操作。因此，我们提出房间，一种新型实时在线脱机攻击施工模型，其中离线组件用于预热在线算法，使得可以在时间限制下产生高度成功的攻击。

基于深度神经网络（DNN）的智能信息（IOT）系统已被广泛部署在现实世界中。然而，发现DNNS易受对抗性示例的影响，这提高了人们对智能物联网系统的可靠性和安全性的担忧。测试和评估IOT系统的稳健性成为必要和必要。最近已经提出了各种攻击和策略，但效率问题仍未纠正。现有方法是计算地广泛或耗时，这在实践中不适用。在本文中，我们提出了一种称为攻击启发GaN（AI-GaN）的新框架，在有条件地产生对抗性实例。曾经接受过培训，可以有效地给予对抗扰动的输入图像和目标类。我们在白盒设置的不同数据集中应用AI-GaN，黑匣子设置和由最先进的防御保护的目标模型。通过广泛的实验，AI-GaN实现了高攻击成功率，优于现有方法，并显着降低了生成时间。此外，首次，AI-GaN成功地缩放到复杂的数据集。 Cifar-100和Imagenet，所有课程中的成功率约为90美元。

Recent work has demonstrated that deep neural networks are vulnerable to adversarial examples-inputs that are almost indistinguishable from natural data and yet classified incorrectly by the network. In fact, some of the latest findings suggest that the existence of adversarial attacks may be an inherent weakness of deep learning models. To address this problem, we study the adversarial robustness of neural networks through the lens of robust optimization. This approach provides us with a broad and unifying view on much of the prior work on this topic. Its principled nature also enables us to identify methods for both training and attacking neural networks that are reliable and, in a certain sense, universal. In particular, they specify a concrete security guarantee that would protect against any adversary. These methods let us train networks with significantly improved resistance to a wide range of adversarial attacks. They also suggest the notion of security against a first-order adversary as a natural and broad security guarantee. We believe that robustness against such well-defined classes of adversaries is an important stepping stone towards fully resistant deep learning models. 1

Although deep neural networks (DNNs) have achieved great success in many tasks, they can often be fooled by adversarial examples that are generated by adding small but purposeful distortions to natural examples. Previous studies to defend against adversarial examples mostly focused on refining the DNN models, but have either shown limited success or required expensive computation. We propose a new strategy, feature squeezing, that can be used to harden DNN models by detecting adversarial examples. Feature squeezing reduces the search space available to an adversary by coalescing samples that correspond to many different feature vectors in the original space into a single sample. By comparing a DNN model's prediction on the original input with that on squeezed inputs, feature squeezing detects adversarial examples with high accuracy and few false positives.This paper explores two feature squeezing methods: reducing the color bit depth of each pixel and spatial smoothing. These simple strategies are inexpensive and complementary to other defenses, and can be combined in a joint detection framework to achieve high detection rates against state-of-the-art attacks.

Deep neural networks (DNNs) are found to be vulnerable to adversarial attacks, and various methods have been proposed for the defense. Among these methods, adversarial training has been drawing increasing attention because of its simplicity and effectiveness. However, the performance of the adversarial training is greatly limited by the architectures of target DNNs, which often makes the resulting DNNs with poor accuracy and unsatisfactory robustness. To address this problem, we propose DSARA to automatically search for the neural architectures that are accurate and robust after adversarial training. In particular, we design a novel cell-based search space specially for adversarial training, which improves the accuracy and the robustness upper bound of the searched architectures by carefully designing the placement of the cells and the proportional relationship of the filter numbers. Then we propose a two-stage search strategy to search for both accurate and robust neural architectures. At the first stage, the architecture parameters are optimized to minimize the adversarial loss, which makes full use of the effectiveness of the adversarial training in enhancing the robustness. At the second stage, the architecture parameters are optimized to minimize both the natural loss and the adversarial loss utilizing the proposed multi-objective adversarial training method, so that the searched neural architectures are both accurate and robust. We evaluate the proposed algorithm under natural data and various adversarial attacks, which reveals the superiority of the proposed method in terms of both accurate and robust architectures. We also conclude that accurate and robust neural architectures tend to deploy very different structures near the input and the output, which has great practical significance on both hand-crafting and automatically designing of accurate and robust neural architectures.

