Adversarial attacks to image classification systems present challenges to convolutional networks and opportunities for understanding them. This study suggests that adversarial perturbations on images lead to noise in the features constructed by these networks. Motivated by this observation, we develop new network architectures that increase adversarial robustness by performing feature denoising. Specifically, our networks contain blocks that denoise the features using non-local means or other filters; the entire networks are trained end-to-end. When combined with adversarial training, our feature denoising networks substantially improve the state-of-the-art in adversarial robustness in both white-box and black-box attack settings. On ImageNet, under 10-iteration PGD white-box attacks where prior art has 27.9% accuracy, our method achieves 55.7%; even under extreme 2000-iteration PGD white-box attacks, our method secures 42.6% accuracy. Our method was ranked first in Competition on Adversarial Attacks and Defenses (CAAD) 2018 -it achieved 50.6% classification accuracy on a secret, ImageNet-like test dataset against 48 unknown attackers, surpassing the runner-up approach by ∼10%. Code is available at https://github.com/facebookresearch/ ImageNet-Adversarial-Training.

Neural networks are vulnerable to adversarial examples, which poses a threat to their application in security sensitive systems. We propose high-level representation guided denoiser (HGD) as a defense for image classification. Standard denoiser suffers from the error amplification effect, in which small residual adversarial noise is progressively amplified and leads to wrong classifications. HGD overcomes this problem by using a loss function defined as the difference between the target model's outputs activated by the clean image and denoised image. Compared with ensemble adversarial training which is the state-of-the-art defending method on large images, HGD has three advantages. First, with HGD as a defense, the target model is more robust to either white-box or black-box adversarial attacks. Second, HGD can be trained on a small subset of the images and generalizes well to other images and unseen classes. Third, HGD can be transferred to defend models other than the one guiding it. In NIPS competition on defense against adversarial attacks, our HGD solution won the first place and outperformed other models by a large margin. 1 * Equal contribution.

我们提出了一种新颖且有效的纯化基于纯化的普通防御方法，用于预处理盲目的白色和黑匣子攻击。我们的方法仅在一般图像上进行了自我监督学习，在计算上效率和培训，而不需要对分类模型的任何对抗训练或再培训。我们首先显示对原始图像与其对抗示例之间的残余的对抗噪声的实证分析，几乎均为对称分布。基于该观察，我们提出了一种非常简单的迭代高斯平滑（GS），其可以有效地平滑对抗性噪声并实现大大高的鲁棒精度。为了进一步改进它，我们提出了神经上下文迭代平滑（NCIS），其以自我监督的方式列举盲点网络（BSN）以重建GS也平滑的原始图像的辨别特征。从我们使用四种分类模型对大型想象成的广泛实验，我们表明我们的方法既竞争竞争标准精度和最先进的强大精度，则针对最强大的净化器 - 盲目的白色和黑匣子攻击。此外，我们提出了一种用于评估基于商业图像分类API的纯化方法的新基准，例如AWS，Azure，Clarifai和Google。我们通过基于集合转移的黑匣子攻击产生对抗性实例，这可以促进API的完全错误分类，并证明我们的方法可用于增加API的抗逆性鲁棒性。

随着技术的发展，卷积神经网络的应用改善了我们生活的便利。但是，在图像分类字段中，已经发现，当将某些扰动添加到图像中时，CNN会将其错误分类。因此，已经提出了各种防御方法。先前的方法仅考虑了如何将模块合并到网络中以提高鲁棒性，但并未关注模块合并的方式。在本文中，我们设计了一种新的融合方法来增强CNN的鲁棒性。我们使用基于DOT产品的方法将Denoising模块添加到RESNET18和注意机制中，以进一步提高模型的鲁棒性。CIFAR10上的实验结果表明，我们的方法比FGSM和PGD攻击下的最新方法更好，并且更好。

