评估对抗性鲁棒性的量，以找到有输入样品被错误分类所需的最小扰动。底层优化的固有复杂性需要仔细调整基于梯度的攻击，初始化，并且可能为许多计算苛刻的迭代而被执行，即使专门用于给定的扰动模型也是如此。在这项工作中，我们通过提出使用不同$ \ ell_p $ -norm扰动模型（$ p = 0，1,2，\ idty $）的快速最小规范（FMN）攻击来克服这些限制（FMN）攻击选择，不需要对抗性起点，并在很少的轻量级步骤中收敛。它通过迭代地发现在$ \ ell_p $ -norm的最大信心被错误分类的样本进行了尺寸的尺寸$ \ epsilon $的限制，同时适应$ \ epsilon $，以最小化当前样本到决策边界的距离。广泛的实验表明，FMN在收敛速度和计算时间方面显着优于现有的攻击，同时报告可比或甚至更小的扰动尺寸。

The evaluation of robustness against adversarial manipulation of neural networks-based classifiers is mainly tested with empirical attacks as methods for the exact computation, even when available, do not scale to large networks. We propose in this paper a new white-box adversarial attack wrt the l p -norms for p ∈ {1, 2, ∞} aiming at finding the minimal perturbation necessary to change the class of a given input. It has an intuitive geometric meaning, yields quickly high quality results, minimizes the size of the perturbation (so that it returns the robust accuracy at every threshold with a single run). It performs better or similar to stateof-the-art attacks which are partially specialized to one l p -norm, and is robust to the phenomenon of gradient masking.

The field of defense strategies against adversarial attacks has significantly grown over the last years, but progress is hampered as the evaluation of adversarial defenses is often insufficient and thus gives a wrong impression of robustness. Many promising defenses could be broken later on, making it difficult to identify the state-of-the-art. Frequent pitfalls in the evaluation are improper tuning of hyperparameters of the attacks, gradient obfuscation or masking. In this paper we first propose two extensions of the PGD-attack overcoming failures due to suboptimal step size and problems of the objective function. We then combine our novel attacks with two complementary existing ones to form a parameter-free, computationally affordable and user-independent ensemble of attacks to test adversarial robustness. We apply our ensemble to over 50 models from papers published at recent top machine learning and computer vision venues. In all except one of the cases we achieve lower robust test accuracy than reported in these papers, often by more than 10%, identifying several broken defenses.

We propose the Square Attack, a score-based black-box l2and l∞-adversarial attack that does not rely on local gradient information and thus is not affected by gradient masking. Square Attack is based on a randomized search scheme which selects localized squareshaped updates at random positions so that at each iteration the perturbation is situated approximately at the boundary of the feasible set. Our method is significantly more query efficient and achieves a higher success rate compared to the state-of-the-art methods, especially in the untargeted setting. In particular, on ImageNet we improve the average query efficiency in the untargeted setting for various deep networks by a factor of at least 1.8 and up to 3 compared to the recent state-ofthe-art l∞-attack of Al-Dujaili & OReilly (2020). Moreover, although our attack is black-box, it can also outperform gradient-based white-box attacks on the standard benchmarks achieving a new state-of-the-art in terms of the success rate. The code of our attack is available at https://github.com/max-andr/square-attack.

Adaptive attacks have (rightfully) become the de facto standard for evaluating defenses to adversarial examples. We find, however, that typical adaptive evaluations are incomplete. We demonstrate that thirteen defenses recently published at ICLR, ICML and NeurIPS-and which illustrate a diverse set of defense strategies-can be circumvented despite attempting to perform evaluations using adaptive attacks. While prior evaluation papers focused mainly on the end result-showing that a defense was ineffective-this paper focuses on laying out the methodology and the approach necessary to perform an adaptive attack. Some of our attack strategies are generalizable, but no single strategy would have been sufficient for all defenses. This underlines our key message that adaptive attacks cannot be automated and always require careful and appropriate tuning to a given defense. We hope that these analyses will serve as guidance on how to properly perform adaptive attacks against defenses to adversarial examples, and thus will allow the community to make further progress in building more robust models.

