Deep learning is a standard tool in the field of high-energy physics, facilitating sensitivity enhancement in many analysis strategies. In particular, complex neural network architectures play a major role in the identification of physics objects, such as jet flavour tagging. However, these methods rely on accurate simulations. Mismodelling leads to non-negligible performance differences on data that need to be measured and calibrated. We investigate the classifier response to input data and probe the vulnerability of flavour tagging algorithms by applying adversarial attacks. Subsequently, we present an adversarial training strategy that mitigates the impact of such simulated attacks and improves classifier robustness. We investigate the relationship between performance and vulnerability and show that this method constitutes a promising approach to reduce the vulnerability to poor modelling.
Between 2015 and 2019, the members of the Horizon 2020-funded Innovative Training Network named "AMVA4NewPhysics" studied the customization and application of advanced multivariate analysis methods and statistical learning tools to high-energy physics problems, and developed entirely new ones. Many of these methods have been successfully used to improve the sensitivity of data analyses performed by the ATLAS and CMS experiments at the CERN Large Hadron Collider; several others, still in the testing phase, promise to further improve the precision of measurements of fundamental physics parameters and the reach of searches for new phenomena. In this paper, the most relevant new tools among those researched and developed are presented, together with an evaluation of their performance.
Recent work has demonstrated that deep neural networks are vulnerable to adversarial examples: inputs that are almost indistinguishable from natural data and yet classified incorrectly by the network. In fact, some of the latest findings suggest that the existence of adversarial attacks may be an inherent weakness of deep learning models. To address this problem, we study the adversarial robustness of neural networks through the lens of robust optimization. This approach provides us with a broad and unifying view on much of the prior work on this topic. Its principled nature also enables us to identify methods for both training and attacking neural networks that are reliable and, in a certain sense, universal. In particular, they specify a concrete security guarantee that would protect against any adversary. These methods let us train networks with significantly improved resistance to a wide range of adversarial attacks. They also suggest the notion of security against a first-order adversary as a natural and broad security guarantee. We believe that robustness against such well-defined classes of adversaries is an important stepping stone towards fully resistant deep learning models.
The authors thank Nicholas Carlini (UC Berkeley) and Dimitris Tsipras (MIT) for feedback to improve the survey quality. We also acknowledge X. Huang (Uni. Liverpool), K. R. Reddy (IISC), E. Valle (UNICAMP), Y. Yoo (CLAIR) and others for providing pointers to make the survey more comprehensive.
Deep neural networks are easily fooled by small perturbations known as adversarial attacks. Adversarial training (AT) approximately solves a robust optimization problem to minimize the worst-case loss and is widely regarded as the most effective defense against such attacks. Because generating strong adversarial examples is computationally expensive, single-step methods have been proposed to reduce training time. However, these methods suffer from catastrophic overfitting, where adversarial accuracy drops during training. Although improvements have been proposed, they increase training time and their robustness is far from that of multi-step methods. We develop a theoretical framework for adversarial training with Frank-Wolfe (FW) optimization (FW-AT) that reveals a geometric connection between the loss landscape and the $\ell_2$ distortion. We show analytically that high distortion of FW attacks is equivalent to small gradient variation along the attack path. Experiments on various deep neural network architectures then demonstrate that $\ell_\infty$ attacks against robust models achieve near-maximal $\ell_2$ distortion, while standard networks exhibit lower distortion. Furthermore, experiments show that catastrophic overfitting is strongly correlated with low distortion of FW attacks. To demonstrate the utility of our theoretical framework, we develop FW-AT-Adapt, a new adversarial training algorithm that uses a simple distortion measure to adapt the number of attack steps, increasing efficiency without compromising robustness. FW-AT-Adapt provides training time on par with single-step fast adversarial training methods and closes the gap to multi-step PGD with minimal loss in adversarial accuracy in both white-box and black-box settings.
Deep neural networks (DNNs) are known to be vulnerable to adversarial examples crafted with imperceptible perturbations, i.e., tiny changes to an input image cause misclassification, which threatens the reliability of deployed systems based on deep learning. Adversarial training (AT) is often adopted to improve the robustness of DNNs by training on a mixture of corrupted and clean data. However, most AT-based methods are ineffective at handling transferred adversarial examples, which are generated to fool a variety of defense models, and thus cannot meet the generalization requirements posed by real-world scenarios. Moreover, adversarially trained defense models generally cannot produce interpretable predictions on perturbed inputs, while domain experts in different fields need a highly interpretable robust model to understand the behaviour of DNNs. In this work, we propose a method based on the Jacobian norm and Selective Input Gradient Regularization (J-SIGR), which promotes linearized robustness through Jacobian normalization and also regularizes perturbation-based saliency maps so that they imitate the model's interpretable predictions. In this way, we improve both the defense capability and the interpretability of DNNs. Finally, we evaluate our method across different architectures against powerful adversarial attacks. Experiments show that the proposed J-SIGR confers robustness against transferred adversarial attacks, and we also show that the predictions of the neural network are easy to interpret.
