Attack as Defense: Characterizing Adversarial Examples Using Robustness

Zhe Zhao, Guangke Chen, Jingyi Wang, Yiwei Yang, Fu Song, Jun Sun
Proceedings of the 30th ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA 2021)
Published 13 March 2021
As a new programming paradigm, deep learning has expanded its application to many real-world problems. At the same time, deep learning-based software has been found to be vulnerable to adversarial attacks. Though various defense mechanisms have been proposed to improve the robustness of deep learning software, many of them are ineffective against adaptive attacks. In this work, we propose a novel characterization to distinguish adversarial examples from benign ones based on the observation that…
Adversarial Attacks on ML Defense Models Competition
Participants were encouraged to develop stronger white-box attack algorithms to probe the worst-case robustness of different defenses; the competition established a new adversarial robustness benchmark at ares-bench/, which allows users to upload adversarial attack algorithms and defense models for evaluation.
SEC4SR: A Security Analysis Platform for Speaker Recognition
SEC4SR is the first platform enabling researchers to systematically and comprehensively evaluate adversarial attacks and defenses in speaker recognition, and it provides many useful findings that may advance future research.
Towards Understanding and Mitigating Audio Adversarial Examples for Speaker Recognition
It is demonstrated that the proposed feature-level transformation combined with adversarial training is considerably more effective than adversarial training alone in a complete white-box setting, while other transformations do not necessarily improve the overall defense capability.
AS2T: Arbitrary Source-To-Target Adversarial Attack on Speaker Recognition Systems
This work presents AS2T, the first attack in this domain that covers all settings, allowing the adversary to craft adversarial voices with arbitrary source and target speakers for any of the three main recognition tasks, and sheds light on future directions for adversarial attacks in the speaker recognition domain.
Taking Care of The Discretization Problem: A Comprehensive Study of the Discretization Problem and A Black-Box Adversarial Attack in Discrete Integer Domain
This work reduces the adversarial example search problem to a derivative-free optimization problem, yielding a black-box method that achieves a significantly higher success rate in crafting adversarial examples in the discrete integer domain than recent black-box methods.
Eager Falsification for Accelerating Robustness Verification of Deep Neural Networks
This paper proposes eager falsification to accelerate the robustness verification of DNNs and integrates it into four state-of-the-art verification tools, i.e., MIPVerify, Neurify, DeepZ, and DeepPoly, and conducts extensive experiments on 8 benchmark datasets.
Free Lunch for Testing: Fuzzing Deep-Learning Libraries from Open Source
This paper proposes FreeFuzz, the first approach to fuzzing DL libraries via mining from open source; it automatically traces valid dynamic information for fuzzing 1158 popular APIs, 9X more than the state-of-the-art LEMON, with 3.5X lower overhead.
ESampler: Efficient Sampling of Satisfying Assignments for Boolean Formulas
This work proposes a novel approach to efficiently derive a large set of satisfying assignments from a given one, implemented as the open-source tool ESampler and evaluated through extensive experiments on real-world benchmarks.
ESampler: Boosting sampling of satisfying assignments for Boolean formulas via derivation


Towards Deep Learning Models Resistant to Adversarial Attacks
This work studies the adversarial robustness of neural networks through the lens of robust optimization, and suggests the notion of security against a first-order adversary as a natural and broad security guarantee.
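The robust-optimization view frames adversarial training as a min-max problem whose inner maximization is solved by projected gradient descent (PGD): repeatedly step in the signed gradient direction of the loss, then project back into the epsilon-ball around the original input. A minimal 1-D sketch on a hypothetical stand-in loss (not a real network):

```python
# Minimal PGD inner-maximization sketch: signed gradient ascent on the
# loss, with projection back into the L-infinity ball around x0.

def pgd(x0, grad, eps=0.3, alpha=0.1, steps=10):
    x = x0
    for _ in range(steps):
        x = x + alpha * (1 if grad(x) >= 0 else -1)  # signed gradient step
        x = max(x0 - eps, min(x0 + eps, x))          # project to [x0-eps, x0+eps]
    return x

# Stand-in loss(x) = (x - 2)**2 with gradient 2*(x - 2); maximizing the
# loss pushes x away from 2 until projection caps the perturbation at eps.
x_adv = pgd(0.0, lambda x: 2 * (x - 2))
print(x_adv)  # saturates at the ball boundary, -0.3
```

Adversarial training then takes the outer minimization step on the model parameters using the loss at `x_adv` instead of the clean input.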
MagNet: A Two-Pronged Defense against Adversarial Examples
MagNet, a framework for defending neural network classifiers against adversarial examples, is proposed, and it is shown empirically that MagNet is effective against the most advanced state-of-the-art attacks in black-box and gray-box scenarios without sacrificing the false positive rate on normal examples.
Distillation as a Defense to Adversarial Perturbations Against Deep Neural Networks
The study shows that defensive distillation can reduce the success rate of adversarial sample creation from 95% to less than 0.5% on a studied DNN, and analytically investigates the generalizability and robustness properties granted by the use of defensive distillation when training DNNs.
Towards Evaluating the Robustness of Neural Networks
It is demonstrated that defensive distillation does not significantly increase the robustness of neural networks, and three new attack algorithms are introduced that succeed on both distilled and undistilled neural networks with 100% probability.
Adversarial Training for Free!
This work presents an algorithm that eliminates the overhead cost of generating adversarial examples by recycling the gradient information computed when updating model parameters, and achieves robustness comparable to PGD adversarial training on the CIFAR-10 and CIFAR-100 datasets at negligible additional cost compared to natural training.
Simple Black-Box Adversarial Attacks on Deep Neural Networks
This work focuses on deep convolutional neural networks and demonstrates that adversaries can easily craft adversarial examples even without any internal knowledge of the target network, and proposes schemes that could serve as a litmus test for designing robust networks.
Evaluating the Robustness of Neural Networks: An Extreme Value Theory Approach
This paper provides a theoretical justification for converting robustness analysis into a local Lipschitz constant estimation problem, and proposes to use Extreme Value Theory for efficient evaluation, yielding a novel robustness metric called CLEVER, short for Cross Lipschitz Extreme Value for nEtwork Robustness.
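The underlying quantity is a local Lipschitz constant: the largest slope the function exhibits in a small ball around the input, which bounds how little perturbation can change the output. CLEVER estimates it by fitting an extreme value distribution to sampled maxima of gradient norms; the hypothetical simplification below just takes the empirical maximum slope over random samples, on a stand-in function rather than a network:

```python
# Rough sketch of local Lipschitz estimation by sampling: probe random
# points in a small ball around x and keep the maximum observed slope.
# CLEVER fits an extreme value distribution to such maxima instead of
# taking the raw empirical max.
import math
import random

def f(x):
    return math.sin(3 * x)   # stand-in for a network's margin function

def local_lipschitz(x, radius=0.1, samples=1000, seed=0):
    rng = random.Random(seed)
    best = 0.0
    for _ in range(samples):
        d = rng.uniform(-radius, radius)
        if d != 0:
            best = max(best, abs(f(x + d) - f(x)) / abs(d))
    return best

L = local_lipschitz(0.0)  # true local Lipschitz constant of sin(3x) near 0 is 3
```

A lower bound on the minimum adversarial distortion then follows as (classification margin) / L, which is the robustness score CLEVER reports.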
Robust Physical-World Attacks on Deep Learning Visual Classification
This work proposes a general attack algorithm, Robust Physical Perturbations (RP2), to generate robust visual adversarial perturbations under different physical conditions and shows that adversarial examples generated using RP2 achieve high targeted misclassification rates against standard-architecture road sign classifiers in the physical world under various environmental conditions, including viewpoints.
Adversarial Sample Detection for Deep Neural Network through Model Mutation Testing
This work proposes a measure of "sensitivity" and shows empirically that normal and adversarial samples have distinguishable sensitivity; it integrates statistical hypothesis testing and model mutation testing to check at runtime whether an input sample is likely normal or adversarial by measuring its sensitivity.
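The sensitivity idea can be illustrated directly: mutate the model's weights slightly many times and record how often the predicted label changes. Inputs near the decision boundary, which is typical of adversarial examples, flip far more often under such mutations than benign inputs. A toy sketch on a hypothetical linear model (not the paper's mutation operators):

```python
# Toy mutation-testing detector: perturb model weights with Gaussian
# noise many times and measure the label-change rate of a given input.
import random

def predict(x, w=(1.0, 1.0), b=-1.0):
    return 1 if w[0] * x[0] + w[1] * x[1] + b >= 0 else 0

def label_change_rate(x, n_mutants=200, noise=0.2, seed=0):
    rng = random.Random(seed)
    base = predict(x)
    changed = 0
    for _ in range(n_mutants):
        w = (1.0 + rng.gauss(0, noise), 1.0 + rng.gauss(0, noise))
        b = -1.0 + rng.gauss(0, noise)
        if predict(x, w, b) != base:
            changed += 1
    return changed / n_mutants

# Benign input far from the boundary vs. input barely past the boundary:
print(label_change_rate((2.0, 2.0)), label_change_rate((0.55, 0.50)))
```

The paper combines this rate with sequential statistical hypothesis testing so that a verdict can be reached after as few mutants as possible at runtime.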
Connecting the Digital and Physical World: Improving the Robustness of Adversarial Attacks
This work uses an image-to-image translation network to simulate the digital-to-physical transformation process, generating robust adversarial examples that remain effective in the physical domain and demonstrate a high level of robustness and transferability.