Cargando…
Beware the Black-Box: On the Robustness of Recent Defenses to Adversarial Examples
Many defenses have recently been proposed at venues like NIPS, ICML, ICLR and CVPR. These defenses are mainly focused on mitigating white-box attacks. They do not properly examine black-box attacks. In this paper, we expand upon the analyses of these defenses to include adaptive black-box adversarie...
| Autores principales: | , , , |
|---|---|
| Formato: | Online Artículo Texto |
| Lenguaje: | English |
| Publicado: |
MDPI
2021
|
| Materias: | |
| Acceso en línea: | https://www.ncbi.nlm.nih.gov/pmc/articles/PMC8534430/ https://www.ncbi.nlm.nih.gov/pubmed/34682083 http://dx.doi.org/10.3390/e23101359 |
| _version_ | 1784587551050301440 |
|---|---|
| author | Mahmood, Kaleel Gurevin, Deniz van Dijk, Marten Nguyen, Phuoung Ha |
| author_facet | Mahmood, Kaleel Gurevin, Deniz van Dijk, Marten Nguyen, Phuoung Ha |
| author_sort | Mahmood, Kaleel |
| collection | PubMed |
| description | Many defenses have recently been proposed at venues like NIPS, ICML, ICLR and CVPR. These defenses are mainly focused on mitigating white-box attacks. They do not properly examine black-box attacks. In this paper, we expand upon the analyses of these defenses to include adaptive black-box adversaries. Our evaluation is done on nine defenses including Barrage of Random Transforms, ComDefend, Ensemble Diversity, Feature Distillation, The Odds are Odd, Error Correcting Codes, Distribution Classifier Defense, K-Winner Take All and Buffer Zones. Our investigation is done using two black-box adversarial models and six widely studied adversarial attacks for CIFAR-10 and Fashion-MNIST datasets. Our analyses show most recent defenses (7 out of 9) provide only marginal improvements in security (<25%), as compared to undefended networks. For every defense, we also show the relationship between the amount of data the adversary has at their disposal, and the effectiveness of adaptive black-box attacks. Overall, our results paint a clear picture: defenses need both thorough white-box and black-box analyses to be considered secure. We provide this large scale study and analyses to motivate the field to move towards the development of more robust black-box defenses. |
| format | Online Article Text |
| id | pubmed-8534430 |
| institution | National Center for Biotechnology Information |
| language | English |
| publishDate | 2021 |
| publisher | MDPI |
| record_format | MEDLINE/PubMed |
| spelling | pubmed-85344302021-10-23 Beware the Black-Box: On the Robustness of Recent Defenses to Adversarial Examples Mahmood, Kaleel Gurevin, Deniz van Dijk, Marten Nguyen, Phuoung Ha Entropy (Basel) Article Many defenses have recently been proposed at venues like NIPS, ICML, ICLR and CVPR. These defenses are mainly focused on mitigating white-box attacks. They do not properly examine black-box attacks. In this paper, we expand upon the analyses of these defenses to include adaptive black-box adversaries. Our evaluation is done on nine defenses including Barrage of Random Transforms, ComDefend, Ensemble Diversity, Feature Distillation, The Odds are Odd, Error Correcting Codes, Distribution Classifier Defense, K-Winner Take All and Buffer Zones. Our investigation is done using two black-box adversarial models and six widely studied adversarial attacks for CIFAR-10 and Fashion-MNIST datasets. Our analyses show most recent defenses (7 out of 9) provide only marginal improvements in security (<25%), as compared to undefended networks. For every defense, we also show the relationship between the amount of data the adversary has at their disposal, and the effectiveness of adaptive black-box attacks. Overall, our results paint a clear picture: defenses need both thorough white-box and black-box analyses to be considered secure. We provide this large scale study and analyses to motivate the field to move towards the development of more robust black-box defenses. MDPI 2021-10-18 /pmc/articles/PMC8534430/ /pubmed/34682083 http://dx.doi.org/10.3390/e23101359 Text en © 2021 by the authors. https://creativecommons.org/licenses/by/4.0/Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/). |
| spellingShingle | Article Mahmood, Kaleel Gurevin, Deniz van Dijk, Marten Nguyen, Phuoung Ha Beware the Black-Box: On the Robustness of Recent Defenses to Adversarial Examples |
| title | Beware the Black-Box: On the Robustness of Recent Defenses to Adversarial Examples |
| title_full | Beware the Black-Box: On the Robustness of Recent Defenses to Adversarial Examples |
| title_fullStr | Beware the Black-Box: On the Robustness of Recent Defenses to Adversarial Examples |
| title_full_unstemmed | Beware the Black-Box: On the Robustness of Recent Defenses to Adversarial Examples |
| title_short | Beware the Black-Box: On the Robustness of Recent Defenses to Adversarial Examples |
| title_sort | beware the black-box: on the robustness of recent defenses to adversarial examples |
| topic | Article |
| url | https://www.ncbi.nlm.nih.gov/pmc/articles/PMC8534430/ https://www.ncbi.nlm.nih.gov/pubmed/34682083 http://dx.doi.org/10.3390/e23101359 |
| work_keys_str_mv | AT mahmoodkaleel bewaretheblackboxontherobustnessofrecentdefensestoadversarialexamples AT gurevindeniz bewaretheblackboxontherobustnessofrecentdefensestoadversarialexamples AT vandijkmarten bewaretheblackboxontherobustnessofrecentdefensestoadversarialexamples AT nguyenphuoungha bewaretheblackboxontherobustnessofrecentdefensestoadversarialexamples |