Designing powerful adversarial attacks is of paramount importance for the evaluation of $\ell_p$-bounded adversarial defenses. Projected Gradient Descent (PGD) is one of the most effective and conceptually simple algorithms to generate such adversaries. The search space of PGD is dictated by the steepest ascent directions of an objective. Despite the plethora of objective function choices, there is no universally superior option and robustness overestimation may arise from ill-suited objective selection. Driven by this observation, we postulate that the combination of different objectives through a simple loss alternating scheme renders PGD more robust towards design choices. We experimentally verify this assertion on a synthetic-data example and by evaluating our proposed method across 25 different $\ell_{\infty}$-robust models and 3 datasets. The performance improvement is consistent, when compared to the single loss counterparts. In the CIFAR-10 dataset, our strongest adversarial attack outperforms all of the white-box components of AutoAttack (AA) ensemble, as well as the most powerful attacks existing on the literature, achieving state-of-the-art results in the computational budget of our study ($T=100$, no restarts).

The field of defense strategies against adversarial attacks has significantly grown over the last years, but progress is hampered as the evaluation of adversarial defenses is often insufficient and thus gives a wrong impression of robustness. Many promising defenses could be broken later on, making it difficult to identify the state-of-the-art. Frequent pitfalls in the evaluation are improper tuning of hyperparameters of the attacks, gradient obfuscation or masking. In this paper we first propose two extensions of the PGD-attack overcoming failures due to suboptimal step size and problems of the objective function. We then combine our novel attacks with two complementary existing ones to form a parameter-free, computationally affordable and user-independent ensemble of attacks to test adversarial robustness. We apply our ensemble to over 50 models from papers published at recent top machine learning and computer vision venues. In all except one of the cases we achieve lower robust test accuracy than reported in these papers, often by more than 10%, identifying several broken defenses.

评估防御模型的稳健性是对抗对抗鲁棒性研究的具有挑战性的任务。僵化的渐变，先前已经发现了一种梯度掩蔽，以许多防御方法存在并导致鲁棒性的错误信号。在本文中，我们确定了一种更细微的情况，称为不平衡梯度，也可能导致过高的对抗性鲁棒性。当边缘损耗的一个术语的梯度主导并将攻击朝向次优化方向推动时，发生不平衡梯度的现象。为了利用不平衡的梯度，我们制定了分解利润率损失的边缘分解（MD）攻击，并通过两阶段过程分别探讨了这些术语的攻击性。我们还提出了一个Multared和Ensemble版本的MD攻击。通过调查自2018年以来提出的17个防御模型，我们发现6种型号易受不平衡梯度的影响，我们的MD攻击可以减少由最佳基线独立攻击评估的鲁棒性另外2％。我们还提供了对不平衡梯度的可能原因和有效对策的深入分析。

我们表明，当考虑到图像域$ [0,1] ^ D $时，已建立$ L_1 $ -Projected梯度下降（PGD）攻击是次优，因为它们不认为有效的威胁模型是交叉点$ l_1 $ -ball和$ [0,1] ^ d $。我们研究了这种有效威胁模型的最陡渐进步骤的预期稀疏性，并表明该组上的确切投影是计算可行的，并且产生更好的性能。此外，我们提出了一种自适应形式的PGD，即使具有小的迭代预算，这也是非常有效的。我们的结果$ l_1 $ -apgd是一个强大的白盒攻击，表明先前的作品高估了他们的$ l_1 $ -trobustness。使用$ l_1 $ -apgd for vercersarial培训，我们获得一个强大的分类器，具有sota $ l_1 $ -trobustness。最后，我们将$ l_1 $ -apgd和平方攻击的适应组合到$ l_1 $ to $ l_1 $ -autoattack，这是一个攻击的集合，可靠地评估$ l_1 $ -ball与$的威胁模型的对抗鲁棒性进行对抗[ 0,1] ^ d $。

Adaptive attacks have (rightfully) become the de facto standard for evaluating defenses to adversarial examples. We find, however, that typical adaptive evaluations are incomplete. We demonstrate that thirteen defenses recently published at ICLR, ICML and NeurIPS-and which illustrate a diverse set of defense strategies-can be circumvented despite attempting to perform evaluations using adaptive attacks. While prior evaluation papers focused mainly on the end result-showing that a defense was ineffective-this paper focuses on laying out the methodology and the approach necessary to perform an adaptive attack. Some of our attack strategies are generalizable, but no single strategy would have been sufficient for all defenses. This underlines our key message that adaptive attacks cannot be automated and always require careful and appropriate tuning to a given defense. We hope that these analyses will serve as guidance on how to properly perform adaptive attacks against defenses to adversarial examples, and thus will allow the community to make further progress in building more robust models.