Adversarial examples are perturbed inputs designed to fool machine learning models. Adversarial training injects such examples into training data to increase robustness. To scale this technique to large datasets, perturbations are crafted using fast single-step methods that maximize a linear approximation of the model's loss. We show that this form of adversarial training converges to a degenerate global minimum, wherein small curvature artifacts near the data points obfuscate a linear approximation of the loss. The model thus learns to generate weak perturbations, rather than defend against strong ones. As a result, we find that adversarial training remains vulnerable to black-box attacks, where we transfer perturbations computed on undefended models, as well as to a powerful novel single-step attack that escapes the non-smooth vicinity of the input data via a small random step. We further introduce Ensemble Adversarial Training, a technique that augments training data with perturbations transferred from other models. On ImageNet, Ensemble Adversarial Training yields models with stronger robustness to blackbox attacks. In particular, our most robust model won the first round of the NIPS 2017 competition on Defenses against Adversarial Attacks (Kurakin et al., 2017c). However, subsequent work found that more elaborate black-box attacks could significantly enhance transferability and reduce the accuracy of our models.

The authors thank Nicholas Carlini (UC Berkeley) and Dimitris Tsipras (MIT) for feedback to improve the survey quality. We also acknowledge X. Huang (Uni. Liverpool), K. R. Reddy (IISC), E. Valle (UNICAMP), Y. Yoo (CLAIR) and others for providing pointers to make the survey more comprehensive.

已经发现深层神经网络容易受到对抗攻击的影响，从而引起了对安全敏感的环境的潜在关注。为了解决这个问题，最近的研究从建筑的角度研究了深神经网络的对抗性鲁棒性。但是，搜索深神经网络的体系结构在计算上是昂贵的，尤其是当与对抗性训练过程相结合时。为了应对上述挑战，本文提出了双重主体神经体系结构搜索方法。首先，我们制定了NAS问题，以增强深度神经网络的对抗性鲁棒性为多目标优化问题。具体而言，除了低保真绩效预测器作为第一个目标外，我们还利用辅助目标 - 其值是经过高保真评估训练的替代模型的输出。其次，我们通过结合三种性能估计方法，即参数共享，低保真评估和基于替代的预测指标来降低计算成本。在CIFAR-10，CIFAR-100和SVHN数据集上进行的广泛实验证实了所提出的方法的有效性。

This paper investigates recently proposed approaches for defending against adversarial examples and evaluating adversarial robustness. We motivate adversarial risk as an objective for achieving models robust to worst-case inputs. We then frame commonly used attacks and evaluation metrics as defining a tractable surrogate objective to the true adversarial risk. This suggests that models may optimize this surrogate rather than the true adversarial risk. We formalize this notion as obscurity to an adversary, and develop tools and heuristics for identifying obscured models and designing transparent models. We demonstrate that this is a significant problem in practice by repurposing gradient-free optimization techniques into adversarial attacks, which we use to decrease the accuracy of several recently proposed defenses to near zero. Our hope is that our formulations and results will help researchers to develop more powerful defenses.

最近对机器学习（ML）模型的攻击，例如逃避攻击，具有对抗性示例，并通过提取攻击窃取了一些模型，构成了几种安全性和隐私威胁。先前的工作建议使用对抗性训练从对抗性示例中保护模型，以逃避模型的分类并恶化其性能。但是，这种保护技术会影响模型的决策边界及其预测概率，因此可能会增加模型隐私风险。实际上，仅使用对模型预测输出的查询访问的恶意用户可以提取它并获得高智能和高保真替代模型。为了更大的提取，这些攻击利用了受害者模型的预测概率。实际上，所有先前关于提取攻击的工作都没有考虑到出于安全目的的培训过程中的变化。在本文中，我们提出了一个框架，以评估具有视觉数据集对对抗训练的模型的提取攻击。据我们所知，我们的工作是第一个进行此类评估的工作。通过一项广泛的实证研究，我们证明了受对抗训练的模型比在自然训练情况下获得的模型更容易受到提取攻击的影响。他们可以达到高达$ \ times1.2 $更高的准确性和同意，而疑问低于$ \ times0.75 $。我们还发现，与从自然训练的（即标准）模型中提取的DNN相比，从鲁棒模型中提取的对抗性鲁棒性能力可通过提取攻击（即从鲁棒模型提取的深神经网络（DNN）提取的深神网络（DNN））传递。

