Scaling up the Randomized Gradient-Free Adversarial Attack Reveals Overestimation of Robustness Using Established Attacks

Croce, Francesco; Rauber, Jonas; Hein, Matthias

doi:10.1007/s11263-019-01213-0

Cited by 51 publications

(88 citation statements)

References 20 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The most popular method to test adversarial robustness is the PGD (Projected Gradient Descent) attack (Madry et al, 2018), as it is computationally cheap and performs well in many cases. However, it has been shown that even PGD can fail (Mosbach et al, 2018;Croce et al, 2019b) leading to significant overestimation of robustness: we identify i) the fixed step size and ii) the widely used cross-entropy loss as two reasons for potential failure. As remedies we propose i) a new gradient-based scheme, Auto-PGD, which does not require a step size to be chosen (Sec.…”

Section: Introductionmentioning

confidence: 92%

Reliable evaluation of adversarial robustness with an ensemble of diverse parameter-free attacks

Croce,

Hein

2020

Preprint

Self Cite

View full text Add to dashboard Cite

The field of defense strategies against adversarial attacks has significantly grown over the last years, but progress is hampered as the evaluation of adversarial defenses is often insufficient and thus gives a wrong impression of robustness. Many promising defenses could be broken later on, making it difficult to identify the state-of-the-art. Frequent pitfalls in the evaluation are improper tuning of hyperparameters of the attacks, gradient obfuscation or masking. In this paper we first propose two extensions of the PGD-attack overcoming failures due to suboptimal step size and problems of the objective function. We then combine our novel attacks with two complementary existing ones to form a parameter-free, computationally affordable and user-independent ensemble of attacks to test adversarial robustness. We apply our ensemble to over 40 models from papers published at recent top machine learning and computer vision venues. In all except one of the cases we achieve lower robust test accuracy than reported in these papers, often by more than 10%, identifying several broken defenses.

show abstract

Section: Introductionmentioning

confidence: 92%

Reliable evaluation of adversarial robustness with an ensemble of diverse parameter-free attacks

Croce,

Hein

2020

Preprint

Self Cite

View full text Add to dashboard Cite

show abstract

“…Even adversarial training has its problems despite being widely considered a reliable defense strategy. For instance, adversarially trained models with ∞ -norm bounded perturbations are still found vulnerable to p -norm perturbations, where p = ∞ [327], [406]. Certified defenses attempt to provide guarantee that the target model can not be fooled within an p -ball of the clean image.…”

Section: Certified Defensesmentioning

confidence: 99%

Threat of Adversarial Attacks on Deep Learning in Computer Vision: A Survey

2018

View full text Add to dashboard Cite

Deep learning is at the heart of the current rise of artificial intelligence. In the field of Computer Vision, it has become the workhorse for applications ranging from self-driving cars to surveillance and security. Whereas deep neural networks have demonstrated phenomenal success (often beyond human capabilities) in solving complex problems, recent studies show that they are vulnerable to adversarial attacks in the form of subtle perturbations to inputs that lead a model to predict incorrect outputs. For images, such perturbations are often too small to be perceptible, yet they completely fool the deep learning models. Adversarial attacks pose a serious threat to the success of deep learning in practice. This fact has recently lead to a large influx of contributions in this direction. This article presents the first comprehensive survey on adversarial attacks on deep learning in Computer Vision. We review the works that design adversarial attacks, analyze the existence of such attacks and propose defenses against them. To emphasize that adversarial attacks are possible in practical conditions, we separately review the contributions that evaluate adversarial attacks in the real-world scenarios. Finally, drawing on the reviewed literature, we provide a broader outlook of this research direction.

show abstract

“…To address such a recognition problem, researchers have traditionally had to pretrain their human activity identification algorithms by extracting certain features from different types of descriptors, such as extended SURF [2] and STIPs [24], before they are incorporated into a particular prediction model such as HMM, SVM, etc. Because of their poor performance and memory usage needs, previous approaches are not very robust [7]. e Support Vector Machine (SVM) offers a high classification accuracy as well as good fault tolerance and e Rough Set eory (RST) technique provides the benefit of dealing with vast amounts of data and removing unnecessary material.…”

Section: Support Vector Machine (Svm)mentioning

confidence: 99%

[Retracted] Medicolite‐Machine Learning‐Based Patient Care Model

Khan¹,

Srivastava²,

Gupta³

et al. 2022

Computational Intelligence and Neuroscience

View full text Add to dashboard Cite

This paper discusses the machine learning effect on healthcare and the development of an application named “Medicolite” in which various modules have been developed for convenience with health-related problems like issues with diet. It also provides online doctor appointments from home and medication through the phone. A healthcare system is “Smart” when it can decide on its own and can prescribe patients life-saving drugs. Machine learning helps in capturing data that are large and contain sensitive information about the patients, so data security is one of the important aspects of this system. It is a health system that uses trending technologies and mobile internet to connect people and healthcare institutions to make them aware of their health condition by intelligently responding to their questions. It perceives information through machine learning and processes this information using cloud computing. With the new technologies, the system decreases the manual intervention in healthcare. Every single piece of information has been saved in the system and the user can access it any time. Furthermore, users can take appointments at any time without standing in a queue. In this paper, the authors proposed a CNN-based classifier. This CNN-based classifier is faster than SVM-based classifier. When these two classifiers are compared based on training and testing sessions, it has been found that the CNN has taken less time (30 seconds) compared to SVM (58 seconds).

show abstract

Scaling up the Randomized Gradient-Free Adversarial Attack Reveals Overestimation of Robustness Using Established Attacks

Cited by 51 publications

References 20 publications

Reliable evaluation of adversarial robustness with an ensemble of diverse parameter-free attacks

Reliable evaluation of adversarial robustness with an ensemble of diverse parameter-free attacks

Threat of Adversarial Attacks on Deep Learning in Computer Vision: A Survey

[Retracted] Medicolite‐Machine Learning‐Based Patient Care Model

Contact Info

Product

Resources

About