在测试时间进行优化的自适应防御能力有望改善对抗性鲁棒性。我们对这种自适应测试时间防御措施进行分类，解释其潜在的好处和缺点，并评估图像分类的最新自适应防御能力的代表性。不幸的是，经过我们仔细的案例研究评估时，没有任何显着改善静态防御。有些甚至削弱了基本静态模型，同时增加了推理计算。尽管这些结果令人失望，但我们仍然认为自适应测试时间防御措施是一项有希望的研究途径，因此，我们为他们的彻底评估提供了建议。我们扩展了Carlini等人的清单。（2019年）通过提供针对自适应防御的具体步骤。

The field of defense strategies against adversarial attacks has significantly grown over the last years, but progress is hampered as the evaluation of adversarial defenses is often insufficient and thus gives a wrong impression of robustness. Many promising defenses could be broken later on, making it difficult to identify the state-of-the-art. Frequent pitfalls in the evaluation are improper tuning of hyperparameters of the attacks, gradient obfuscation or masking. In this paper we first propose two extensions of the PGD-attack overcoming failures due to suboptimal step size and problems of the objective function. We then combine our novel attacks with two complementary existing ones to form a parameter-free, computationally affordable and user-independent ensemble of attacks to test adversarial robustness. We apply our ensemble to over 50 models from papers published at recent top machine learning and computer vision venues. In all except one of the cases we achieve lower robust test accuracy than reported in these papers, often by more than 10%, identifying several broken defenses.

Adaptive attacks have (rightfully) become the de facto standard for evaluating defenses to adversarial examples. We find, however, that typical adaptive evaluations are incomplete. We demonstrate that thirteen defenses recently published at ICLR, ICML and NeurIPS-and which illustrate a diverse set of defense strategies-can be circumvented despite attempting to perform evaluations using adaptive attacks. While prior evaluation papers focused mainly on the end result-showing that a defense was ineffective-this paper focuses on laying out the methodology and the approach necessary to perform an adaptive attack. Some of our attack strategies are generalizable, but no single strategy would have been sufficient for all defenses. This underlines our key message that adaptive attacks cannot be automated and always require careful and appropriate tuning to a given defense. We hope that these analyses will serve as guidance on how to properly perform adaptive attacks against defenses to adversarial examples, and thus will allow the community to make further progress in building more robust models.

We identify obfuscated gradients, a kind of gradient masking, as a phenomenon that leads to a false sense of security in defenses against adversarial examples. While defenses that cause obfuscated gradients appear to defeat iterative optimizationbased attacks, we find defenses relying on this effect can be circumvented. We describe characteristic behaviors of defenses exhibiting the effect, and for each of the three types of obfuscated gradients we discover, we develop attack techniques to overcome it. In a case study, examining noncertified white-box-secure defenses at ICLR 2018, we find obfuscated gradients are a common occurrence, with 7 of 9 defenses relying on obfuscated gradients. Our new attacks successfully circumvent 6 completely, and 1 partially, in the original threat model each paper considers.

作为研究界，我们仍然缺乏对对抗性稳健性的进展的系统理解，这通常使得难以识别训练强大模型中最有前途的想法。基准稳健性的关键挑战是，其评估往往是出错的导致鲁棒性高估。我们的目标是建立对抗性稳健性的标准化基准，尽可能准确地反映出考虑在合理的计算预算范围内所考虑的模型的稳健性。为此，我们首先考虑图像分类任务并在允许的型号上引入限制（可能在将来宽松）。我们评估了与AutoAtrack的对抗鲁棒性，白和黑箱攻击的集合，最近在大规模研究中显示，与原始出版物相比，改善了几乎所有稳健性评估。为防止对自动攻击进行新防御的过度适应，我们欢迎基于自适应攻击的外部评估，特别是在自动攻击稳健性潜在高估的地方。我们的排行榜，托管在https://robustbench.github.io/，包含120多个模型的评估，并旨在反映在$ \ ell_ \ infty $的一套明确的任务上的图像分类中的当前状态 - 和$ \ ell_2 $ -Threat模型和共同腐败，未来可能的扩展。此外，我们开源源是图书馆https://github.com/robustbench/robustbench，可以提供对80多个强大模型的统一访问，以方便他们的下游应用程序。最后，根据收集的模型，我们分析了稳健性对分布换档，校准，分配检测，公平性，隐私泄漏，平滑度和可转移性的影响。

This paper investigates recently proposed approaches for defending against adversarial examples and evaluating adversarial robustness. We motivate adversarial risk as an objective for achieving models robust to worst-case inputs. We then frame commonly used attacks and evaluation metrics as defining a tractable surrogate objective to the true adversarial risk. This suggests that models may optimize this surrogate rather than the true adversarial risk. We formalize this notion as obscurity to an adversary, and develop tools and heuristics for identifying obscured models and designing transparent models. We demonstrate that this is a significant problem in practice by repurposing gradient-free optimization techniques into adversarial attacks, which we use to decrease the accuracy of several recently proposed defenses to near zero. Our hope is that our formulations and results will help researchers to develop more powerful defenses.