Designing powerful adversarial attacks is of paramount importance for the evaluation of $\ell_p$-bounded adversarial defenses. Projected Gradient Descent (PGD) is one of the most effective and conceptually simple algorithms to generate such adversaries. The search space of PGD is dictated by the steepest ascent directions of an objective. Despite the plethora of objective function choices, there is no universally superior option and robustness overestimation may arise from ill-suited objective selection. Driven by this observation, we postulate that the combination of different objectives through a simple loss alternating scheme renders PGD more robust towards design choices. We experimentally verify this assertion on a synthetic-data example and by evaluating our proposed method across 25 different $\ell_{\infty}$-robust models and 3 datasets. The performance improvement is consistent, when compared to the single loss counterparts. In the CIFAR-10 dataset, our strongest adversarial attack outperforms all of the white-box components of AutoAttack (AA) ensemble, as well as the most powerful attacks existing on the literature, achieving state-of-the-art results in the computational budget of our study ($T=100$, no restarts).

在测试时间进行优化的自适应防御能力有望改善对抗性鲁棒性。我们对这种自适应测试时间防御措施进行分类，解释其潜在的好处和缺点，并评估图像分类的最新自适应防御能力的代表性。不幸的是，经过我们仔细的案例研究评估时，没有任何显着改善静态防御。有些甚至削弱了基本静态模型，同时增加了推理计算。尽管这些结果令人失望，但我们仍然认为自适应测试时间防御措施是一项有希望的研究途径，因此，我们为他们的彻底评估提供了建议。我们扩展了Carlini等人的清单。（2019年）通过提供针对自适应防御的具体步骤。

人类严重依赖于形状信息来识别对象。相反，卷积神经网络（CNNS）偏向于纹理。这也许是CNNS易受对抗性示例的影响的主要原因。在这里，我们探索如何将偏差纳入CNN，以提高其鲁棒性。提出了两种算法，基于边缘不变，以中等难以察觉的扰动。在第一个中，分类器在具有边缘图作为附加信道的图像上进行前列地培训。在推断时间，边缘映射被重新计算并连接到图像。在第二算法中，训练了条件GaN，以将边缘映射从干净和/或扰动图像转换为清洁图像。推断在与输入的边缘图对应的生成图像上完成。超过10个数据集的广泛实验证明了算法对FGSM和$ \ ELL_ infty $ PGD-40攻击的有效性。此外，我们表明a）边缘信息还可以使其他对抗训练方法有益，并且B）在边缘增强输入上培训的CNNS对抗自然图像损坏，例如运动模糊，脉冲噪声和JPEG压缩，而不是仅培训的CNNS RGB图像。从更广泛的角度来看，我们的研究表明，CNN不会充分占对鲁棒性至关重要的图像结构。代码可用：〜\ url {https://github.com/aliborji/shapedefense.git}。

作为研究界，我们仍然缺乏对对抗性稳健性的进展的系统理解，这通常使得难以识别训练强大模型中最有前途的想法。基准稳健性的关键挑战是，其评估往往是出错的导致鲁棒性高估。我们的目标是建立对抗性稳健性的标准化基准，尽可能准确地反映出考虑在合理的计算预算范围内所考虑的模型的稳健性。为此，我们首先考虑图像分类任务并在允许的型号上引入限制（可能在将来宽松）。我们评估了与AutoAtrack的对抗鲁棒性，白和黑箱攻击的集合，最近在大规模研究中显示，与原始出版物相比，改善了几乎所有稳健性评估。为防止对自动攻击进行新防御的过度适应，我们欢迎基于自适应攻击的外部评估，特别是在自动攻击稳健性潜在高估的地方。我们的排行榜，托管在https://robustbench.github.io/，包含120多个模型的评估，并旨在反映在$ \ ell_ \ infty $的一套明确的任务上的图像分类中的当前状态 - 和$ \ ell_2 $ -Threat模型和共同腐败，未来可能的扩展。此外，我们开源源是图书馆https://github.com/robustbench/robustbench，可以提供对80多个强大模型的统一访问，以方便他们的下游应用程序。最后，根据收集的模型，我们分析了稳健性对分布换档，校准，分配检测，公平性，隐私泄漏，平滑度和可转移性的影响。