评估机器学习模型对对抗性示例的鲁棒性是一个具有挑战性的问题。已经证明，许多防御能力通过导致基于梯度的攻击失败，从而提供了一种错误的鲁棒感，并且在更严格的评估下它们已被打破。尽管已经提出了指南和最佳实践来改善当前的对抗性鲁棒性评估，但缺乏自动测试和调试工具，使以系统的方式应用这些建议变得困难。在这项工作中，我们通过以下方式克服了这些局限性：（i）根据它们如何影响基于梯度的攻击的优化对攻击失败进行分类，同时还揭示了两种影响许多流行攻击实施和过去评估的新型故障； （ii）提出了六个新的失败指标，以自动检测到攻击优化过程中这种失败的存在； （iii）建议采用系统协议来应用相应的修复程序。我们广泛的实验分析涉及3个不同的应用域中的15多个模型，表明我们的失败指标可用于调试和改善当前的对抗性鲁棒性评估，从而为自动化和系统化它们提供了第一步。我们的开源代码可在以下网址获得：https：//github.com/pralab/indicatorsofattackfailure。

Although deep learning has made remarkable progress in processing various types of data such as images, text and speech, they are known to be susceptible to adversarial perturbations: perturbations specifically designed and added to the input to make the target model produce erroneous output. Most of the existing studies on generating adversarial perturbations attempt to perturb the entire input indiscriminately. In this paper, we propose ExploreADV, a general and flexible adversarial attack system that is capable of modeling regional and imperceptible attacks, allowing users to explore various kinds of adversarial examples as needed. We adapt and combine two existing boundary attack methods, DeepFool and Brendel\&Bethge Attack, and propose a mask-constrained adversarial attack system, which generates minimal adversarial perturbations under the pixel-level constraints, namely ``mask-constraints''. We study different ways of generating such mask-constraints considering the variance and importance of the input features, and show that our adversarial attack system offers users good flexibility to focus on sub-regions of inputs, explore imperceptible perturbations and understand the vulnerability of pixels/regions to adversarial attacks. We demonstrate our system to be effective based on extensive experiments and user study.

Designing powerful adversarial attacks is of paramount importance for the evaluation of $\ell_p$-bounded adversarial defenses. Projected Gradient Descent (PGD) is one of the most effective and conceptually simple algorithms to generate such adversaries. The search space of PGD is dictated by the steepest ascent directions of an objective. Despite the plethora of objective function choices, there is no universally superior option and robustness overestimation may arise from ill-suited objective selection. Driven by this observation, we postulate that the combination of different objectives through a simple loss alternating scheme renders PGD more robust towards design choices. We experimentally verify this assertion on a synthetic-data example and by evaluating our proposed method across 25 different $\ell_{\infty}$-robust models and 3 datasets. The performance improvement is consistent, when compared to the single loss counterparts. In the CIFAR-10 dataset, our strongest adversarial attack outperforms all of the white-box components of AutoAttack (AA) ensemble, as well as the most powerful attacks existing on the literature, achieving state-of-the-art results in the computational budget of our study ($T=100$, no restarts).

Recent work has demonstrated that deep neural networks are vulnerable to adversarial examples-inputs that are almost indistinguishable from natural data and yet classified incorrectly by the network. In fact, some of the latest findings suggest that the existence of adversarial attacks may be an inherent weakness of deep learning models. To address this problem, we study the adversarial robustness of neural networks through the lens of robust optimization. This approach provides us with a broad and unifying view on much of the prior work on this topic. Its principled nature also enables us to identify methods for both training and attacking neural networks that are reliable and, in a certain sense, universal. In particular, they specify a concrete security guarantee that would protect against any adversary. These methods let us train networks with significantly improved resistance to a wide range of adversarial attacks. They also suggest the notion of security against a first-order adversary as a natural and broad security guarantee. We believe that robustness against such well-defined classes of adversaries is an important stepping stone towards fully resistant deep learning models. 1

The goal of a decision-based adversarial attack on a trained model is to generate adversarial examples based solely on observing output labels returned by the targeted model. We develop HopSkipJumpAttack, a family of algorithms based on a novel estimate of the gradient direction using binary information at the decision boundary. The proposed family includes both untargeted and targeted attacks optimized for 2 and ∞ similarity metrics respectively. Theoretical analysis is provided for the proposed algorithms and the gradient direction estimate. Experiments show HopSkipJumpAttack requires significantly fewer model queries than several state-of-the-art decision-based adversarial attacks. It also achieves competitive performance in attacking several widely-used defense mechanisms.

