深度神经网络已成为现代图像识别系统的驱动力。然而，神经网络对抗对抗性攻击的脆弱性对受这些系统影响的人构成严重威胁。在本文中，我们专注于一个真实的威胁模型，中间对手恶意拦截和erturbs网页用户上传在线。这种类型的攻击可以在简单的性能下降之上提高严重的道德问题。为了防止这种攻击，我们设计了一种新的双层优化算法，该算法在对抗对抗扰动的自然图像附近找到点。CiFar-10和Imagenet的实验表明我们的方法可以有效地强制在给定的修改预算范围内的自然图像。我们还显示所提出的方法可以在共同使用随机平滑时提高鲁棒性。

Recent work has demonstrated that deep neural networks are vulnerable to adversarial examples-inputs that are almost indistinguishable from natural data and yet classified incorrectly by the network. In fact, some of the latest findings suggest that the existence of adversarial attacks may be an inherent weakness of deep learning models. To address this problem, we study the adversarial robustness of neural networks through the lens of robust optimization. This approach provides us with a broad and unifying view on much of the prior work on this topic. Its principled nature also enables us to identify methods for both training and attacking neural networks that are reliable and, in a certain sense, universal. In particular, they specify a concrete security guarantee that would protect against any adversary. These methods let us train networks with significantly improved resistance to a wide range of adversarial attacks. They also suggest the notion of security against a first-order adversary as a natural and broad security guarantee. We believe that robustness against such well-defined classes of adversaries is an important stepping stone towards fully resistant deep learning models. 1

This paper investigates recently proposed approaches for defending against adversarial examples and evaluating adversarial robustness. We motivate adversarial risk as an objective for achieving models robust to worst-case inputs. We then frame commonly used attacks and evaluation metrics as defining a tractable surrogate objective to the true adversarial risk. This suggests that models may optimize this surrogate rather than the true adversarial risk. We formalize this notion as obscurity to an adversary, and develop tools and heuristics for identifying obscured models and designing transparent models. We demonstrate that this is a significant problem in practice by repurposing gradient-free optimization techniques into adversarial attacks, which we use to decrease the accuracy of several recently proposed defenses to near zero. Our hope is that our formulations and results will help researchers to develop more powerful defenses.

在本讨论文件中，我们调查了有关机器学习模型鲁棒性的最新研究。随着学习算法在数据驱动的控制系统中越来越流行，必须确保它们对数据不确定性的稳健性，以维持可靠的安全至关重要的操作。我们首先回顾了这种鲁棒性的共同形式主义，然后继续讨论训练健壮的机器学习模型的流行和最新技术，以及可证明这种鲁棒性的方法。从强大的机器学习的这种统一中，我们识别并讨论了该地区未来研究的迫切方向。

We identify a trade-off between robustness and accuracy that serves as a guiding principle in the design of defenses against adversarial examples. Although this problem has been widely studied empirically, much remains unknown concerning the theory underlying this trade-off. In this work, we decompose the prediction error for adversarial examples (robust error) as the sum of the natural (classification) error and boundary error, and provide a differentiable upper bound using the theory of classification-calibrated loss, which is shown to be the tightest possible upper bound uniform over all probability distributions and measurable predictors. Inspired by our theoretical analysis, we also design a new defense method, TRADES, to trade adversarial robustness off against accuracy. Our proposed algorithm performs well experimentally in real-world datasets. The methodology is the foundation of our entry to the NeurIPS 2018 Adversarial Vision Challenge in which we won the 1st place out of ~2,000 submissions, surpassing the runner-up approach by 11.41% in terms of mean 2 perturbation distance.

我们提出了一种新颖且有效的纯化基于纯化的普通防御方法，用于预处理盲目的白色和黑匣子攻击。我们的方法仅在一般图像上进行了自我监督学习，在计算上效率和培训，而不需要对分类模型的任何对抗训练或再培训。我们首先显示对原始图像与其对抗示例之间的残余的对抗噪声的实证分析，几乎均为对称分布。基于该观察，我们提出了一种非常简单的迭代高斯平滑（GS），其可以有效地平滑对抗性噪声并实现大大高的鲁棒精度。为了进一步改进它，我们提出了神经上下文迭代平滑（NCIS），其以自我监督的方式列举盲点网络（BSN）以重建GS也平滑的原始图像的辨别特征。从我们使用四种分类模型对大型想象成的广泛实验，我们表明我们的方法既竞争竞争标准精度和最先进的强大精度，则针对最强大的净化器 - 盲目的白色和黑匣子攻击。此外，我们提出了一种用于评估基于商业图像分类API的纯化方法的新基准，例如AWS，Azure，Clarifai和Google。我们通过基于集合转移的黑匣子攻击产生对抗性实例，这可以促进API的完全错误分类，并证明我们的方法可用于增加API的抗逆性鲁棒性。