In this discussion paper, we survey recent research on the robustness of machine learning models. As learning algorithms become increasingly popular in data-driven control systems, it is essential to ensure their robustness to data uncertainty in order to maintain reliable safety-critical operation. We first review common formalisms of such robustness, and then discuss popular and state-of-the-art techniques for training robust machine learning models as well as methods for provably certifying such robustness. From this unification of robust machine learning, we identify and discuss pressing directions for future research in the area.
In recent years there has been a concurrent and significant improvement in the medical images used to facilitate diagnosis and in the performance of machine learning techniques for tasks such as classification, detection, and segmentation. As a result, a rapid increase in the usage of such systems can be observed in the healthcare industry, for instance in the form of medical image classification systems, where these models have achieved diagnostic parity with human physicians. One such application is the computer vision task of classifying skin lesions in dermatoscopic images. However, as stakeholders in the healthcare industry, such as insurance companies, continue to invest extensively in machine learning infrastructure, it becomes increasingly important to understand the vulnerabilities in such systems. Due to the highly critical nature of the tasks carried out by these machine learning models, it is necessary to analyze techniques that could be used to take advantage of these vulnerabilities, and methods to defend against them. This paper explores common adversarial attack techniques. The Fast Gradient Sign Method (FGSM) and Projected Gradient Descent (PGD) are used against a Convolutional Neural Network trained to classify dermatoscopic images of skin lesions. Following that, it also discusses one of the most popular adversarial defense techniques, adversarial training. The performance of the model trained on adversarial examples is then tested against the previously mentioned attacks, and recommendations for improving neural network robustness are provided based on the results of the experiment.
Although deep neural networks (DNNs) have achieved great success in many tasks, they can often be fooled by adversarial examples that are generated by adding small but purposeful distortions to natural examples. Previous studies to defend against adversarial examples mostly focused on refining the DNN models, but have either shown limited success or required expensive computation. We propose a new strategy, feature squeezing, that can be used to harden DNN models by detecting adversarial examples. Feature squeezing reduces the search space available to an adversary by coalescing samples that correspond to many different feature vectors in the original space into a single sample. By comparing a DNN model's prediction on the original input with that on squeezed inputs, feature squeezing detects adversarial examples with high accuracy and few false positives. This paper explores two feature squeezing methods: reducing the color bit depth of each pixel and spatial smoothing. These simple strategies are inexpensive and complementary to other defenses, and can be combined in a joint detection framework to achieve high detection rates against state-of-the-art attacks.
We propose transferability from Large Geometric Vicinity (LGV), a new technique to improve the transferability of black-box adversarial attacks. LGV starts from a pretrained surrogate model and collects multiple weight sets from a few additional training epochs with a constant and high learning rate. LGV exploits two geometric properties that we relate to transferability. First, models that belong to a wider weight optimum are better surrogates. Second, we identify a subspace able to generate an effective surrogate ensemble within this wider optimum. Through extensive experiments, we show that LGV alone outperforms all (combinations of) four established test-time transformations. Our findings shed new light on the importance of geometry in explaining the transferability of adversarial examples.
IceCube is a cubic-kilometre array of optical sensors for detecting atmospheric and astrophysical neutrinos between 1 GeV and 1 PeV, deployed 1.45 km to 2.45 km below the surface of the Antarctic ice sheet. The classification and reconstruction of events from the in-ice detector play a central role in IceCube data analysis. Reconstructing and classifying events is a challenge due to the detector geometry, the inhomogeneous scattering and absorption of light in the ice, and, below 100 GeV, the relatively small number of signal photons produced per event. To address this challenge, IceCube events can be represented as point-cloud graphs, with graph neural networks (GNNs) as the classification and reconstruction method. GNNs are able to distinguish neutrino events from cosmic-ray backgrounds, classify different neutrino event types, and reconstruct the deposited energy, direction and interaction vertex. Based on simulation, we provide a comparison in the 1-100 GeV energy range to the state-of-the-art maximum likelihood techniques used in current IceCube analyses, including the impact of known systematic uncertainties. For neutrino event classification, the GNN increases the signal efficiency by 18% at a fixed false positive rate (FPR) compared to the current IceCube method. Alternatively, the GNN reduces the FPR by more than a factor of 8 (to below half a percent) at a fixed signal efficiency. For the reconstruction of energy, direction and interaction vertex, the resolution improves by 13%-20% on average compared to current maximum likelihood techniques. When run on a GPU, the GNN is able to process IceCube events at a rate nearly equal to the median IceCube trigger rate of 2.7 kHz, which opens the possibility of using low-energy neutrinos in online searches for transient events.