Although deep neural networks (DNNs) have achieved great success in many tasks, they can often be fooled by adversarial examples that are generated by adding small but purposeful distortions to natural examples. Previous studies to defend against adversarial examples mostly focused on refining the DNN models, but have either shown limited success or required expensive computation. We propose a new strategy, feature squeezing, that can be used to harden DNN models by detecting adversarial examples. Feature squeezing reduces the search space available to an adversary by coalescing samples that correspond to many different feature vectors in the original space into a single sample. By comparing a DNN model's prediction on the original input with that on squeezed inputs, feature squeezing detects adversarial examples with high accuracy and few false positives.This paper explores two feature squeezing methods: reducing the color bit depth of each pixel and spatial smoothing. These simple strategies are inexpensive and complementary to other defenses, and can be combined in a joint detection framework to achieve high detection rates against state-of-the-art attacks.

This paper investigates strategies that defend against adversarial-example attacks on image-classification systems by transforming the inputs before feeding them to the system. Specifically, we study applying image transformations such as bit-depth reduction, JPEG compression, total variance minimization, and image quilting before feeding the image to a convolutional network classifier. Our experiments on ImageNet show that total variance minimization and image quilting are very effective defenses in practice, in particular, when the network is trained on transformed images. The strength of those defenses lies in their non-differentiable nature and their inherent randomness, which makes it difficult for an adversary to circumvent the defenses. Our best defense eliminates 60% of strong gray-box and 90% of strong black-box attacks by a variety of major attack methods.

我们从频道明智激活的角度调查CNN的对抗性鲁棒性。通过比较\ Textit {非鲁棒}（通常训练）和\ exingit {REXITIT {REARUSTIFIED}（普及培训的）模型，我们观察到对抗性培训（AT）通过将频道明智的数据与自然的渠道和自然的对抗激活对齐来强调CNN同行。然而，在处理逆势数据时仍仍会过度激活以\ texit {excy-computive}（nr）的频道仍会过度激活。此外，我们还观察到，在所有课程上不会导致类似的稳健性。对于强大的类，具有较大激活大小的频道通常是更长的\ extedit {正相关}（pr）到预测，但这种对齐不适用于非鲁棒类。鉴于这些观察结果，我们假设抑制NR通道并对齐PR与其相关性进一步增强了在其下的CNN的鲁棒性。为了检查这个假设，我们介绍了一种新的机制，即\下划线{C} Hannel-Wise \ Underline {i} Mportance的\下划线{F} eature \ Underline {s}选举（CIFS）。 CIFS通过基于与预测的相关性产生非负乘法器来操纵某些层的激活。在包括CIFAR10和SVHN的基准数据集上的广泛实验明确验证了强制性CNN的假设和CIFS的有效性。 \ url {https://github.com/hanshuyan/cifs}

通过对数据集的样本应用小而有意的最差情况扰动可以产生对抗性输入，这导致甚至最先进的深神经网络，以高信任输出不正确的答案。因此，开发了一些对抗防御技术来提高模型的安全性和稳健性，并避免它们被攻击。逐渐，攻击者和捍卫者之间的游戏类似的竞争，其中两个玩家都会试图在最大化自己的收益的同时互相反对发挥最佳策略。为了解决游戏，每个玩家都基于对对手的战略选择的预测来选择反对对手的最佳策略。在这项工作中，我们正处于防守方面，以申请防止攻击的游戏理论方法。我们使用两个随机化方法，随机初始化和随机激活修剪，以创造网络的多样性。此外，我们使用一种去噪技术，超级分辨率，通过在攻击前预处理图像来改善模型的鲁棒性。我们的实验结果表明，这三种方法可以有效提高深度学习神经网络的鲁棒性。

Adversarial training, in which a network is trained on adversarial examples, is one of the few defenses against adversarial attacks that withstands strong attacks. Unfortunately, the high cost of generating strong adversarial examples makes standard adversarial training impractical on large-scale problems like ImageNet. We present an algorithm that eliminates the overhead cost of generating adversarial examples by recycling the gradient information computed when updating model parameters.Our "free" adversarial training algorithm achieves comparable robustness to PGD adversarial training on the CIFAR-10 and CIFAR-100 datasets at negligible additional cost compared to natural training, and can be 7 to 30 times faster than other strong adversarial training methods. Using a single workstation with 4 P100 GPUs and 2 days of runtime, we can train a robust model for the large-scale ImageNet classification task that maintains 40% accuracy against PGD attacks. The code is available at https://github.com/ashafahi/free_adv_train.