虽然深度神经网络在各种任务中表现出前所未有的性能，但对对抗性示例的脆弱性阻碍了他们在安全关键系统中的部署。许多研究表明，即使在黑盒设置中也可能攻击，其中攻击者无法访问目标模型的内部信息。大多数黑匣子攻击基于查询，每个都可以获得目标模型的输入输出，并且许多研究侧重于减少所需查询的数量。在本文中，我们注意了目标模型的输出完全对应于查询输入的隐含假设。如果将某些随机性引入模型中，它可以打破假设，因此，基于查询的攻击可能在梯度估计和本地搜索中具有巨大的困难，这是其攻击过程的核心。从这种动机来看，我们甚至观察到一个小的添加剂输入噪声可以中和大多数基于查询的攻击和名称这个简单但有效的方法小噪声防御（SND）。我们分析了SND如何防御基于查询的黑匣子攻击，并展示其与CIFAR-10和ImageNet数据集的八种最先进的攻击有效性。即使具有强大的防御能力，SND几乎保持了原始的分类准确性和计算速度。通过在推断下仅添加一行代码，SND很容易适用于预先训练的模型。

深度卷积神经网络（CNN）很容易被输入图像的细微，不可察觉的变化所欺骗。为了解决此漏洞，对抗训练会创建扰动模式，并将其包括在培训设置中以鲁棒性化模型。与仅使用阶级有限信息的现有对抗训练方法（例如，使用交叉渗透损失）相反，我们建议利用功能空间中的其他信息来促进更强的对手，这些信息又用于学习强大的模型。具体来说，我们将使用另一类的目标样本的样式和内容信息以及其班级边界信息来创建对抗性扰动。我们以深入监督的方式应用了我们提出的多任务目标，从而提取了多尺度特征知识，以创建最大程度地分开对手。随后，我们提出了一种最大边缘对抗训练方法，该方法可最大程度地减少源图像与其对手之间的距离，并最大程度地提高对手和目标图像之间的距离。与最先进的防御能力相比，我们的对抗训练方法表明了强大的鲁棒性，可以很好地推广到自然发生的损坏和数据分配变化，并保留了清洁示例的模型准确性。

深度卷积神经网络可以准确地分类各种自然图像，但是在设计时可能很容易被欺骗，图像中嵌入了不可察觉的扰动。在本文中，我们设计了一种多管齐下的培训，输入转换和图像集成系统，该系统是攻击不可知论的，不容易估计。我们的系统结合了两个新型功能。第一个是一个转换层，该转换层从集体级训练数据示例中计算级别的多项式内核，并且迭代更新在推理时间上基于其特征内核差异的输入图像副本，以创建转换后的输入集合。第二个是一个分类系统，该系统将未防御网络的预测结合在一起，对被过滤图像的合奏进行了硬投票。我们在CIFAR10数据集上的评估显示，我们的系统提高了未防御性网络在不同距离指标下的各种有界和无限的白色盒子攻击的鲁棒性，同时牺牲了清洁图像的精度很小。反对自适应的全知攻击者创建端到端攻击，我们的系统成功地增强了对抗训练的网络的现有鲁棒性，为此，我们的方法最有效地应用了。

到目前为止对抗训练是抵御对抗例子的最有效的策略。然而，由于每个训练步骤中的迭代对抗性攻击，它遭受了高的计算成本。最近的研究表明，通过随机初始化执行单步攻击，可以实现快速的对抗训练。然而，这种方法仍然落后于稳定性和模型稳健性的最先进的对手训练算法。在这项工作中，我们通过观察随机平滑的随机初始化来更好地优化内部最大化问题，对快速对抗培训进行新的理解。在这种新的视角之后，我们还提出了一种新的初始化策略，向后平滑，进一步提高单步强大培训方法的稳定性和模型稳健性。多个基准测试的实验表明，我们的方法在使用更少的训练时间（使用相同的培训计划时，使用更少的培训时间（$ \ sim $ 3x改进）时，我们的方法达到了类似的模型稳健性。

