An Adaptive View of Adversarial Robustness from Test-time Smoothing Defense
The safety and robustness of learning-based decision-making systems are under
threat from adversarial examples, as imperceptible perturbations can mislead
neural networks to completely different outputs. In this paper, we present an
adaptive view of the issue by evaluating various test-time smoothing defenses
against white-box untargeted adversarial examples. Through controlled
experiments with pretrained ResNet-152 on ImageNet, we first illustrate the
non-monotonic relation between adversarial attacks and smoothing defenses. Then
at the dataset level, we observe large variance among samples and show that it
is easy to inflate accuracy (even to 100%) or build large-scale (i.e., with
size ~10^4) subsets on which a designated method outperforms others by a large
margin. Finally at the sample level, as different adversarial examples require
different degrees of defense, the potential advantages of iterative methods are
also discussed. We hope this paper reveals useful behaviors of test-time
defenses, which could help improve the evaluation process for adversarial
robustness in the future.
Comment: NeurIPS-2019 Workshop on Safety and Robustness in Decision Making
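
The abstract does not specify which smoothing defenses were evaluated; as one
concrete illustration, the sketch below implements a common test-time smoothing
scheme: averaging the classifier's softmax outputs over several Gaussian-noised
copies of the input. The function name smoothed_predict and the values of sigma
and n_samples are illustrative assumptions, not details from the paper.

    # Minimal sketch of one test-time smoothing defense (an assumed scheme,
    # not the paper's exact method): average softmax outputs over several
    # Gaussian-perturbed copies of the input.
    import torch
    import torchvision.models as models

    def smoothed_predict(model, x, sigma=0.25, n_samples=32):
        """Classify a batch x of shape (B, 3, H, W) by averaging predictions
        over n_samples noisy copies. sigma and n_samples are illustrative."""
        model.eval()
        with torch.no_grad():
            probs = torch.zeros(x.size(0), 1000, device=x.device)  # ImageNet: 1000 classes
            for _ in range(n_samples):
                noisy = x + sigma * torch.randn_like(x)  # i.i.d. Gaussian perturbation
                probs += torch.softmax(model(noisy), dim=1)
        return (probs / n_samples).argmax(dim=1)

    # Usage with the pretrained ResNet-152 mentioned in the abstract:
    # model = models.resnet152(pretrained=True)
    # preds = smoothed_predict(model, images)  # images: a normalized ImageNet batch

The choice of sigma embodies the trade-off the paper probes: stronger smoothing
suppresses more of the perturbation but also degrades clean accuracy, and the
abstract's point that different adversarial examples require different degrees
of defense corresponds to different samples preferring different noise levels.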
Opportunities and Challenges in Deep Learning Adversarial Robustness: A Survey
As we seek to deploy machine learning models beyond virtual and controlled
domains, it is critical to analyze not only a model's accuracy, or the fact
that it works most of the time, but whether it is truly robust and reliable.
This paper studies strategies for implementing adversarially robust training
algorithms, toward guaranteeing safety in machine learning. We provide a
taxonomy to classify adversarial attacks and defenses, formulate the Robust
Optimization problem in a min-max setting, and divide it into three
subcategories, namely: Adversarial (re)Training, Regularization Approaches, and
Certified Defenses.
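For concreteness, this min-max problem is commonly written as follows (a
standard formulation with perturbation budget epsilon; the survey's exact
notation may differ):

    \min_{\theta} \; \mathbb{E}_{(x,y)\sim\mathcal{D}}
        \Big[ \max_{\|\delta\| \le \epsilon}
              \mathcal{L}\big( f_{\theta}(x+\delta),\, y \big) \Big]

The inner maximization models an attacker searching for the worst-case
perturbation within the budget, while the outer minimization trains the
parameters against it; the three subcategories differ mainly in how they
approximate, regularize, or certifiably bound that inner maximization.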
We survey the most recent and important results in adversarial example
generation and in defense mechanisms that use adversarial (re)training as their
main defense against perturbations. We also survey methods that add
regularization terms that change the behavior of the gradient, making it harder
for attackers to achieve their objective. Finally, we survey methods that
formally derive certificates of robustness, either by exactly solving the
optimization problem or by approximating it with upper or lower bounds. In
addition, we discuss the challenges faced by most of the recent algorithms and
present future research perspectives.
Comment: 20 pages, 9 figures, submitted to IEEE Transactions on Knowledge and
Data Engineering
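
As a sketch of the adversarial (re)training defense surveyed above, the snippet
below approximates the inner maximization with projected gradient descent (PGD)
and takes one training step on the resulting worst-case inputs. This is a
standard Madry-style instantiation under assumed settings, not code from the
survey; eps, alpha, and steps are illustrative hyperparameters.

    # Minimal sketch of adversarial (re)training: a PGD inner loop for the
    # maximization, followed by one ordinary training step (outer minimization).
    import torch
    import torch.nn.functional as F

    def pgd_attack(model, x, y, eps=8/255, alpha=2/255, steps=10):
        """Approximate the inner max with PGD inside an l_inf ball of radius eps."""
        delta = torch.zeros_like(x).uniform_(-eps, eps).requires_grad_(True)
        for _ in range(steps):
            loss = F.cross_entropy(model(x + delta), y)
            loss.backward()
            with torch.no_grad():
                delta += alpha * delta.grad.sign()  # gradient-ascent step on the loss
                delta.clamp_(-eps, eps)             # project back into the eps-ball
                # (for pixel inputs one would also clamp x + delta to the valid range)
            delta.grad.zero_()
        return (x + delta).detach()

    def adversarial_training_step(model, optimizer, x, y):
        """One outer-minimization step: fit the model on worst-case perturbed inputs."""
        x_adv = pgd_attack(model, x, y)
        optimizer.zero_grad()
        loss = F.cross_entropy(model(x_adv), y)
        loss.backward()
        optimizer.step()
        return loss.item()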