机器学习模型严重易于来自对抗性示例的逃避攻击。通常，对逆势示例的修改输入类似于原始输入的修改输入，在WhiteBox设置下由对手的WhiteBox设置构成，完全访问模型。然而，最近的攻击已经显示出使用BlackBox攻击的对逆势示例的查询号显着减少。特别是，警报是从越来越多的机器学习提供的经过培训的模型的访问界面中利用分类决定作为包括Google，Microsoft，IBM的服务提供商，并由包含这些模型的多种应用程序使用的服务提供商来利用培训的模型。对手仅利用来自模型的预测标签的能力被区别为基于决策的攻击。在我们的研究中，我们首先深入潜入最近的ICLR和SP的最先进的决策攻击，以突出发现低失真对抗采用梯度估计方法的昂贵性质。我们开发了一种强大的查询高效攻击，能够避免在梯度估计方法中看到的嘈杂渐变中的局部最小和误导中的截留。我们提出的攻击方法，ramboattack利用随机块坐标下降的概念来探索隐藏的分类器歧管，针对扰动来操纵局部输入功能以解决梯度估计方法的问题。重要的是，ramboattack对对对手和目标类别可用的不同样本输入更加强大。总的来说，对于给定的目标类，ramboattack被证明在实现给定查询预算的较低失真时更加强大。我们使用大规模的高分辨率ImageNet数据集来策划我们的广泛结果，并在GitHub上开源我们的攻击，测试样本和伪影。

我们表明，当考虑到图像域$ [0,1] ^ D $时，已建立$ L_1 $ -Projected梯度下降（PGD）攻击是次优，因为它们不认为有效的威胁模型是交叉点$ l_1 $ -ball和$ [0,1] ^ d $。我们研究了这种有效威胁模型的最陡渐进步骤的预期稀疏性，并表明该组上的确切投影是计算可行的，并且产生更好的性能。此外，我们提出了一种自适应形式的PGD，即使具有小的迭代预算，这也是非常有效的。我们的结果$ l_1 $ -apgd是一个强大的白盒攻击，表明先前的作品高估了他们的$ l_1 $ -trobustness。使用$ l_1 $ -apgd for vercersarial培训，我们获得一个强大的分类器，具有sota $ l_1 $ -trobustness。最后，我们将$ l_1 $ -apgd和平方攻击的适应组合到$ l_1 $ to $ l_1 $ -autoattack，这是一个攻击的集合，可靠地评估$ l_1 $ -ball与$的威胁模型的对抗鲁棒性进行对抗[ 0,1] ^ d $。

深度神经网络针对对抗性例子的脆弱性已成为将这些模型部署在敏感领域中的重要问题。事实证明，针对这种攻击的明确防御是具有挑战性的，依赖于检测对抗样本的方法只有在攻击者忽略检测机制时才有效。在本文中，我们提出了一种原则性的对抗示例检测方法，该方法可以承受规范受限的白色框攻击。受K类分类问题的启发，我们训练K二进制分类器，其中I-th二进制分类器用于区分I类的清洁数据和其他类的对抗性样本。在测试时，我们首先使用训练有素的分类器获取输入的预测标签（例如k），然后使用k-th二进制分类器来确定输入是否为干净的样本（k类）或对抗的扰动示例（其他类）。我们进一步设计了一种生成方法来通过将每个二进制分类器解释为类别条件数据的无标准密度模型来检测/分类对抗示例。我们提供上述对抗性示例检测/分类方法的全面评估，并证明其竞争性能和引人注目的特性。

评估防御模型的稳健性是对抗对抗鲁棒性研究的具有挑战性的任务。僵化的渐变，先前已经发现了一种梯度掩蔽，以许多防御方法存在并导致鲁棒性的错误信号。在本文中，我们确定了一种更细微的情况，称为不平衡梯度，也可能导致过高的对抗性鲁棒性。当边缘损耗的一个术语的梯度主导并将攻击朝向次优化方向推动时，发生不平衡梯度的现象。为了利用不平衡的梯度，我们制定了分解利润率损失的边缘分解（MD）攻击，并通过两阶段过程分别探讨了这些术语的攻击性。我们还提出了一个Multared和Ensemble版本的MD攻击。通过调查自2018年以来提出的17个防御模型，我们发现6种型号易受不平衡梯度的影响，我们的MD攻击可以减少由最佳基线独立攻击评估的鲁棒性另外2％。我们还提供了对不平衡梯度的可能原因和有效对策的深入分析。

许多最先进的ML模型在各种任务中具有优于图像分类的人类。具有如此出色的性能，ML模型今天被广泛使用。然而，存在对抗性攻击和数据中毒攻击的真正符合ML模型的稳健性。例如，Engstrom等人。证明了最先进的图像分类器可以容易地被任意图像上的小旋转欺骗。由于ML系统越来越纳入安全性和安全敏感的应用，对抗攻击和数据中毒攻击构成了相当大的威胁。本章侧重于ML安全的两个广泛和重要的领域：对抗攻击和数据中毒攻击。

This paper investigates recently proposed approaches for defending against adversarial examples and evaluating adversarial robustness. We motivate adversarial risk as an objective for achieving models robust to worst-case inputs. We then frame commonly used attacks and evaluation metrics as defining a tractable surrogate objective to the true adversarial risk. This suggests that models may optimize this surrogate rather than the true adversarial risk. We formalize this notion as obscurity to an adversary, and develop tools and heuristics for identifying obscured models and designing transparent models. We demonstrate that this is a significant problem in practice by repurposing gradient-free optimization techniques into adversarial attacks, which we use to decrease the accuracy of several recently proposed defenses to near zero. Our hope is that our formulations and results will help researchers to develop more powerful defenses.