我们表明，当考虑到图像域$ [0,1] ^ D $时，已建立$ L_1 $ -Projected梯度下降（PGD）攻击是次优，因为它们不认为有效的威胁模型是交叉点$ l_1 $ -ball和$ [0,1] ^ d $。我们研究了这种有效威胁模型的最陡渐进步骤的预期稀疏性，并表明该组上的确切投影是计算可行的，并且产生更好的性能。此外，我们提出了一种自适应形式的PGD，即使具有小的迭代预算，这也是非常有效的。我们的结果$ l_1 $ -apgd是一个强大的白盒攻击，表明先前的作品高估了他们的$ l_1 $ -trobustness。使用$ l_1 $ -apgd for vercersarial培训，我们获得一个强大的分类器，具有sota $ l_1 $ -trobustness。最后，我们将$ l_1 $ -apgd和平方攻击的适应组合到$ l_1 $ to $ l_1 $ -autoattack，这是一个攻击的集合，可靠地评估$ l_1 $ -ball与$的威胁模型的对抗鲁棒性进行对抗[ 0,1] ^ d $。

The evaluation of robustness against adversarial manipulation of neural networks-based classifiers is mainly tested with empirical attacks as methods for the exact computation, even when available, do not scale to large networks. We propose in this paper a new white-box adversarial attack wrt the l p -norms for p ∈ {1, 2, ∞} aiming at finding the minimal perturbation necessary to change the class of a given input. It has an intuitive geometric meaning, yields quickly high quality results, minimizes the size of the perturbation (so that it returns the robust accuracy at every threshold with a single run). It performs better or similar to stateof-the-art attacks which are partially specialized to one l p -norm, and is robust to the phenomenon of gradient masking.

Adversarial training, in which a network is trained on adversarial examples, is one of the few defenses against adversarial attacks that withstands strong attacks. Unfortunately, the high cost of generating strong adversarial examples makes standard adversarial training impractical on large-scale problems like ImageNet. We present an algorithm that eliminates the overhead cost of generating adversarial examples by recycling the gradient information computed when updating model parameters.Our "free" adversarial training algorithm achieves comparable robustness to PGD adversarial training on the CIFAR-10 and CIFAR-100 datasets at negligible additional cost compared to natural training, and can be 7 to 30 times faster than other strong adversarial training methods. Using a single workstation with 4 P100 GPUs and 2 days of runtime, we can train a robust model for the large-scale ImageNet classification task that maintains 40% accuracy against PGD attacks. The code is available at https://github.com/ashafahi/free_adv_train.

Designing powerful adversarial attacks is of paramount importance for the evaluation of $\ell_p$-bounded adversarial defenses. Projected Gradient Descent (PGD) is one of the most effective and conceptually simple algorithms to generate such adversaries. The search space of PGD is dictated by the steepest ascent directions of an objective. Despite the plethora of objective function choices, there is no universally superior option and robustness overestimation may arise from ill-suited objective selection. Driven by this observation, we postulate that the combination of different objectives through a simple loss alternating scheme renders PGD more robust towards design choices. We experimentally verify this assertion on a synthetic-data example and by evaluating our proposed method across 25 different $\ell_{\infty}$-robust models and 3 datasets. The performance improvement is consistent, when compared to the single loss counterparts. In the CIFAR-10 dataset, our strongest adversarial attack outperforms all of the white-box components of AutoAttack (AA) ensemble, as well as the most powerful attacks existing on the literature, achieving state-of-the-art results in the computational budget of our study ($T=100$, no restarts).

深度神经网络容易受到称为对抗性攻击的小输入扰动。通过迭代最大限度地减少网络对真正阶级标签的信心来构建这些对手的事实，我们提出了旨在反对这种效果的反对派层。特别地，我们的层在对手1的相反方向上产生输入扰动，并馈送分类器的输入的扰动版本。我们的方法是无培训和理论上的支持。我们通过将我们的层与名义上和强大的培训模型组合来验证我们的方法的有效性，并从黑盒进行大规模实验到CIFAR10，CIFAR100和ImageNet的自适应攻击。我们的层显着提高了模型鲁棒性，同时在清洁准确性上没有成本。