Adversarial examples are perturbed inputs designed to fool machine learning models. Adversarial training injects such examples into training data to increase robustness. To scale this technique to large datasets, perturbations are crafted using fast single-step methods that maximize a linear approximation of the model's loss. We show that this form of adversarial training converges to a degenerate global minimum, wherein small curvature artifacts near the data points obfuscate a linear approximation of the loss. The model thus learns to generate weak perturbations, rather than defend against strong ones. As a result, we find that adversarial training remains vulnerable to black-box attacks, where we transfer perturbations computed on undefended models, as well as to a powerful novel single-step attack that escapes the non-smooth vicinity of the input data via a small random step. We further introduce Ensemble Adversarial Training, a technique that augments training data with perturbations transferred from other models. On ImageNet, Ensemble Adversarial Training yields models with stronger robustness to blackbox attacks. In particular, our most robust model won the first round of the NIPS 2017 competition on Defenses against Adversarial Attacks (Kurakin et al., 2017c). However, subsequent work found that more elaborate black-box attacks could significantly enhance transferability and reduce the accuracy of our models.

The evaluation of robustness against adversarial manipulation of neural networks-based classifiers is mainly tested with empirical attacks as methods for the exact computation, even when available, do not scale to large networks. We propose in this paper a new white-box adversarial attack wrt the l p -norms for p ∈ {1, 2, ∞} aiming at finding the minimal perturbation necessary to change the class of a given input. It has an intuitive geometric meaning, yields quickly high quality results, minimizes the size of the perturbation (so that it returns the robust accuracy at every threshold with a single run). It performs better or similar to stateof-the-art attacks which are partially specialized to one l p -norm, and is robust to the phenomenon of gradient masking.

最近的研究表明，深度神经网络（DNNS）极易受到精心设计的对抗例子的影响。对那些对抗性例子的对抗性学习已被证明是防御这种攻击的最有效方法之一。目前，大多数现有的对抗示例生成方法基于一阶梯度，这几乎无法进一步改善模型的鲁棒性，尤其是在面对二阶对抗攻击时。与一阶梯度相比，二阶梯度提供了相对于自然示例的损失格局的更准确近似。受此启发的启发，我们的工作制作了二阶的对抗示例，并使用它们来训练DNNS。然而，二阶优化涉及Hessian Inverse的耗时计算。我们通过将问题转换为Krylov子空间中的优化，提出了一种近似方法，该方法显着降低了计算复杂性以加快训练过程。在矿工和CIFAR-10数据集上进行的广泛实验表明，我们使用二阶对抗示例的对抗性学习优于其他FISRT-阶方法，这可以改善针对广泛攻击的模型稳健性。

对抗培训，培训具有对抗性数据的深层学习模型的过程，是深度学习模型中最成功的对抗性防御方法之一。我们发现，如果我们在推理阶段微调这一模型以适应对抗的输入，可以进一步提高对普遍训练模型的白箱攻击的鲁棒性，以适应对手输入，其中包含额外信息。我们介绍了一种算法，即“邮政列车”在原始输出类和“邻居”类之间的推断阶段的模型，具有现有培训数据。预训练的FAST-FGSM CIFAR10分类器基础模型对白盒预计梯度攻击（PGD）的准确性可以通过我们的算法显着提高46.8％至64.5％。

对抗性的鲁棒性已经成为深度学习的核心目标，无论是在理论和实践中。然而，成功的方法来改善对抗的鲁棒性（如逆势训练）在不受干扰的数据上大大伤害了泛化性能。这可能会对对抗性鲁棒性如何影响现实世界系统的影响（即，如果它可以提高未受干扰的数据的准确性），许多人可能选择放弃鲁棒性）。我们提出内插对抗培训，该培训最近雇用了在对抗培训框架内基于插值的基于插值的培训方法。在CiFar -10上，对抗性训练增加了标准测试错误（当没有对手时）从4.43％到12.32％，而我们的内插对抗培训我们保留了对抗性的鲁棒性，同时实现了仅6.45％的标准测试误差。通过我们的技术，强大模型标准误差的相对增加从178.1％降至仅为45.5％。此外，我们提供内插对抗性培训的数学分析，以确认其效率，并在鲁棒性和泛化方面展示其优势。

随机平滑是目前是最先进的方法，用于构建来自Neural Networks的可认真稳健的分类器，以防止$ \ ell_2 $ - vitersarial扰动。在范例下，分类器的稳健性与预测置信度对齐，即，对平滑分类器的较高的置信性意味着更好的鲁棒性。这使我们能够在校准平滑分类器的信仰方面重新思考准确性和鲁棒性之间的基本权衡。在本文中，我们提出了一种简单的训练方案，Coined Spiremix，通过自我混合来控制平滑分类器的鲁棒性：它沿着每个输入对逆势扰动方向进行样品的凸起组合。该提出的程序有效地识别过度自信，在平滑分类器的情况下，作为有限的稳健性的原因，并提供了一种直观的方法来自适应地在这些样本之间设置新的决策边界，以实现更好的鲁棒性。我们的实验结果表明，与现有的最先进的强大培训方法相比，该方法可以显着提高平滑分类器的认证$ \ ell_2 $ -toSpustness。