Adversarial training has been empirically shown to be more prone to overfitting than standard training. The exact underlying reasons still need to be fully understood. In this paper, we identify one cause of overfitting related to current practices of generating adversarial samples from misclassified samples. To address this, we propose an alternative approach that leverages the misclassified samples to mitigate the overfitting problem. We show that our approach achieves better generalization while having comparable robustness to state-of-the-art adversarial training methods on a wide range of computer vision, natural language processing, and tabular tasks.
Neuroscientists and machine learning researchers often cite adversarial examples as an instance of how computational models diverge from biological sensory systems. Recent work has proposed adding biologically inspired components to visual neural networks as a way to improve their adversarial robustness. One surprisingly effective component for reducing adversarial vulnerability is response stochasticity, like that exhibited by biological neurons. Here, using recently developed geometric techniques from computational neuroscience, we investigate how adversarial perturbations affect the internal representations of standard, adversarially trained, and biologically inspired stochastic networks. We find distinct geometric signatures for each type of network, revealing different mechanisms for achieving robust representations. Next, we generalize these results to the auditory domain, showing that neural stochasticity also makes auditory models more robust to adversarial perturbations. Geometric analysis of the stochastic networks reveals overlap between the representations of clean and adversarially perturbed stimuli, and quantitatively demonstrates that competing geometric effects of stochasticity mediate a trade-off between adversarial and clean performance. Our results shed light on the strategies of robust perception used by adversarially trained and stochastic networks, and help explain how stochasticity may be beneficial to machine and biological computation.
Neuromorphic neural network processors, in the form of compute-in-memory crossbar arrays or of sub-threshold analog and mixed-signal ASICs, promise enormous advantages in compute density and energy efficiency for NN-based ML tasks. However, these technologies are prone to computational non-idealities due to process variation and intrinsic device physics. This degrades the task performance of networks deployed to the processor by introducing parameter noise into the deployed model. While it is possible to calibrate each device or to train networks individually for each processor, these approaches are expensive and impractical for commercial deployment. Alternative methods are therefore needed to train networks that are inherently robust to parameter variation as a consequence of their architecture and parameters. We present a new adversarial network optimisation algorithm that attacks network parameters during training and promotes robust performance during inference in the face of parameter variation. Our approach introduces a regularization term that penalises the sensitivity of a network to weight perturbations. We compare against previous approaches for producing parameter insensitivity, such as dropout, weight smoothing and introducing parameter noise during training. We show that our approach produces models that are more robust to targeted parameter variation and equally robust to random parameter variation. Compared with other approaches, our method finds minima in flatter regions of the weight-loss landscape, highlighting that the networks found by our technique are less sensitive to parameter perturbation. Our work provides an approach to deploy neural network architectures to inference devices that suffer from computational non-idealities, with minimal loss of performance. ...
Despite the efficiency and scalability of machine learning systems, recent studies have shown that many classification methods, especially deep neural networks (DNNs), are vulnerable to adversarial examples; i.e., examples carefully crafted to fool a well-trained classification model while being indistinguishable from natural data to humans. This makes it potentially unsafe to apply DNNs or related methods in security-critical areas. Since this issue was identified by Biggio et al. (2013) and Szegedy et al. (2014), much work has been done in this field, including the development of attack methods to generate adversarial examples and the construction of defense techniques to guard against them. This paper aims to introduce this topic and its latest developments to the statistical community, focusing primarily on the generation and guarding of adversarial examples. The computing code (in Python and R) used in the numerical experiments is publicly available for readers to explore the surveyed methods. The authors hope that this paper will encourage more statisticians to work in the important and exciting field of generating and defending against adversarial examples.
