Previous work has shown that a neural network with the rectified linear unit (ReLU) activation function leads to a convex polyhedral decomposition of the input space. These decompositions can be represented by a dual graph with vertices corresponding to polyhedra and edges corresponding to polyhedra sharing a facet, which is a subgraph of a Hamming graph. This paper illustrates how one can utilize the dual graph to detect and analyze adversarial attacks in the context of digital images. When an image passes through a network containing ReLU nodes, the firing or non-firing at a node can be encoded as a bit ($1$ for ReLU activation, $0$ for ReLU non-activation). The sequence of all bit activations identifies the image with a bit vector, which identifies it with a polyhedron in the decomposition and, in turn, identifies it with a vertex in the dual graph. We identify ReLU bits that are discriminators between non-adversarial and adversarial images and examine how well collections of these discriminators can ensemble vote to build an adversarial image detector. Specifically, we examine the similarities and differences of ReLU bit vectors for adversarial images, and their non-adversarial counterparts, using a pre-trained ResNet-50 architecture. While this paper focuses on adversarial digital images, ResNet-50 architecture, and the ReLU activation function, our methods extend to other network architectures, activation functions, and types of datasets.

In order for machine learning to be trusted in many applications, it is critical to be able to reliably explain why the machine learning algorithm makes certain predictions. For this reason, a variety of methods have been developed recently to interpret neural network predictions by providing, for example, feature importance maps. For both scientific robustness and security reasons, it is important to know to what extent can the interpretations be altered by small systematic perturbations to the input data, which might be generated by adversaries or by measurement biases. In this paper, we demonstrate how to generate adversarial perturbations that produce perceptively indistinguishable inputs that are assigned the same predicted label, yet have very different interpretations. We systematically characterize the robustness of interpretations generated by several widely-used feature importance interpretation methods (feature importance maps, integrated gradients, and DeepLIFT) on ImageNet and CIFAR-10. In all cases, our experiments show that systematic perturbations can lead to dramatically different interpretations without changing the label. We extend these results to show that interpretations based on exemplars (e.g. influence functions) are similarly susceptible to adversarial attack. Our analysis of the geometry of the Hessian matrix gives insight on why robustness is a general challenge to current interpretation approaches.

Deep learning has been a popular topic and has achieved success in many areas. It has drawn the attention of researchers and machine learning practitioners alike, with developed models deployed to a variety of settings. Along with its achievements, research has shown that deep learning models are vulnerable to adversarial attacks. This finding brought about a new direction in research, whereby algorithms were developed to attack and defend vulnerable networks. Our interest is in understanding how these attacks effect change on the intermediate representations of deep learning models. We present a method for measuring and analyzing the deviations in representations induced by adversarial attacks, progressively across a selected set of layers. Experiments are conducted using an assortment of attack algorithms, on the CIFAR-10 dataset, with plots created to visualize the impact of adversarial attacks across different layers in a network.

The authors thank Nicholas Carlini (UC Berkeley) and Dimitris Tsipras (MIT) for feedback to improve the survey quality. We also acknowledge X. Huang (Uni. Liverpool), K. R. Reddy (IISC), E. Valle (UNICAMP), Y. Yoo (CLAIR) and others for providing pointers to make the survey more comprehensive.

Although deep neural networks (DNNs) have achieved great success in many tasks, they can often be fooled by adversarial examples that are generated by adding small but purposeful distortions to natural examples. Previous studies to defend against adversarial examples mostly focused on refining the DNN models, but have either shown limited success or required expensive computation. We propose a new strategy, feature squeezing, that can be used to harden DNN models by detecting adversarial examples. Feature squeezing reduces the search space available to an adversary by coalescing samples that correspond to many different feature vectors in the original space into a single sample. By comparing a DNN model's prediction on the original input with that on squeezed inputs, feature squeezing detects adversarial examples with high accuracy and few false positives.This paper explores two feature squeezing methods: reducing the color bit depth of each pixel and spatial smoothing. These simple strategies are inexpensive and complementary to other defenses, and can be combined in a joint detection framework to achieve high detection rates against state-of-the-art attacks.