The evaluation of robustness against adversarial manipulation of neural networks-based classifiers is mainly tested with empirical attacks as methods for the exact computation, even when available, do not scale to large networks. We propose in this paper a new white-box adversarial attack wrt the l p -norms for p ∈ {1, 2, ∞} aiming at finding the minimal perturbation necessary to change the class of a given input. It has an intuitive geometric meaning, yields quickly high quality results, minimizes the size of the perturbation (so that it returns the robust accuracy at every threshold with a single run). It performs better or similar to stateof-the-art attacks which are partially specialized to one l p -norm, and is robust to the phenomenon of gradient masking.

This paper investigates recently proposed approaches for defending against adversarial examples and evaluating adversarial robustness. We motivate adversarial risk as an objective for achieving models robust to worst-case inputs. We then frame commonly used attacks and evaluation metrics as defining a tractable surrogate objective to the true adversarial risk. This suggests that models may optimize this surrogate rather than the true adversarial risk. We formalize this notion as obscurity to an adversary, and develop tools and heuristics for identifying obscured models and designing transparent models. We demonstrate that this is a significant problem in practice by repurposing gradient-free optimization techniques into adversarial attacks, which we use to decrease the accuracy of several recently proposed defenses to near zero. Our hope is that our formulations and results will help researchers to develop more powerful defenses.

We propose the Square Attack, a score-based black-box l2and l∞-adversarial attack that does not rely on local gradient information and thus is not affected by gradient masking. Square Attack is based on a randomized search scheme which selects localized squareshaped updates at random positions so that at each iteration the perturbation is situated approximately at the boundary of the feasible set. Our method is significantly more query efficient and achieves a higher success rate compared to the state-of-the-art methods, especially in the untargeted setting. In particular, on ImageNet we improve the average query efficiency in the untargeted setting for various deep networks by a factor of at least 1.8 and up to 3 compared to the recent state-ofthe-art l∞-attack of Al-Dujaili & OReilly (2020). Moreover, although our attack is black-box, it can also outperform gradient-based white-box attacks on the standard benchmarks achieving a new state-of-the-art in terms of the success rate. The code of our attack is available at https://github.com/max-andr/square-attack.

Recent work has demonstrated that deep neural networks are vulnerable to adversarial examples-inputs that are almost indistinguishable from natural data and yet classified incorrectly by the network. In fact, some of the latest findings suggest that the existence of adversarial attacks may be an inherent weakness of deep learning models. To address this problem, we study the adversarial robustness of neural networks through the lens of robust optimization. This approach provides us with a broad and unifying view on much of the prior work on this topic. Its principled nature also enables us to identify methods for both training and attacking neural networks that are reliable and, in a certain sense, universal. In particular, they specify a concrete security guarantee that would protect against any adversary. These methods let us train networks with significantly improved resistance to a wide range of adversarial attacks. They also suggest the notion of security against a first-order adversary as a natural and broad security guarantee. We believe that robustness against such well-defined classes of adversaries is an important stepping stone towards fully resistant deep learning models. 1

Adversarial training is an effective approach to make deep neural networks robust against adversarial attacks. Recently, different adversarial training defenses are proposed that not only maintain a high clean accuracy but also show significant robustness against popular and well studied adversarial attacks such as PGD. High adversarial robustness can also arise if an attack fails to find adversarial gradient directions, a phenomenon known as `gradient masking'. In this work, we analyse the effect of label smoothing on adversarial training as one of the potential causes of gradient masking. We then develop a guided mechanism to avoid local minima during attack optimization, leading to a novel attack dubbed Guided Projected Gradient Attack (G-PGA). Our attack approach is based on a `match and deceive' loss that finds optimal adversarial directions through guidance from a surrogate model. Our modified attack does not require random restarts, large number of attack iterations or search for an optimal step-size. Furthermore, our proposed G-PGA is generic, thus it can be combined with an ensemble attack strategy as we demonstrate for the case of Auto-Attack, leading to efficiency and convergence speed improvements. More than an effective attack, G-PGA can be used as a diagnostic tool to reveal elusive robustness due to gradient masking in adversarial defenses.