Adaptive attacks have (rightfully) become the de facto standard for evaluating defenses to adversarial examples. We find, however, that typical adaptive evaluations are incomplete. We demonstrate that thirteen defenses recently published at ICLR, ICML and NeurIPS, which illustrate a diverse set of defense strategies, can be circumvented despite attempting to perform evaluations using adaptive attacks. While prior evaluation papers focused mainly on the end result (showing that a defense was ineffective), this paper focuses on laying out the methodology and the approach necessary to perform an adaptive attack. Some of our attack strategies are generalizable, but no single strategy would have been sufficient for all defenses. This underlines our key message that adaptive attacks cannot be automated and always require careful and appropriate tuning to a given defense. We hope that these analyses will serve as guidance on how to properly perform adaptive attacks against defenses to adversarial examples, and thus will allow the community to make further progress in building more robust models.
Recently, Wong et al. showed that adversarial training with single-step FGSM leads to a characteristic failure mode named catastrophic overfitting (CO), in which a model suddenly becomes vulnerable to multi-step attacks. They showed that adding a random perturbation prior to FGSM (RS-FGSM) seemed to be sufficient to prevent CO. However, Andriushchenko and Flammarion observed that RS-FGSM still leads to CO for larger perturbations, and proposed an expensive regularizer (GradAlign) to avoid CO. In this work, we methodically revisit the role of noise and clipping in single-step adversarial training. Contrary to previous intuitions, we find that using stronger noise around the clean sample, combined with not clipping, is highly effective at avoiding CO for large perturbation radii. Based on these observations, we propose Noise-FGSM (N-FGSM), which retains the benefits of single-step adversarial training. Empirical analyses on a large suite of experiments show that N-FGSM is able to match or surpass the performance of previous single-step methods while achieving a 3$\times$ speed-up. Code can be found at https://github.com/pdejorge/n-fgsm
Despite the success of convolutional neural networks (CNNs) in many academic benchmarks for computer vision tasks, their application in the real world still faces fundamental challenges. One of these open problems is the inherent lack of robustness, unveiled by the striking effectiveness of adversarial attacks. Current attack methods are able to manipulate the network's prediction by adding specific but small amounts of noise to the input. In turn, adversarial training (AT) aims to achieve robustness against such attacks, and ideally a better model generalization ability, by including adversarial samples in the training set. However, an in-depth analysis of the resulting robust models beyond adversarial robustness is still pending. In this paper, we empirically analyze a variety of adversarially trained models that achieve high robust accuracies when facing state-of-the-art attacks, and we show that AT has an interesting side effect: it leads to models that are significantly less overconfident in their decisions, even on clean data, than non-robust models. Further, our analysis of robust models shows that not only AT but also the model's building blocks (like activation functions and pooling) have a strong influence on the models' prediction confidences. Data & Project website: https://github.com/GeJulia/robustness_confidences_evaluation
Adversarial training is widely used to improve the robustness of deep neural networks to adversarial attacks. However, adversarial training is prone to overfitting, and the cause is far from clear. This work sheds light on the mechanisms underlying overfitting by analyzing the loss landscape w.r.t. the input. We find that robust overfitting results from standard training, specifically the minimization of the clean loss, and can be mitigated by regularization of the loss gradients. Moreover, we find that robust overfitting becomes more severe during adversarial training partially because the gradient regularization effect of adversarial training weakens as the curvature of the loss landscape increases. To improve robust generalization, we propose a new regularizer that smooths the loss landscape by penalizing the weighted logits variation along the adversarial direction. Our method significantly mitigates robust overfitting and achieves the highest robustness and efficiency compared to similar previous methods. Code is available at https://github.com/TreeLLi/Combating-RO-AdvLC.
Speaker recognition systems (SRSs) have recently been shown to be vulnerable to adversarial attacks, raising significant security concerns. In this work, we systematically investigate transformation- and adversarial-training-based defenses for securing SRSs. According to the characteristics of SRSs, we present 22 diverse transformations and thoroughly evaluate them using 7 recent promising adversarial attacks (4 white-box and 3 black-box) on speaker recognition. With careful regard for best practices in defense evaluation, we analyze the strength of the transformations to withstand adaptive attacks. We also evaluate and understand their effectiveness against adaptive attacks when combined with adversarial training. Our study provides many useful insights and findings, many of which are new or inconsistent with the conclusions in the image and speech recognition domains, e.g., variable and constant bit rate speech compression have different performance, and some non-differentiable transformations remain effective against current promising evasion techniques that usually work well in the image domain. We demonstrate that the proposed novel feature-level transformation combined with adversarial training is rather effective compared to adversarial training alone in the complete white-box setting, e.g., increasing the accuracy by 13.62% and the attack cost by two orders of magnitude, while other transformations do not necessarily improve the overall defense capability. This work further sheds light on the research directions in this field. We also release our evaluation platform SpeakerGuard to foster further research.