对卷积神经网络（CNN）的对抗性攻击的存在质疑这种模型对严重应用的适合度。攻击操纵输入图像，使得错误分类是在对人类观察者看上去正常的同时唤起的 - 因此它们不容易被检测到。在不同的上下文中，CNN隐藏层的反向传播激活（对给定输入的“特征响应”）有助于可视化人类“调试器” CNN“在计算其输出时对CNN”的看法。在这项工作中，我们提出了一种新颖的检测方法，以防止攻击。我们通过在特征响应中跟踪对抗扰动来做到这一点，从而可以使用平均局部空间熵自动检测。该方法不会改变原始的网络体系结构，并且完全可以解释。实验证实了我们对在Imagenet训练的大规模模型的最新攻击方法的有效性。

深度学习（DL）系统的安全性是一个极为重要的研究领域，因为它们正在部署在多个应用程序中，因为它们不断改善，以解决具有挑战性的任务。尽管有压倒性的承诺，但深度学习系统容易受到制作的对抗性例子的影响，这可能是人眼无法察觉的，但可能会导致模型错误分类。对基于整体技术的对抗性扰动的保护已被证明很容易受到更强大的对手的影响，或者证明缺乏端到端评估。在本文中，我们试图开发一种新的基于整体的解决方案，该解决方案构建具有不同决策边界的防御者模型相对于原始模型。通过（1）通过一种称为拆分和剃须的方法转换输入的分类器的合奏，以及（2）通过一种称为对比度功能的方法限制重要特征，显示出相对于相对于不同的梯度对抗性攻击，这减少了将对抗性示例从原始示例转移到针对同一类的防御者模型的机会。我们使用标准图像分类数据集（即MNIST，CIFAR-10和CIFAR-100）进行了广泛的实验，以实现最新的对抗攻击，以证明基于合奏的防御的鲁棒性。我们还在存在更强大的对手的情况下评估稳健性，该对手同时靶向合奏中的所有模型。已经提供了整体假阳性和误报的结果，以估计提出的方法的总体性能。

了解深度神经网络（DNN）中的黑匣子表示是深度学习的重要问题。在这项工作中，我们提出了基于图形的相似性（GBS）来测量层特征的相似性。与之前的作品相反，在特征映射上直接计算相似度，GBS根据具有隐藏图层输出构造的图形来测量相关性。通过将每个输入样本视为节点和对应的层输出相似度作为边缘，我们构造了每层的DNN表示图。图层之间的相似性识别在不同数据集和初始化中培训的模型的表示之间的对应关系。我们展示并证明了GB的不变性属性，包括与各向同性缩放的正交转换和不变性的不变性，并与CKA进行比较GBS。 GBS显示了最先进的性能，反映了相似性，并提供了关于解释隐藏层空间上的对抗性样本行为的见解。

深度学习模型已被用于各种各样的任务。它们在计算机视觉，自然语言处理，语音识别等领域普遍存在。虽然这些模型在许多情况下工作得很好，但已经表明他们容易受到对抗的攻击。这导致了对途径的研究扩散，即可以识别和/或捍卫这种攻击。我们的目标是探讨可以归因于使用多个底层模型的贡献，以用于对冲实例检测。我们的论文描述了两种方法，该方法包含来自多种模型的表示，用于检测对抗性示例。我们设计了控制实验，用于测量逐步使用额外模型的检测冲击。对于我们考虑的许多场景，结果表明，性能随着用于提取表示的底层模型的数量而增加。

机器学习算法和深度神经网络在几种感知和控制任务中的卓越性能正在推动该行业在安全关键应用中采用这种技术，作为自治机器人和自动驾驶车辆。然而，目前，需要解决几个问题，以使深入学习方法更可靠，可预测，安全，防止对抗性攻击。虽然已经提出了几种方法来提高深度神经网络的可信度，但大多数都是针对特定类的对抗示例量身定制的，因此未能检测到其他角落案件或不安全的输入，这些输入大量偏离训练样本。本文介绍了基于覆盖范式的轻量级监控架构，以增强针对不同不安全输入的模型鲁棒性。特别是，在用于评估多种检测逻辑的架构中提出并测试了四种覆盖分析方法。实验结果表明，该方法有效地检测强大的对抗性示例和分销外输入，引入有限的执行时间和内存要求。

Deep neural networks have achieved impressive experimental results in image classification, but can surprisingly be unstable with respect to adversarial perturbations, that is, minimal changes to the input image that cause the network to misclassify it. With potential applications including perception modules and end-to-end controllers for self-driving cars, this raises concerns about their safety. We develop a novel automated verification framework for feed-forward multi-layer neural networks based on Satisfiability Modulo Theory (SMT). We focus on safety of image classification decisions with respect to image manipulations, such as scratches or changes to camera angle or lighting conditions that would result in the same class being assigned by a human, and define safety for an individual decision in terms of invariance of the classification within a small neighbourhood of the original image. We enable exhaustive search of the region by employing discretisation, and propagate the analysis layer by layer. Our method works directly with the network code and, in contrast to existing methods, can guarantee that adversarial examples, if they exist, are found for the given region and family of manipulations. If found, adversarial examples can be shown to human testers and/or used to fine-tune the network. We implement the techniques using Z3 and evaluate them on state-of-the-art networks, including regularised and deep learning networks. We also compare against existing techniques to search for adversarial examples and estimate network robustness.