已知深度神经网络（DNN）容易受到用不可察觉的扰动制作的对抗性示例的影响，即，输入图像的微小变化会引起错误的分类，从而威胁着基于深度学习的部署系统的可靠性。经常采用对抗训练（AT）来通过训练损坏和干净的数据的混合物来提高DNN的鲁棒性。但是，大多数基于AT的方法在处理\ textit {转移的对抗示例}方面是无效的，这些方法是生成以欺骗各种防御模型的生成的，因此无法满足现实情况下提出的概括要求。此外，对抗性训练一般的国防模型不能对具有扰动的输入产生可解释的预测，而不同的领域专家则需要一个高度可解释的强大模型才能了解DNN的行为。在这项工作中，我们提出了一种基于Jacobian规范和选择性输入梯度正则化（J-SIGR）的方法，该方法通过Jacobian归一化提出了线性化的鲁棒性，还将基于扰动的显着性图正规化，以模仿模型的可解释预测。因此，我们既可以提高DNN的防御能力和高解释性。最后，我们评估了跨不同体系结构的方法，以针对强大的对抗性攻击。实验表明，提出的J-Sigr赋予了针对转移的对抗攻击的鲁棒性，我们还表明，来自神经网络的预测易于解释。

Though CNNs have achieved the state-of-the-art performance on various vision tasks, they are vulnerable to adversarial examples -crafted by adding human-imperceptible perturbations to clean images. However, most of the existing adversarial attacks only achieve relatively low success rates under the challenging black-box setting, where the attackers have no knowledge of the model structure and parameters. To this end, we propose to improve the transferability of adversarial examples by creating diverse input patterns. Instead of only using the original images to generate adversarial examples, our method applies random transformations to the input images at each iteration. Extensive experiments on ImageNet show that the proposed attack method can generate adversarial examples that transfer much better to different networks than existing baselines. By evaluating our method against top defense solutions and official baselines from NIPS 2017 adversarial competition, the enhanced attack reaches an average success rate of 73.0%, which outperforms the top-1 attack submission in the NIPS competition by a large margin of 6.6%. We hope that our proposed attack strategy can serve as a strong benchmark baseline for evaluating the robustness of networks to adversaries and the effectiveness of different defense methods in the future. Code is available at https: //github.com/cihangxie/DI-2-FGSM .

We propose the Square Attack, a score-based black-box l2and l∞-adversarial attack that does not rely on local gradient information and thus is not affected by gradient masking. Square Attack is based on a randomized search scheme which selects localized squareshaped updates at random positions so that at each iteration the perturbation is situated approximately at the boundary of the feasible set. Our method is significantly more query efficient and achieves a higher success rate compared to the state-of-the-art methods, especially in the untargeted setting. In particular, on ImageNet we improve the average query efficiency in the untargeted setting for various deep networks by a factor of at least 1.8 and up to 3 compared to the recent state-ofthe-art l∞-attack of Al-Dujaili & OReilly (2020). Moreover, although our attack is black-box, it can also outperform gradient-based white-box attacks on the standard benchmarks achieving a new state-of-the-art in terms of the success rate. The code of our attack is available at https://github.com/max-andr/square-attack.

