Adaptive attacks have (rightfully) become the de facto standard for
evaluating defenses to adversarial examples. We find, however, that typical
adaptive evaluations are incomplete. We demonstrate that thirteen defenses
recently published at ICLR, ICML and NeurIPS---and chosen for illustrative and
pedagogical purposes---can be circumvented despite attempting to perform
evaluations using adaptive attacks. While prior evaluation papers focused
mainly on the end result---showing that a defense was ineffective---this paper
focuses on laying out the methodology and the approach necessary to perform an
adaptive attack. We hope that these analyses will serve as guidance on how to
properly perform adaptive attacks against defenses to adversarial examples, and
thus will allow the community to make further progress in building more robust
models.
Beschreibung
[2002.08347] On Adaptive Attacks to Adversarial Example Defenses
%0 Journal Article
%1 tramer2020adaptive
%A Tramer, Florian
%A Carlini, Nicholas
%A Brendel, Wieland
%A Madry, Aleksander
%D 2020
%K adversarial readings
%T On Adaptive Attacks to Adversarial Example Defenses
%U http://arxiv.org/abs/2002.08347
%X Adaptive attacks have (rightfully) become the de facto standard for
evaluating defenses to adversarial examples. We find, however, that typical
adaptive evaluations are incomplete. We demonstrate that thirteen defenses
recently published at ICLR, ICML and NeurIPS---and chosen for illustrative and
pedagogical purposes---can be circumvented despite attempting to perform
evaluations using adaptive attacks. While prior evaluation papers focused
mainly on the end result---showing that a defense was ineffective---this paper
focuses on laying out the methodology and the approach necessary to perform an
adaptive attack. We hope that these analyses will serve as guidance on how to
properly perform adaptive attacks against defenses to adversarial examples, and
thus will allow the community to make further progress in building more robust
models.
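% arXiv preprint: the record names no journal, so it is typed @misc instead of
% @article (which requires a journal field). The arXiv identifier is stored in
% eprint/archiveprefix instead of as free text in note, and the URL uses https.
% added-at, biburl, interhash, intrahash and timestamp appear to be BibSonomy
% bookkeeping fields; standard styles ignore them.
@misc{tramer2020adaptive,
  author        = {Tramer, Florian and Carlini, Nicholas and Brendel, Wieland and Madry, Aleksander},
  title         = {On Adaptive Attacks to Adversarial Example Defenses},
  year          = {2020},
  eprint        = {2002.08347},
  archiveprefix = {arXiv},
  url           = {https://arxiv.org/abs/2002.08347},
  abstract      = {Adaptive attacks have (rightfully) become the de facto standard for
evaluating defenses to adversarial examples. We find, however, that typical
adaptive evaluations are incomplete. We demonstrate that thirteen defenses
recently published at ICLR, ICML and NeurIPS---and chosen for illustrative and
pedagogical purposes---can be circumvented despite attempting to perform
evaluations using adaptive attacks. While prior evaluation papers focused
mainly on the end result---showing that a defense was ineffective---this paper
focuses on laying out the methodology and the approach necessary to perform an
adaptive attack. We hope that these analyses will serve as guidance on how to
properly perform adaptive attacks against defenses to adversarial examples, and
thus will allow the community to make further progress in building more robust
models.},
  keywords      = {adversarial readings},
  description   = {[2002.08347] On Adaptive Attacks to Adversarial Example Defenses},
  added-at      = {2020-02-20T16:33:34.000+0100},
  timestamp     = {2020-02-26T02:09:26.000+0100},
  biburl        = {https://www.bibsonomy.org/bibtex/23487b17183511acdcd1ea837489e4327/kirk86},
  interhash     = {56016f417238fd81e8cec08d5c7bf919},
  intrahash     = {3487b17183511acdcd1ea837489e4327},
}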