在测试时间进行优化的自适应防御能力有望改善对抗性鲁棒性。我们对这种自适应测试时间防御措施进行分类，解释其潜在的好处和缺点，并评估图像分类的最新自适应防御能力的代表性。不幸的是，经过我们仔细的案例研究评估时，没有任何显着改善静态防御。有些甚至削弱了基本静态模型，同时增加了推理计算。尽管这些结果令人失望，但我们仍然认为自适应测试时间防御措施是一项有希望的研究途径，因此，我们为他们的彻底评估提供了建议。我们扩展了Carlini等人的清单。（2019年）通过提供针对自适应防御的具体步骤。

当有大量的计算资源可用时，AutoAttack（AA）是评估对抗性鲁棒性的最可靠方法。但是，高计算成本（例如，比项目梯度下降攻击的100倍）使AA对于具有有限计算资源的从业者来说是不可行的，并且也阻碍了AA在对抗培训中的应用（AT）。在本文中，我们提出了一种新颖的方法，即最小利润率（MM）攻击，以快速可靠地评估对抗性鲁棒性。与AA相比，我们的方法可实现可比的性能，但在广泛的实验中仅占计算时间的3％。我们方法的可靠性在于，我们使用两个目标之间的边缘来评估对抗性示例的质量，这些目标可以精确地识别最对抗性的示例。我们方法的计算效率在于有效的顺序目标排名选择（星形）方法，以确保MM攻击的成本与类数无关。 MM攻击开辟了一种评估对抗性鲁棒性的新方法，并提供了一种可行且可靠的方式来生成高质量的对抗示例。

作为反对攻击的最有效的防御方法之一，对抗性训练倾向于学习包容性的决策边界，以提高深度学习模型的鲁棒性。但是，由于沿对抗方向的边缘的大幅度和不必要的增加，对抗性训练会在自然实例和对抗性示例之间引起严重的交叉，这不利于平衡稳健性和自然准确性之间的权衡。在本文中，我们提出了一种新颖的对抗训练计划，以在稳健性和自然准确性之间进行更好的权衡。它旨在学习一个中度包容的决策边界，这意味着决策边界下的自然示例的边缘是中等的。我们称此方案为中等边缘的对抗训练（MMAT），该方案生成更细粒度的对抗示例以减轻交叉问题。我们还利用了经过良好培训的教师模型的逻辑来指导我们的模型学习。最后，MMAT在Black-Box和White-Box攻击下都可以实现高自然的精度和鲁棒性。例如，在SVHN上，实现了最新的鲁棒性和自然精度。

对抗性训练遭受了稳健的过度装备，这是一种现象，在训练期间鲁棒测试精度开始减少。在本文中，我们专注于通过使用常见的数据增强方案来减少强大的过度装备。我们证明，与先前的发现相反，当与模型重量平均结合时，数据增强可以显着提高鲁棒精度。此外，我们比较各种增强技术，并观察到空间组合技术适用于对抗性培训。最后，我们评估了我们在Cifar-10上的方法，而不是$ \ ell_ indty $和$ \ ell_2 $ norm-indeded扰动分别为尺寸$ \ epsilon = 8/255 $和$ \ epsilon = 128/255 $。与以前的最先进的方法相比，我们表现出+ 2.93％的绝对改善+ 2.93％，+ 2.16％。特别是，反对$ \ ell_ infty $ norm-indeded扰动尺寸$ \ epsilon = 8/255 $，我们的模型达到60.07％的强劲准确性而不使用任何外部数据。我们还通过这种方法实现了显着的性能提升，同时使用其他架构和数据集如CiFar-100，SVHN和TinyimageNet。

对抗性可转移性是一种有趣的性质 - 针对一个模型制作的对抗性扰动也是对另一个模型有效的，而这些模型来自不同的模型家庭或培训过程。为了更好地保护ML系统免受对抗性攻击，提出了几个问题：对抗性转移性的充分条件是什么，以及如何绑定它？有没有办法降低对抗的转移性，以改善合奏ML模型的鲁棒性？为了回答这些问题，在这项工作中，我们首先在理论上分析和概述了模型之间的对抗性可转移的充分条件;然后提出一种实用的算法，以减少集合内基础模型之间的可转换，以提高其鲁棒性。我们的理论分析表明，只有促进基础模型梯度之间的正交性不足以确保低可转移性;与此同时，模型平滑度是控制可转移性的重要因素。我们还在某些条件下提供了对抗性可转移性的下界和上限。灵感来自我们的理论分析，我们提出了一种有效的可转让性，减少了平滑（TRS）集合培训策略，以通过实施基础模型之间的梯度正交性和模型平滑度来培训具有低可转换性的强大集成。我们对TRS进行了广泛的实验，并与6个最先进的集合基线进行比较，防止不同数据集的8个白箱攻击，表明所提出的TRS显着优于所有基线。