Recent work has demonstrated that deep neural networks are vulnerable to adversarial examples-inputs that are almost indistinguishable from natural data and yet classified incorrectly by the network. In fact, some of the latest findings suggest that the existence of adversarial attacks may be an inherent weakness of deep learning models. To address this problem, we study the adversarial robustness of neural networks through the lens of robust optimization. This approach provides us with a broad and unifying view on much of the prior work on this topic. Its principled nature also enables us to identify methods for both training and attacking neural networks that are reliable and, in a certain sense, universal. In particular, they specify a concrete security guarantee that would protect against any adversary. These methods let us train networks with significantly improved resistance to a wide range of adversarial attacks. They also suggest the notion of security against a first-order adversary as a natural and broad security guarantee. We believe that robustness against such well-defined classes of adversaries is an important stepping stone towards fully resistant deep learning models. 1

Adversarial training (AT) is one of the most effective ways for improving the robustness of deep convolution neural networks (CNNs). Just like common network training, the effectiveness of AT relies on the design of basic network components. In this paper, we conduct an in-depth study on the role of the basic ReLU activation component in AT for robust CNNs. We find that the spatially-shared and input-independent properties of ReLU activation make CNNs less robust to white-box adversarial attacks with either standard or adversarial training. To address this problem, we extend ReLU to a novel Sparta activation function (Spatially attentive and Adversarially Robust Activation), which enables CNNs to achieve both higher robustness, i.e., lower error rate on adversarial examples, and higher accuracy, i.e., lower error rate on clean examples, than the existing state-of-the-art (SOTA) activation functions. We further study the relationship between Sparta and the SOTA activation functions, providing more insights about the advantages of our method. With comprehensive experiments, we also find that the proposed method exhibits superior cross-CNN and cross-dataset transferability. For the former, the adversarially trained Sparta function for one CNN (e.g., ResNet-18) can be fixed and directly used to train another adversarially robust CNN (e.g., ResNet-34). For the latter, the Sparta function trained on one dataset (e.g., CIFAR-10) can be employed to train adversarially robust CNNs on another dataset (e.g., SVHN). In both cases, Sparta leads to CNNs with higher robustness than the vanilla ReLU, verifying the flexibility and versatility of the proposed method.

深度神经网络已被证明容易受到对抗图像的影响。常规攻击努力争取严格限制扰动的不可分割的对抗图像。最近，研究人员已采取行动探索可区分但非奇异的对抗图像，并证明色彩转化攻击是有效的。在这项工作中，我们提出了对抗颜色过滤器（ADVCF），这是一种新颖的颜色转换攻击，在简单颜色滤波器的参数空间中通过梯度信息进行了优化。特别是，明确指定了我们的颜色滤波器空间，以便从攻击和防御角度来对对抗性色转换进行系统的鲁棒性分析。相反，由于缺乏这种明确的空间，现有的颜色转换攻击并不能为系统分析提供机会。我们通过用户研究进一步进行了对成功率和图像可接受性的不同颜色转化攻击之间的广泛比较。其他结果为在另外三个视觉任务中针对ADVCF的模型鲁棒性提供了有趣的新见解。我们还强调了ADVCF的人类解剖性，该advcf在实际使用方案中有希望，并显示出比对图像可接受性和效率的最新人解释的色彩转化攻击的优越性。

随着图像识别中深度学习模型的快速发展和使用的增加，安全成为其在安全至关重要系统中的部署的主要关注点。由于深度学习模型的准确性和鲁棒性主要归因于训练样本的纯度，因此，深度学习体系结构通常容易受到对抗性攻击的影响。对抗性攻击通常是通过对正常图像的微妙扰动而获得的，正常图像对人类最不可感知，但可能会严重混淆最新的机器学习模型。我们提出了一个名为Apudae的框架，利用DeNoing AutoCoders（DAES）通过以自适应方式使用这些样品来纯化这些样本，从而提高了已攻击目标分类器网络的分类准确性。我们还展示了如何自适应地使用DAE，而不是直接使用它们，而是进一步提高分类精度，并且更强大，可以设计自适应攻击以欺骗它们。我们在MNIST，CIFAR-10，Imagenet数据集上展示了我们的结果，并展示了我们的框架（Apudae）如何在净化对手方面提供可比性和在大多数情况下的基线方法。我们还设计了专门设计的自适应攻击，以攻击我们的净化模型，并展示我们的防御方式如何强大。