深度卷积神经网络（CNN）很容易被输入图像的细微，不可察觉的变化所欺骗。为了解决此漏洞，对抗训练会创建扰动模式，并将其包括在培训设置中以鲁棒性化模型。与仅使用阶级有限信息的现有对抗训练方法（例如，使用交叉渗透损失）相反，我们建议利用功能空间中的其他信息来促进更强的对手，这些信息又用于学习强大的模型。具体来说，我们将使用另一类的目标样本的样式和内容信息以及其班级边界信息来创建对抗性扰动。我们以深入监督的方式应用了我们提出的多任务目标，从而提取了多尺度特征知识，以创建最大程度地分开对手。随后，我们提出了一种最大边缘对抗训练方法，该方法可最大程度地减少源图像与其对手之间的距离，并最大程度地提高对手和目标图像之间的距离。与最先进的防御能力相比，我们的对抗训练方法表明了强大的鲁棒性，可以很好地推广到自然发生的损坏和数据分配变化，并保留了清洁示例的模型准确性。

对抗性训练遭受了稳健的过度装备，这是一种现象，在训练期间鲁棒测试精度开始减少。在本文中，我们专注于通过使用常见的数据增强方案来减少强大的过度装备。我们证明，与先前的发现相反，当与模型重量平均结合时，数据增强可以显着提高鲁棒精度。此外，我们比较各种增强技术，并观察到空间组合技术适用于对抗性培训。最后，我们评估了我们在Cifar-10上的方法，而不是$ \ ell_ indty $和$ \ ell_2 $ norm-indeded扰动分别为尺寸$ \ epsilon = 8/255 $和$ \ epsilon = 128/255 $。与以前的最先进的方法相比，我们表现出+ 2.93％的绝对改善+ 2.93％，+ 2.16％。特别是，反对$ \ ell_ infty $ norm-indeded扰动尺寸$ \ epsilon = 8/255 $，我们的模型达到60.07％的强劲准确性而不使用任何外部数据。我们还通过这种方法实现了显着的性能提升，同时使用其他架构和数据集如CiFar-100，SVHN和TinyimageNet。

到目前为止对抗训练是抵御对抗例子的最有效的策略。然而，由于每个训练步骤中的迭代对抗性攻击，它遭受了高的计算成本。最近的研究表明，通过随机初始化执行单步攻击，可以实现快速的对抗训练。然而，这种方法仍然落后于稳定性和模型稳健性的最先进的对手训练算法。在这项工作中，我们通过观察随机平滑的随机初始化来更好地优化内部最大化问题，对快速对抗培训进行新的理解。在这种新的视角之后，我们还提出了一种新的初始化策略，向后平滑，进一步提高单步强大培训方法的稳定性和模型稳健性。多个基准测试的实验表明，我们的方法在使用更少的训练时间（使用相同的培训计划时，使用更少的培训时间（$ \ sim $ 3x改进）时，我们的方法达到了类似的模型稳健性。

Adversarial examples are perturbed inputs designed to fool machine learning models. Adversarial training injects such examples into training data to increase robustness. To scale this technique to large datasets, perturbations are crafted using fast single-step methods that maximize a linear approximation of the model's loss. We show that this form of adversarial training converges to a degenerate global minimum, wherein small curvature artifacts near the data points obfuscate a linear approximation of the loss. The model thus learns to generate weak perturbations, rather than defend against strong ones. As a result, we find that adversarial training remains vulnerable to black-box attacks, where we transfer perturbations computed on undefended models, as well as to a powerful novel single-step attack that escapes the non-smooth vicinity of the input data via a small random step. We further introduce Ensemble Adversarial Training, a technique that augments training data with perturbations transferred from other models. On ImageNet, Ensemble Adversarial Training yields models with stronger robustness to blackbox attacks. In particular, our most robust model won the first round of the NIPS 2017 competition on Defenses against Adversarial Attacks (Kurakin et al., 2017c). However, subsequent work found that more elaborate black-box attacks could significantly enhance transferability and reduce the accuracy of our models.

神经网络对攻击的缺乏鲁棒性引起了对安全敏感环境（例如自动驾驶汽车）的担忧。虽然许多对策看起来可能很有希望，但只有少数能够承受严格的评估。使用随机变换（RT）的防御能力显示出令人印象深刻的结果，尤其是Imagenet上的Bart（Raff等，2019）。但是，这种防御尚未经过严格评估，使其稳健性的理解不足。它们的随机特性使评估更具挑战性，并使对确定性模型的许多拟议攻击不可应用。首先，我们表明BART评估中使用的BPDA攻击（Athalye等，2018a）无效，可能高估了其稳健性。然后，我们尝试通过明智的转换和贝叶斯优化来调整其参数来构建最强的RT防御。此外，我们创造了最强烈的攻击来评估我们的RT防御。我们的新攻击极大地胜过基线，与常用的EOT攻击减少19％相比，将准确性降低了83％（$ 4.3 \ times $改善）。我们的结果表明，在Imagenette数据集上的RT防御（ImageNet的十级子集）在对抗性示例上并不强大。进一步扩展研究，我们使用新的攻击来对抗RT防御（称为Advrt），从而获得了巨大的稳健性增长。代码可从https://github.com/wagner-group/demystify-random-transform获得。

