On the Robustness of Domain Constraints

  title={On the Robustness of Domain Constraints},
  author={Ryan Sheatsley and Blaine Hoak and Eric Pauley and Yohan Beugin and Mike Weisman and Patrick Mcdaniel},
  journal={Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security},
Machine learning is vulnerable to adversarial examples--inputs designed to cause models to perform poorly. However, it is unclear if adversarial examples represent realistic inputs in the modeled domains. Diverse domains such as networks and phishing have domain constraints--complex relationships between features that an adversary must satisfy for an attack to be realized (in addition to any adversary-specific goals). In this paper, we explore how domain constraints limit adversarial… 
Domain Knowledge Alleviates Adversarial Attacks in Multi-Label Classifiers.
This paper shows how to implement an adaptive attack exploiting knowledge of the constraints and provides experimental comparisons with popular state-of-the-art attacks, believing that this approach may provide a significant step towards designing more robust multi-label classifiers.
On The Empirical Effectiveness of Unrealistic Adversarial Hardening Against Realistic Adversarial Attacks
This paper conducts a study on three real-world use cases and five datasets and analyzes the latent representation of the adversarial examples generated with realistic and unrealistic attacks to paves the way for a better understanding of adversarial robustness against realistic attacks.
On the Exploitability of Audio Machine Learning Pipelines to Surreptitious Adversarial Examples
Surreptitious adversarial examples are introduced, a new class of attacks that evades both human and pipeline controls and are shown to be more surreptition than previous attacks that aim solely for imperceptibility.
SoK: Machine Learning Governance
The approach first systematizes research towards ascertaining ownership of data and models, thus fostering a notion of identity specific to ML systems, and uses identities to hold principals accountable for failures of ML systems through both attribution and auditing.


Adversarial Machine Learning at Scale
This research applies adversarial training to ImageNet and finds that single-step attacks are the best for mounting black-box attacks, and resolution of a "label leaking" effect that causes adversarially trained models to perform better on adversarial examples than on clean examples.
Towards Deep Learning Models Resistant to Adversarial Attacks
This work studies the adversarial robustness of neural networks through the lens of robust optimization, and suggests the notion of security against a first-order adversary as a natural and broad security guarantee.
The Space of Transferable Adversarial Examples
It is found that adversarial examples span a contiguous subspace of large (~25) dimensionality, which indicates that it may be possible to design defenses against transfer-based attacks, even for models that are vulnerable to direct attacks.
Evading Defenses to Transferable Adversarial Examples by Translation-Invariant Attacks
A translation-invariant attack method to generate more transferable adversarial examples against the defense models, which fools eight state-of-the-art defenses at an 82% success rate on average based only on the transferability, demonstrating the insecurity of the current defense techniques.
Delving into Transferable Adversarial Examples and Black-box Attacks
This work is the first to conduct an extensive study of the transferability over large models and a large scale dataset, and it is also theFirst to study the transferabilities of targeted adversarial examples with their target labels.
The Limitations of Deep Learning in Adversarial Settings
This work formalizes the space of adversaries against deep neural networks (DNNs) and introduces a novel class of algorithms to craft adversarial samples based on a precise understanding of the mapping between inputs and outputs of DNNs.
A General Framework for Adversarial Examples with Objectives
This article proposes adversarial generative nets (AGNs), a general methodology to train a generator neural network to emit adversarial examples satisfying desired objectives, and demonstrates the ability of AGNs to accommodate a wide range of objectives, including imprecise ones difficult to model, in two application domains.
Detecting Adversarial Samples from Artifacts
This paper investigates model confidence on adversarial samples by looking at Bayesian uncertainty estimates, available in dropout neural networks, and by performing density estimation in the subspace of deep features learned by the model, and results show a method for implicit adversarial detection that is oblivious to the attack algorithm.
Provable defenses against adversarial examples via the convex outer adversarial polytope
A method to learn deep ReLU-based classifiers that are provably robust against norm-bounded adversarial perturbations, and it is shown that the dual problem to this linear program can be represented itself as a deep network similar to the backpropagation network, leading to very efficient optimization approaches that produce guaranteed bounds on the robust loss.
On the (Statistical) Detection of Adversarial Examples
It is shown that statistical properties of adversarial examples are essential to their detection, and they are not drawn from the same distribution than the original data, and can thus be detected using statistical tests.