深度学习（DL）在许多与人类相关的任务中表现出巨大的成功，这导致其在许多计算机视觉的基础应用中采用，例如安全监控系统，自治车辆和医疗保健。一旦他们拥有能力克服安全关键挑战，这种安全关键型应用程序必须绘制他们的成功部署之路。在这些挑战中，防止或/和检测对抗性实例（AES）。对手可以仔细制作小型，通常是难以察觉的，称为扰动的噪声被添加到清洁图像中以产生AE。 AE的目的是愚弄DL模型，使其成为DL应用的潜在风险。在文献中提出了许多测试时间逃避攻击和对策，即防御或检测方法。此外，还发布了很少的评论和调查，理论上展示了威胁的分类和对策方法，几乎​​没有焦点检测方法。在本文中，我们专注于图像分类任务，并试图为神经网络分类器进行测试时间逃避攻击检测方法的调查。对此类方法的详细讨论提供了在四个数据集的不同场景下的八个最先进的探测器的实验结果。我们还为这一研究方向提供了潜在的挑战和未来的观点。

人类严重依赖于形状信息来识别对象。相反，卷积神经网络（CNNS）偏向于纹理。这也许是CNNS易受对抗性示例的影响的主要原因。在这里，我们探索如何将偏差纳入CNN，以提高其鲁棒性。提出了两种算法，基于边缘不变，以中等难以察觉的扰动。在第一个中，分类器在具有边缘图作为附加信道的图像上进行前列地培训。在推断时间，边缘映射被重新计算并连接到图像。在第二算法中，训练了条件GaN，以将边缘映射从干净和/或扰动图像转换为清洁图像。推断在与输入的边缘图对应的生成图像上完成。超过10个数据集的广泛实验证明了算法对FGSM和$ \ ELL_ infty $ PGD-40攻击的有效性。此外，我们表明a）边缘信息还可以使其他对抗训练方法有益，并且B）在边缘增强输入上培训的CNNS对抗自然图像损坏，例如运动模糊，脉冲噪声和JPEG压缩，而不是仅培训的CNNS RGB图像。从更广泛的角度来看，我们的研究表明，CNN不会充分占对鲁棒性至关重要的图像结构。代码可用：〜\ url {https://github.com/aliborji/shapedefense.git}。

Adaptive attacks have (rightfully) become the de facto standard for evaluating defenses to adversarial examples. We find, however, that typical adaptive evaluations are incomplete. We demonstrate that thirteen defenses recently published at ICLR, ICML and NeurIPS-and which illustrate a diverse set of defense strategies-can be circumvented despite attempting to perform evaluations using adaptive attacks. While prior evaluation papers focused mainly on the end result-showing that a defense was ineffective-this paper focuses on laying out the methodology and the approach necessary to perform an adaptive attack. Some of our attack strategies are generalizable, but no single strategy would have been sufficient for all defenses. This underlines our key message that adaptive attacks cannot be automated and always require careful and appropriate tuning to a given defense. We hope that these analyses will serve as guidance on how to properly perform adaptive attacks against defenses to adversarial examples, and thus will allow the community to make further progress in building more robust models.

深度卷积神经网络（CNN）很容易被输入图像的细微，不可察觉的变化所欺骗。为了解决此漏洞，对抗训练会创建扰动模式，并将其包括在培训设置中以鲁棒性化模型。与仅使用阶级有限信息的现有对抗训练方法（例如，使用交叉渗透损失）相反，我们建议利用功能空间中的其他信息来促进更强的对手，这些信息又用于学习强大的模型。具体来说，我们将使用另一类的目标样本的样式和内容信息以及其班级边界信息来创建对抗性扰动。我们以深入监督的方式应用了我们提出的多任务目标，从而提取了多尺度特征知识，以创建最大程度地分开对手。随后，我们提出了一种最大边缘对抗训练方法，该方法可最大程度地减少源图像与其对手之间的距离，并最大程度地提高对手和目标图像之间的距离。与最先进的防御能力相比，我们的对抗训练方法表明了强大的鲁棒性，可以很好地推广到自然发生的损坏和数据分配变化，并保留了清洁示例的模型准确性。