深度卷积神经网络可以准确地分类各种自然图像，但是在设计时可能很容易被欺骗，图像中嵌入了不可察觉的扰动。在本文中，我们设计了一种多管齐下的培训，输入转换和图像集成系统，该系统是攻击不可知论的，不容易估计。我们的系统结合了两个新型功能。第一个是一个转换层，该转换层从集体级训练数据示例中计算级别的多项式内核，并且迭代更新在推理时间上基于其特征内核差异的输入图像副本，以创建转换后的输入集合。第二个是一个分类系统，该系统将未防御网络的预测结合在一起，对被过滤图像的合奏进行了硬投票。我们在CIFAR10数据集上的评估显示，我们的系统提高了未防御性网络在不同距离指标下的各种有界和无限的白色盒子攻击的鲁棒性，同时牺牲了清洁图像的精度很小。反对自适应的全知攻击者创建端到端攻击，我们的系统成功地增强了对抗训练的网络的现有鲁棒性，为此，我们的方法最有效地应用了。

尽管机器学习系统的效率和可扩展性，但最近的研究表明，许多分类方法，尤其是深神经网络（DNN），易受对抗的例子;即，仔细制作欺骗训练有素的分类模型的例子，同时无法区分从自然数据到人类。这使得在安全关键区域中应用DNN或相关方法可能不安全。由于这个问题是由Biggio等人确定的。 （2013）和Szegedy等人。（2014年），在这一领域已经完成了很多工作，包括开发攻击方法，以产生对抗的例子和防御技术的构建防范这些例子。本文旨在向统计界介绍这一主题及其最新发展，主要关注对抗性示例的产生和保护。在数值实验中使用的计算代码（在Python和R）公开可用于读者探讨调查的方法。本文希望提交人们将鼓励更多统计学人员在这种重要的令人兴奋的领域的产生和捍卫对抗的例子。

深度神经网络（DNN）容易受到对抗性示例的影响，其中DNN由于含有不可察觉的扰动而被误导为虚假输出。对抗性训练是一种可靠有效的防御方法，可能会大大减少神经网络的脆弱性，并成为强大学习的事实上的标准。尽管许多最近的作品实践了以数据为中心的理念，例如如何生成更好的对抗性示例或使用生成模型来产生额外的培训数据，但我们回顾了模型本身，并从深度特征分布的角度重新审视对抗性的鲁棒性有见地的互补性。在本文中，我们建议分支正交性对抗训练（BORT）获得最先进的性能，仅使用原始数据集用于对抗训练。为了练习我们整合多个正交解决方案空间的设计思想，我们利用一个简单明了的多分支神经网络，可消除对抗性攻击而不会增加推理时间。我们启发提出相应的损耗函数，分支 - 正交丢失，以使多支出模型正交的每个溶液空间。我们分别在CIFAR-10，CIFAR-100和SVHN上评估了我们的方法，分别针对\ ell _ {\ infty}的规范触发尺寸\ epsilon = 8/255。进行了详尽的实验，以表明我们的方法超出了所有最新方法，而无需任何技巧。与所有不使用其他数据进行培训的方法相比，我们的模型在CIFAR-10和CIFAR-100上实现了67.3％和41.5％的鲁棒精度（在最先进的ART上提高了 +7.23％和 +9.07％ ）。我们还使用比我们的训练组胜过比我们的方法的表现要大得多。我们所有的模型和代码均可在https://github.com/huangd1999/bort上在线获得。

对抗性训练（AT）是针对对抗分类系统的对抗性攻击的简单而有效的防御，这是基于增强训练设置的攻击，从而最大程度地提高了损失。但是，AT作为视频分类的辩护的有效性尚未得到彻底研究。我们的第一个贡献是表明，为视频生成最佳攻击需要仔细调整攻击参数，尤其是步骤大小。值得注意的是，我们证明最佳步长随攻击预算线性变化。我们的第二个贡献是表明，在训练时间使用较小（次优的）攻击预算会导致测试时的性能更加强大。根据这些发现，我们提出了三个防御攻击预算的攻击的防御。自适应AT的第一个技术是一种技术，该技术是从随着训练迭代进行的。第二个课程是一项技术，随着训练的迭代进行，攻击预算的增加。第三个生成的AT，与deno的生成对抗网络一起，以提高稳健的性能。 UCF101数据集上的实验表明，所提出的方法改善了针对多种攻击类型的对抗性鲁棒性。