已知深度神经网络（DNN）容易受到用不可察觉的扰动制作的对抗性示例的影响，即，输入图像的微小变化会引起错误的分类，从而威胁着基于深度学习的部署系统的可靠性。经常采用对抗训练（AT）来通过训练损坏和干净的数据的混合物来提高DNN的鲁棒性。但是，大多数基于AT的方法在处理\ textit {转移的对抗示例}方面是无效的，这些方法是生成以欺骗各种防御模型的生成的，因此无法满足现实情况下提出的概括要求。此外，对抗性训练一般的国防模型不能对具有扰动的输入产生可解释的预测，而不同的领域专家则需要一个高度可解释的强大模型才能了解DNN的行为。在这项工作中，我们提出了一种基于Jacobian规范和选择性输入梯度正则化（J-SIGR）的方法，该方法通过Jacobian归一化提出了线性化的鲁棒性，还将基于扰动的显着性图正规化，以模仿模型的可解释预测。因此，我们既可以提高DNN的防御能力和高解释性。最后，我们评估了跨不同体系结构的方法，以针对强大的对抗性攻击。实验表明，提出的J-Sigr赋予了针对转移的对抗攻击的鲁棒性，我们还表明，来自神经网络的预测易于解释。

深度神经网络（DNN）已成为实现各种复杂任务的首选技术。但是，正如许多最近的研究所强调的那样，即使是对正确分类的输入的不可察觉的扰动也可能导致DNN错误分类。这使DNNS容易受到攻击者的战略输入操作，并且对环境噪声过敏。为了减轻这种现象，从业人员通过DNNS的“合奏”进行联合分类。通过汇总不同单个DNN的分类输出对相同的输入，基于合奏的分类可以减少因任何单个DNN的随机训练过程的特定实现而导致错误分类的风险。但是，DNN集合的有效性高度依赖于其成员 *在许多不同的输入上没有同时错误 *。在本案例研究中，我们利用DNN验证的最新进展，设计一种方法来识别一种合奏组成，即使输入对对抗性进行了扰动，也不太容易出现同时误差 - 从而导致基于更坚固的集合分类。我们提出的框架使用DNN验证器作为后端，并包括启发式方法，有助于降低直接验证合奏的高复杂性。从更广泛的角度来看，我们的工作提出了一个新颖的普遍目标，以实现正式验证，该目标可能可以改善各种应用领域的现实世界中基于深度学习的系统的鲁棒性。

We present AI 2 , the first sound and scalable analyzer for deep neural networks. Based on overapproximation, AI 2 can automatically prove safety properties (e.g., robustness) of realistic neural networks (e.g., convolutional neural networks).The key insight behind AI 2 is to phrase reasoning about safety and robustness of neural networks in terms of classic abstract interpretation, enabling us to leverage decades of advances in that area. Concretely, we introduce abstract transformers that capture the behavior of fully connected and convolutional neural network layers with rectified linear unit activations (ReLU), as well as max pooling layers. This allows us to handle real-world neural networks, which are often built out of those types of layers.We present a complete implementation of AI 2 together with an extensive evaluation on 20 neural networks. Our results demonstrate that: (i) AI 2 is precise enough to prove useful specifications (e.g., robustness), (ii) AI 2 can be used to certify the effectiveness of state-of-the-art defenses for neural networks, (iii) AI 2 is significantly faster than existing analyzers based on symbolic analysis, which often take hours to verify simple fully connected networks, and (iv) AI 2 can handle deep convolutional networks, which are beyond the reach of existing methods.

