Difference between revisions of "Defenses Against Adversarial Attacks"
| Line 8: | Line 8: | ||
______________________________________________________ | ______________________________________________________ | ||
| − | * A method based on a semidefinite relaxation that outputs a certificate that for a given network and test input, no attack can force the error to exceed a certain value. Second, as this certificate is differentiable, we jointly optimize it with the network parameters, providing an adaptive regularizer that encourages robustness against all attacks. On MNIST, our approach produces a network and a certificate that no attack that perturbs each pixel by at most � = 0.1 can cause more than 35 | + | * A method based on a semidefinite relaxation that outputs a certificate that for a given network and test input, no attack can force the error to exceed a certain value. Second, as this certificate is differentiable, we jointly optimize it with the network parameters, providing an adaptive regularizer that encourages robustness against all attacks. On MNIST, our approach produces a network and a certificate that no attack that perturbs each pixel by at most � = 0.1 can cause more than 35 percent test error.[http://arxiv.org/pdf/1801.09344.pdf Certified Defenses against Adversarial Examples | Raghunathan, A., Steinhardt, J., Liang, P.], 29 Jan 2018 |
<youtube>sh6OS6Lssv4</youtube> | <youtube>sh6OS6Lssv4</youtube> | ||
Revision as of 21:51, 5 July 2018
______________________________________________________
- A method based on a semidefinite relaxation that outputs a certificate that for a given network and test input, no attack can force the error to exceed a certain value. Second, as this certificate is differentiable, we jointly optimize it with the network parameters, providing an adaptive regularizer that encourages robustness against all attacks. On MNIST, our approach produces a network and a certificate that no attack that perturbs each pixel by at most � = 0.1 can cause more than 35 percent test error.Certified Defenses against Adversarial Examples | Raghunathan, A., Steinhardt, J., Liang, P., 29 Jan 2018
MagNet
- MagNet includes one or more separate detector networks and a reformer network. The detector networks learn to differentiate between normal and adversarial examples by approximating the manifold of normal examples. Since they assume no specific process for generating adversarial examples, they generalize well. The reformer network moves adversarial examples towards the manifold of normal examples, which is effective for correctly classifying adversarial examples with small perturbation. We discuss the intrinsic difficulties in defending against whitebox attack and propose a mechanism to defend against graybox attack. Inspired by the use of randomness in cryptography, we use diversity to strengthen MagNet. We show empirically that MagNet is effective against the most advanced state-of-the-art attacks in blackbox and graybox scenarios without sacrificing false positive rate on normal examples.MagNet: a Two-Pronged Defense against Adversarial Examples | Meng, D., Chen, H., 11 Sep 2017
- ...we show that adversarial examples crafted based on the L1 distortion metric can easily bypass MagNet On the Limitation of MagNet Defense against L1-based Adversarial Examples | Lu, P., Chen, P., Chen, K., Yu, C., 9 May 2018
- MagNet and "Efficient Defenses..." were recently proposed as a defense to adversarial examples. We find that we can construct adversarial examples that defeat these defenses with only a slight increase in distortion. MagNet and "Efficient Defenses Against Adversarial Attacks" are Not Robust to Adversarial Examples | Carlini, N., Wagner, D., 22 Nov 2017