我们表明，当考虑到图像域$ [0,1] ^ D $时，已建立$ L_1 $ -Projected梯度下降（PGD）攻击是次优，因为它们不认为有效的威胁模型是交叉点$ l_1 $ -ball和$ [0,1] ^ d $。我们研究了这种有效威胁模型的最陡渐进步骤的预期稀疏性，并表明该组上的确切投影是计算可行的，并且产生更好的性能。此外，我们提出了一种自适应形式的PGD，即使具有小的迭代预算，这也是非常有效的。我们的结果$ l_1 $ -apgd是一个强大的白盒攻击，表明先前的作品高估了他们的$ l_1 $ -trobustness。使用$ l_1 $ -apgd for vercersarial培训，我们获得一个强大的分类器，具有sota $ l_1 $ -trobustness。最后，我们将$ l_1 $ -apgd和平方攻击的适应组合到$ l_1 $ to $ l_1 $ -autoattack，这是一个攻击的集合，可靠地评估$ l_1 $ -ball与$的威胁模型的对抗鲁棒性进行对抗[ 0,1] ^ d $。

The field of defense strategies against adversarial attacks has significantly grown over the last years, but progress is hampered as the evaluation of adversarial defenses is often insufficient and thus gives a wrong impression of robustness. Many promising defenses could be broken later on, making it difficult to identify the state-of-the-art. Frequent pitfalls in the evaluation are improper tuning of hyperparameters of the attacks, gradient obfuscation or masking. In this paper we first propose two extensions of the PGD-attack overcoming failures due to suboptimal step size and problems of the objective function. We then combine our novel attacks with two complementary existing ones to form a parameter-free, computationally affordable and user-independent ensemble of attacks to test adversarial robustness. We apply our ensemble to over 50 models from papers published at recent top machine learning and computer vision venues. In all except one of the cases we achieve lower robust test accuracy than reported in these papers, often by more than 10%, identifying several broken defenses.

已知深度神经网络（DNN）容易受到用不可察觉的扰动制作的对抗性示例的影响，即，输入图像的微小变化会引起错误的分类，从而威胁着基于深度学习的部署系统的可靠性。经常采用对抗训练（AT）来通过训练损坏和干净的数据的混合物来提高DNN的鲁棒性。但是，大多数基于AT的方法在处理\ textit {转移的对抗示例}方面是无效的，这些方法是生成以欺骗各种防御模型的生成的，因此无法满足现实情况下提出的概括要求。此外，对抗性训练一般的国防模型不能对具有扰动的输入产生可解释的预测，而不同的领域专家则需要一个高度可解释的强大模型才能了解DNN的行为。在这项工作中，我们提出了一种基于Jacobian规范和选择性输入梯度正则化（J-SIGR）的方法，该方法通过Jacobian归一化提出了线性化的鲁棒性，还将基于扰动的显着性图正规化，以模仿模型的可解释预测。因此，我们既可以提高DNN的防御能力和高解释性。最后，我们评估了跨不同体系结构的方法，以针对强大的对抗性攻击。实验表明，提出的J-Sigr赋予了针对转移的对抗攻击的鲁棒性，我们还表明，来自神经网络的预测易于解释。

Any classifier can be "smoothed out" under Gaussian noise to build a new classifier that is provably robust to $\ell_2$-adversarial perturbations, viz., by averaging its predictions over the noise via randomized smoothing. Under the smoothed classifiers, the fundamental trade-off between accuracy and (adversarial) robustness has been well evidenced in the literature: i.e., increasing the robustness of a classifier for an input can be at the expense of decreased accuracy for some other inputs. In this paper, we propose a simple training method leveraging this trade-off to obtain robust smoothed classifiers, in particular, through a sample-wise control of robustness over the training samples. We make this control feasible by using "accuracy under Gaussian noise" as an easy-to-compute proxy of adversarial robustness for an input. Specifically, we differentiate the training objective depending on this proxy to filter out samples that are unlikely to benefit from the worst-case (adversarial) objective. Our experiments show that the proposed method, despite its simplicity, consistently exhibits improved certified robustness upon state-of-the-art training methods. Somewhat surprisingly, we find these improvements persist even for other notions of robustness, e.g., to various types of common corruptions.