通常，深度神经网络（DNN）是通过在训练阶段排除的未见数据测量的概括性能评估的。随着DNN的发展，概括性能会收敛到最新的，并且很难仅基于该指标评估DNN。对抗攻击的鲁棒性已被用作通过测量其脆弱性来评估DNN的额外指标。但是，很少有研究通过DNN中的几何形状来分析对抗性鲁棒性。在这项工作中，我们进行了一项实证研究，以分析影响对抗性攻击下模型鲁棒性的DNN的内部特性。特别是，我们提出了人口稠密区域集（PRS）的新颖概念，其中训练样本更频繁地代表在实际环境中DNN的内部特性。从对拟议概念进行的系统实验，我们提供了经验证据，以证明低PRS比与DNNS的对抗鲁棒性具有牢固的关系。我们还设计了PRS正常器利用PRS的特征来改善对抗性鲁棒性，而无需对抗训练。

普遍的对策扰动是图像不可思议的和模型 - 无关的噪声，当添加到任何图像时可以误导训练的深卷积神经网络进入错误的预测。由于这些普遍的对抗性扰动可以严重危害实践深度学习应用的安全性和完整性，因此现有技术使用额外的神经网络来检测输入图像源的这些噪声的存在。在本文中，我们展示了一种攻击策略，即通过流氓手段激活（例如，恶意软件，木马）可以通过增强AI硬件加速器级的对抗噪声来绕过这些现有对策。我们使用Conv2D功能软件内核的共同仿真和FuseSoC环境下的硬件的Verilog RTL模型的共同仿真，展示了关于几个深度学习模型的加速度普遍对抗噪声。

Although deep learning has made remarkable progress in processing various types of data such as images, text and speech, they are known to be susceptible to adversarial perturbations: perturbations specifically designed and added to the input to make the target model produce erroneous output. Most of the existing studies on generating adversarial perturbations attempt to perturb the entire input indiscriminately. In this paper, we propose ExploreADV, a general and flexible adversarial attack system that is capable of modeling regional and imperceptible attacks, allowing users to explore various kinds of adversarial examples as needed. We adapt and combine two existing boundary attack methods, DeepFool and Brendel\&Bethge Attack, and propose a mask-constrained adversarial attack system, which generates minimal adversarial perturbations under the pixel-level constraints, namely ``mask-constraints''. We study different ways of generating such mask-constraints considering the variance and importance of the input features, and show that our adversarial attack system offers users good flexibility to focus on sub-regions of inputs, explore imperceptible perturbations and understand the vulnerability of pixels/regions to adversarial attacks. We demonstrate our system to be effective based on extensive experiments and user study.

许多最先进的ML模型在各种任务中具有优于图像分类的人类。具有如此出色的性能，ML模型今天被广泛使用。然而，存在对抗性攻击和数据中毒攻击的真正符合ML模型的稳健性。例如，Engstrom等人。证明了最先进的图像分类器可以容易地被任意图像上的小旋转欺骗。由于ML系统越来越纳入安全性和安全敏感的应用，对抗攻击和数据中毒攻击构成了相当大的威胁。本章侧重于ML安全的两个广泛和重要的领域：对抗攻击和数据中毒攻击。

在这项研究中，我们介绍了机器感知的措施，灵感来自于人类感知的概念（JND）的概念。基于该措施，我们提出了一种对抗性图像生成算法，其通过添加剂噪声迭代地扭曲图像，直到模型通过输出错误标签来检测图像中的变化。添加到原始图像的噪声被定义为模型成本函数的梯度。定义了一种新的成本函数，以明确地最小化应用于输入图像的扰动量，同时强制执行对抗和输入图像之间的感知相似性。为此目的，经过众所周知的总变化和有界范围术语来规范成本函数，以满足对抗图像的自然外观。我们评估我们的算法在CiFar10，ImageNet和MS Coco Datasets上定性和定量地生成的对抗性图像。我们对图像分类和对象检测任务的实验表明，通过我们的JND方法产生的对抗性图像在欺骗识别/检测模型以及与由最先进的方法产生的图像相比，扰动扰动，即， FGV，FSGM和Deepfool方法。

在本文中，我们提出了一种防御策略，以通过合并隐藏的层表示来改善对抗性鲁棒性。这种防御策略的关键旨在压缩或过滤输入信息，包括对抗扰动。而且这种防御策略可以被视为一种激活函数，可以应用于任何类型的神经网络。从理论上讲，我们在某些条件下也证明了这种防御策略的有效性。此外，合并隐藏层表示，我们提出了三种类型的对抗攻击，分别生成三种类型的对抗示例。实验表明，我们的防御方法可以显着改善深神经网络的对抗性鲁棒性，即使我们不采用对抗性训练，也可以实现最新的表现。