已知深度神经网络（DNN）容易受到用不可察觉的扰动制作的对抗性示例的影响，即，输入图像的微小变化会引起错误的分类，从而威胁着基于深度学习的部署系统的可靠性。经常采用对抗训练（AT）来通过训练损坏和干净的数据的混合物来提高DNN的鲁棒性。但是，大多数基于AT的方法在处理\ textit {转移的对抗示例}方面是无效的，这些方法是生成以欺骗各种防御模型的生成的，因此无法满足现实情况下提出的概括要求。此外，对抗性训练一般的国防模型不能对具有扰动的输入产生可解释的预测，而不同的领域专家则需要一个高度可解释的强大模型才能了解DNN的行为。在这项工作中，我们提出了一种基于Jacobian规范和选择性输入梯度正则化（J-SIGR）的方法，该方法通过Jacobian归一化提出了线性化的鲁棒性，还将基于扰动的显着性图正规化，以模仿模型的可解释预测。因此，我们既可以提高DNN的防御能力和高解释性。最后，我们评估了跨不同体系结构的方法，以针对强大的对抗性攻击。实验表明，提出的J-Sigr赋予了针对转移的对抗攻击的鲁棒性，我们还表明，来自神经网络的预测易于解释。

基于转移的对手示例是最重要的黑匣子攻击类别之一。然而，在对抗性扰动的可转移性和难以察觉之间存在权衡。在此方向上的事先工作经常需要固定但大量的$ \ ell_p $ -norm扰动预算，达到良好的转移成功率，导致可察觉的对抗扰动。另一方面，目前的大多数旨在产生语义保留扰动的难以限制的对抗攻击患有对目标模型的可转移性较弱。在这项工作中，我们提出了一个几何形象感知框架，以产生具有最小变化的可转移的对抗性示例。类似于在统计机器学习中的模型选择，我们利用验证模型为$ \ ell _ {\ infty} $ - norm和不受限制的威胁模型中选择每个图像的最佳扰动预算。广泛的实验验证了我们对平衡令人难以置信的难以察觉和可转移性的框架的有效性。方法论是我们进入CVPR'21安全性AI挑战者的基础：对想象成的不受限制的对抗攻击，其中我们将第1位排名第1,559支队伍，并在决赛方面超过了亚军提交的提交4.59％和23.91％分别和平均图像质量水平。代码可在https://github.com/equationliu/ga-attack获得。

时间序列异常检测在统计，经济学和计算机科学中进行了广泛的研究。多年来，使用基于深度学习的方法为时间序列异常检测提出了许多方法。这些方法中的许多方法都在基准数据集上显示了最先进的性能，给人一种错误的印象，即这些系统在许多实用和工业现实世界中都可以强大且可部署。在本文中，我们证明了最先进的异常检测方法的性能通过仅在传感器数据中添加小的对抗扰动来实质性地降解。我们使用不同的评分指标，例如预测错误，异常和分类评分，包括几个公共和私人数据集，从航空航天应用程序，服务器机器到发电厂的网络物理系统。在众所周知的对抗攻击中，来自快速梯度标志方法（FGSM）和预计梯度下降（PGD）方法，我们证明了最新的深神经网络（DNNS）和图形神经网络（GNNS）方法，这些方法声称这些方法是要对异常进行稳健，并且可能已集成在现实生活中，其性能下降到低至0％。据我们最好的理解，我们首次证明了针对对抗攻击的异常检测系统的脆弱性。这项研究的总体目标是提高对时间序列异常检测器的对抗性脆弱性的认识。

With rapid progress and significant successes in a wide spectrum of applications, deep learning is being applied in many safety-critical environments. However, deep neural networks have been recently found vulnerable to well-designed input samples, called adversarial examples. Adversarial perturbations are imperceptible to human but can easily fool deep neural networks in the testing/deploying stage. The vulnerability to adversarial examples becomes one of the major risks for applying deep neural networks in safety-critical environments. Therefore, attacks and defenses on adversarial examples draw great attention. In this paper, we review recent findings on adversarial examples for deep neural networks, summarize the methods for generating adversarial examples, and propose a taxonomy of these methods. Under the taxonomy, applications for adversarial examples are investigated. We further elaborate on countermeasures for adversarial examples. In addition, three major challenges in adversarial examples and the potential solutions are discussed.