Open access
Datum
2022Typ
- Conference Paper
ETH Bibliographie
yes
Altmetrics
Abstract
One popular group of defense techniques against adversarial attacks is based on injecting stochastic noise into the network. The main source of robustness of such stochastic defenses however is often due to the obfuscation of the gradients, offering a false sense of security. Since most of the popular adversarial attacks are optimization-based, obfuscated gradients reduce their attacking ability, while the model is still susceptible to stronger or specifically tailored adversarial attacks. Recently, five characteristics have been identified, which are commonly observed when the improvement in robustness is mainly caused by gradient obfuscation. It has since become a trend to use these five characteristics as a sufficient test, to determine whether or not gradient obfuscation is the main source of robustness. However, these characteristics do not perfectly characterize all existing cases of gradient obfuscation, and therefore can not serve as a basis for a conclusive test. In this work, we present a counterexample, showing this test is not suf- ficient for concluding that gradient obfuscation is not the main cause of improvements in robustness. Mehr anzeigen
Persistenter Link
https://doi.org/10.3929/ethz-b-000588935Publikationsstatus
publishedVerlag
ETH ZurichKonferenz
Organisationseinheit
03514 - Van Gool, Luc / Van Gool, Luc
Anmerkungen
Oral presentation at "The Art of Robustness: Devil and Angel in Adversarial Machine Learning, Workshop" at IEEE Conference on Computer Vision and Pattern Recognition 2022.ETH Bibliographie
yes
Altmetrics