Open Access · Posted Content

Square Attack: a query-efficient black-box adversarial attack via random search

TL;DR: The Square Attack is a score-based black-box attack that does not rely on local gradient information and thus is not affected by gradient masking, and can outperform gradient-based white-box attacks on the standard benchmarks, achieving a new state-of-the-art in terms of the success rate.
Abstract
We propose the Square Attack, a score-based black-box $l_2$- and $l_\infty$-adversarial attack that does not rely on local gradient information and thus is not affected by gradient masking. Square Attack is based on a randomized search scheme which selects localized square-shaped updates at random positions so that at each iteration the perturbation is situated approximately at the boundary of the feasible set. Our method is significantly more query efficient and achieves a higher success rate compared to the state-of-the-art methods, especially in the untargeted setting. In particular, on ImageNet we improve the average query efficiency in the untargeted setting for various deep networks by a factor of at least $1.8$ and up to $3$ compared to the recent state-of-the-art $l_\infty$-attack of Al-Dujaili & O'Reilly. Moreover, although our attack is black-box, it can also outperform gradient-based white-box attacks on the standard benchmarks achieving a new state-of-the-art in terms of the success rate. The code of our attack is available at this https URL.


Citations
Posted Content

Reliable evaluation of adversarial robustness with an ensemble of diverse parameter-free attacks

TL;DR: Two extensions of the PGD-attack overcoming failures due to suboptimal step size and problems of the objective function are proposed and combined with two complementary existing ones to form a parameter-free, computationally affordable and user-independent ensemble of attacks to test adversarial robustness.
Posted Content

Adversarial Weight Perturbation Helps Robust Generalization

TL;DR: This paper proposes a simple yet effective Adversarial Weight Perturbation (AWP) to explicitly regularize the flatness of weight loss landscape, forming a double-perturbation mechanism in the adversarial training framework that adversarially perturbs both inputs and weights.
Posted Content

RobustBench: a standardized adversarial robustness benchmark

TL;DR: This work evaluates robustness of models for their benchmark with AutoAttack, an ensemble of white- and black-box attacks which was recently shown in a large-scale study to improve almost all robustness evaluations compared to the original publications.
Posted Content

Uncovering the Limits of Adversarial Training against Norm-Bounded Adversarial Examples

TL;DR: This paper systematically studies the effect of different training losses, model sizes, activation functions, the addition of unlabeled data (through pseudo-labeling) and other factors on adversarial robustness, and discovers that it is possible to train robust models that go well beyond state-of-the-art results.
Proceedings Article

Confidence-Calibrated Adversarial Training: Generalizing to Unseen Attacks

TL;DR: The confidence-calibrated adversarial training (CCAT) tackles this problem by biasing the model towards low confidence predictions on adversarial examples, allowing to reject examples with low confidence, which generalizes beyond the threat model employed during training.
References
Book

Convex Optimization

TL;DR: This book gives a comprehensive introduction to convex optimization; its focus is on recognizing convex optimization problems and then finding the most appropriate technique for solving them, rather than on the optimization problems themselves.
Posted Content

Towards Deep Learning Models Resistant to Adversarial Attacks

TL;DR: This work studies the adversarial robustness of neural networks through the lens of robust optimization, and suggests the notion of security against a first-order adversary as a natural and broad security guarantee.
Proceedings Article

Towards Deep Learning Models Resistant to Adversarial Attacks

TL;DR: This article studied the adversarial robustness of neural networks through the lens of robust optimization and identified methods for both training and attacking neural networks that are reliable and, in a certain sense, universal.
Book

Problem complexity and method efficiency in optimization

TL;DR: This book studies the intrinsic complexity of optimization problems and the efficiency of the methods used to solve them, relating the two to establish what performance an optimization method can achieve.
Proceedings Article

Adversarial Examples Are Not Easily Detected: Bypassing Ten Detection Methods

TL;DR: In this paper, the authors survey ten recent proposals for detecting adversarial examples and compare their efficacy, concluding that all of them can be defeated by constructing new loss functions, and propose several simple guidelines for evaluating future proposed defenses.