对抗训练（AT）在防御对抗例子方面表现出色。最近的研究表明，示例对于AT期间模型的最终鲁棒性并不同样重要，即，所谓的硬示例可以攻击容易表现出比对最终鲁棒性的鲁棒示例更大的影响。因此，保证硬示例的鲁棒性对于改善模型的最终鲁棒性至关重要。但是，定义有效的启发式方法来寻找辛苦示例仍然很困难。在本文中，受到信息瓶颈（IB）原则的启发，我们发现了一个具有高度共同信息及其相关的潜在表示的例子，更有可能受到攻击。基于此观察，我们提出了一种新颖有效的对抗训练方法（Infoat）。鼓励Infoat找到具有高相互信息的示例，并有效利用它们以提高模型的最终鲁棒性。实验结果表明，与几种最先进的方法相比，Infoat在不同数据集和模型之间达到了最佳的鲁棒性。

评估对抗性鲁棒性的量，以找到有输入样品被错误分类所需的最小扰动。底层优化的固有复杂性需要仔细调整基于梯度的攻击，初始化，并且可能为许多计算苛刻的迭代而被执行，即使专门用于给定的扰动模型也是如此。在这项工作中，我们通过提出使用不同$ \ ell_p $ -norm扰动模型（$ p = 0，1,2，\ idty $）的快速最小规范（FMN）攻击来克服这些限制（FMN）攻击选择，不需要对抗性起点，并在很少的轻量级步骤中收敛。它通过迭代地发现在$ \ ell_p $ -norm的最大信心被错误分类的样本进行了尺寸的尺寸$ \ epsilon $的限制，同时适应$ \ epsilon $，以最小化当前样本到决策边界的距离。广泛的实验表明，FMN在收敛速度和计算时间方面显着优于现有的攻击，同时报告可比或甚至更小的扰动尺寸。

深度卷积神经网络（CNN）很容易被输入图像的细微，不可察觉的变化所欺骗。为了解决此漏洞，对抗训练会创建扰动模式，并将其包括在培训设置中以鲁棒性化模型。与仅使用阶级有限信息的现有对抗训练方法（例如，使用交叉渗透损失）相反，我们建议利用功能空间中的其他信息来促进更强的对手，这些信息又用于学习强大的模型。具体来说，我们将使用另一类的目标样本的样式和内容信息以及其班级边界信息来创建对抗性扰动。我们以深入监督的方式应用了我们提出的多任务目标，从而提取了多尺度特征知识，以创建最大程度地分开对手。随后，我们提出了一种最大边缘对抗训练方法，该方法可最大程度地减少源图像与其对手之间的距离，并最大程度地提高对手和目标图像之间的距离。与最先进的防御能力相比，我们的对抗训练方法表明了强大的鲁棒性，可以很好地推广到自然发生的损坏和数据分配变化，并保留了清洁示例的模型准确性。

由于在量化网络上的按位操作产生的有效存储器消耗和更快的计算，神经网络量化已经变得越来越受欢迎。尽管它们表现出优异的泛化能力，但其鲁棒性属性并不是很好地理解。在这项工作中，我们系统地研究量化网络对基于梯度的对抗性攻击的鲁棒性，并证明这些量化模型遭受梯度消失问题并显示出虚假的鲁棒感。通过归因于培训的网络中的渐变消失到较差的前后信号传播，我们引入了一个简单的温度缩放方法来缓解此问题，同时保留决策边界。尽管对基于梯度的对抗攻击进行了简单的修改，但具有多个网络架构的多个图像分类数据集的实验表明，我们的温度缩放攻击在量化网络上获得了近乎完美的成功率，同时表现出对普遍培训的模型以及浮动的原始攻击以及浮动 - 点网络。代码可在https://github.com/kartikgupta-at-anu/Attack-bnn获得。

尽管深层神经网络在各种任务中取得了巨大的成功，但它们对不可察觉的对抗性扰动的脆弱性阻碍了他们在现实世界中的部署。最近，与随机合奏的作品相对于经过最小的计算开销的标准对手训练（AT）模型，对对抗性训练（AT）模型的对抗性鲁棒性有了显着改善，这使它们成为安全临界资源限制应用程序的有前途解决方案。但是，这种令人印象深刻的表现提出了一个问题：这些稳健性是由随机合奏提供的吗？在这项工作中，我们从理论和经验上都解决了这个问题。从理论上讲，我们首先确定通常采用的鲁棒性评估方法（例如自适应PGD）在这种情况下提供了错误的安全感。随后，我们提出了一种理论上有效的对抗攻击算法（ARC），即使在自适应PGD无法做到这一点的情况下，也能妥协随机合奏。我们在各种网络体系结构，培训方案，数据集和规范上进行全面的实验，以支持我们的主张，并经验证明，随机合奏实际上比在模型上更容易受到$ \ ell_p $结合的对抗性扰动的影响。我们的代码可以在https://github.com/hsndbk4/arc上找到。