对对抗性攻击的鲁棒性通常以对抗精度评估。但是，该指标太粗糙，无法正确捕获机器学习模型的所有鲁棒性。当对强烈的攻击进行评估时，许多防御能力并不能提供准确的改进，同时仍会部分贡献对抗性鲁棒性。流行的认证方法遇到了同一问题，因为它们提供了准确性的下限。为了捕获更精细的鲁棒性属性，我们提出了一个针对L2鲁棒性，对抗角稀疏性的新指标，该指标部分回答了“输入周围有多少个对抗性示例”的问题。我们通过评估“强”和“弱”的防御能力来证明其有用性。我们表明，一些最先进的防御能力具有非常相似的精度，在它们不强大的输入上可能具有截然不同的稀疏性。我们还表明，一些弱防御能力实际上会降低鲁棒性，而另一些防御能力则以无法捕获的准确性来加强它。这些差异可以预测这种防御与对抗性训练相结合时的实用性。

虽然深度神经网络在各种任务中表现出前所未有的性能，但对对抗性示例的脆弱性阻碍了他们在安全关键系统中的部署。许多研究表明，即使在黑盒设置中也可能攻击，其中攻击者无法访问目标模型的内部信息。大多数黑匣子攻击基于查询，每个都可以获得目标模型的输入输出，并且许多研究侧重于减少所需查询的数量。在本文中，我们注意了目标模型的输出完全对应于查询输入的隐含假设。如果将某些随机性引入模型中，它可以打破假设，因此，基于查询的攻击可能在梯度估计和本地搜索中具有巨大的困难，这是其攻击过程的核心。从这种动机来看，我们甚至观察到一个小的添加剂输入噪声可以中和大多数基于查询的攻击和名称这个简单但有效的方法小噪声防御（SND）。我们分析了SND如何防御基于查询的黑匣子攻击，并展示其与CIFAR-10和ImageNet数据集的八种最先进的攻击有效性。即使具有强大的防御能力，SND几乎保持了原始的分类准确性和计算速度。通过在推断下仅添加一行代码，SND很容易适用于预先训练的模型。

Neural networks provide state-of-the-art results for most machine learning tasks. Unfortunately, neural networks are vulnerable to adversarial examples: given an input x and any target classification t, it is possible to find a new input x that is similar to x but classified as t. This makes it difficult to apply neural networks in security-critical areas. Defensive distillation is a recently proposed approach that can take an arbitrary neural network, and increase its robustness, reducing the success rate of current attacks' ability to find adversarial examples from 95% to 0.5%.In this paper, we demonstrate that defensive distillation does not significantly increase the robustness of neural networks by introducing three new attack algorithms that are successful on both distilled and undistilled neural networks with 100% probability. Our attacks are tailored to three distance metrics used previously in the literature, and when compared to previous adversarial example generation algorithms, our attacks are often much more effective (and never worse). Furthermore, we propose using high-confidence adversarial examples in a simple transferability test we show can also be used to break defensive distillation. We hope our attacks will be used as a benchmark in future defense attempts to create neural networks that resist adversarial examples.

添加到输入的最小侵犯扰动已被证明在愚弄深度神经网络方面有效。在本文中，我们介绍了几种创新，使白盒子目标攻击遵循攻击者的目标：欺骗模型将更高的目标类概率分配比任何其他更高的概率，同时停留在距原始距离的指定距离内输入。首先，我们提出了一种新的损失函数，明确地捕获了目标攻击的目标，特别是通过使用所有类的Logits而不是仅仅是一个子集。我们表明，具有这种损失功能的自动PGD比与其他常用损耗功能相比发现更多的对抗示例。其次，我们提出了一种新的攻击方法，它使用进一步发发版本的我们的损失函数捕获错误分类目标和$ l _ {\ infty} $距离限制$ \ epsilon $。这种新的攻击方法在CIFAR10 DataSet上比较成功了1.5--4.2％，而在ImageNet DataSet上比下一个最先进的攻击更成功。我们使用统计测试确认，我们的攻击优于最先进的攻击不同数据集和$ \ epsilon $和不同防御的价值。