Accurate, reliable and fast robustness evaluation

by   Wieland Brendel, et al.

Throughout the past five years, the susceptibility of neural networks to minimal adversarial perturbations has moved from a peculiar phenomenon to a core issue in Deep Learning. Despite much attention, however, progress towards more robust models is significantly impaired by the difficulty of evaluating the robustness of neural network models. Today's methods are either fast but brittle (gradient-based attacks), or they are fairly reliable but slow (score- and decision-based attacks). We here develop a new set of gradient-based adversarial attacks which (a) are more reliable in the face of gradient-masking than other gradient-based attacks, (b) perform better and are more query efficient than current state-of-the-art gradient-based attacks, (c) can be flexibly adapted to a wide range of adversarial criteria and (d) require virtually no hyperparameter tuning. These findings are carefully validated across a diverse set of six different models and hold for L2 and L_infinity in both targeted as well as untargeted scenarios. Implementations will be made available in all major toolboxes (Foolbox, CleverHans and ART). Furthermore, we will soon add additional content and experiments, including L0 and L1 versions of our attack as well as additional comparisons to other L2 and L_infinity attacks. We hope that this class of attacks will make robustness evaluations easier and more reliable, thus contributing to more signal in the search for more robust machine learning models.


page 6

page 8


Decision-Based Adversarial Attacks: Reliable Attacks Against Black-Box Machine Learning Models

Many machine learning algorithms are vulnerable to almost imperceptible ...

Performance Evaluation of Adversarial Attacks: Discrepancies and Solutions

Recently, adversarial attack methods have been developed to challenge th...

Contextual Fusion For Adversarial Robustness

Mammalian brains handle complex reasoning tasks in a gestalt manner by i...

Comment on "Biologically inspired protection of deep networks from adversarial attacks"

A recent paper suggests that Deep Neural Networks can be protected from ...

Combatting Adversarial Attacks through Denoising and Dimensionality Reduction: A Cascaded Autoencoder Approach

Machine Learning models are vulnerable to adversarial attacks that rely ...

Improved Gradient based Adversarial Attacks for Quantized Networks

Neural network quantization has become increasingly popular due to effic...

Standalone Neural ODEs with Sensitivity Analysis

This paper presents the Standalone Neural ODE (sNODE), a continuous-dept...

1 Introduction

Manipulating just a few pixels in an input can easily derail the predictions of a deep neural network (DNN). This susceptibility threatens deployed machine learning models and highlights a gap between human and machine perception. This phenomenon has been intensely studied since its discovery in Deep Learning (Szegedy et al., 2014) but progress has been slow (Athalye et al., 2018a).

One core issue behind this lack of progress is the shortage of tools to reliably evaluate the robustness of machine learning models. Almost all published defenses against adversarial perturbations have later been found to be ineffective (Athalye et al., 2018a): the models just appeared robust on the surface because standard adversarial attacks failed to find the true minimal adversarial perturbations against them. State-of-the-art attacks like PGD (Madry et al., 2018) or C&W (Carlini and Wagner, 2016)

may fail for a number of reasons, ranging from (1) suboptimal hyperparameters over (2) an insufficient number of optimization steps to (3) masking of the backpropagated gradients.

In this paper, we adopt ideas from the decision-based boundary attack (Brendel et al., 2018)

and combine them with gradient-based estimates of the boundary. The resulting class of gradient-based attacks surpasses current state-of-the-art methods in terms of attack success, query efficiency and reliability. Like the decision-based boundary attack, but unlike existing gradient-based attacks, our attacks start from a point far away from the clean input and follow the boundary between the adversarial and non-adversarial region towards the clean input, Figure

1 (middle). This approach has several advantages: first, we always stay close to the decision boundary of the model, the most likely region to feature reliable gradient information. Second, instead of minimizing some surrogate loss (e.g. a weighted combination of the cross-entropy and the distance loss), we can formulate a clean quadratic optimization problem. Its solution relies on the local plane of the boundary to estimate the optimal step towards the clean input under the given norm and the pixel bounds, see Figure 1 (right). Third, because we always stay close to the boundary, our method features only a single hyperparameter (the trust region) but no other trade-off parameters as in C&W or a fixed norm ball as in PGD. We tested our attacks against the current state-of-the-art in the and metric on two conditions (targeted and untargeted) on six different models across three different data sets. To make all comparisons as fair as possible, we conducted a large-scale hyperparameter tuning for each attack. In all cases tested, we find that our attacks outperform the current state-of-the-art in terms of attack success, query efficiency and robustness to suboptimal hyperparameter settings. We hope that these improvements will facilitate progress towards robust machine learning models.

2 Related work

Gradient-based attacks are the most widely used tools to evaluate model robustness due to their efficiency and success rate relative to other classes of attacks with less model information (like decision-based, score-based or transfer-based attacks, see (Brendel et al., 2018)). This class includes many of the best-known attacks such as L-BFGS (Szegedy et al., 2014), FGSM (Goodfellow et al., 2015), JSMA (Papernot et al., 2016), DeepFool (Moosavi-Dezfooli et al., 2016), PGD (Kurakin et al., 2016; Madry et al., 2018), C&W (Carlini and Wagner, 2016), EAD (Chen et al., 2017) and SparseFool (Modas et al., 2019). Nowadays, the two most important ones are PGD with a random starting point (Madry et al., 2018) and C&W (Carlini and Wagner, 2016). They are usually considered the state of the art for (PGD) and (CW). The other ones are either much weaker (FGSM, DeepFool) or minimize other norms, e.g. (JSMA, SparseFool) or (EAD).

More recently, there have been some improvements to PGD that aim at making it more effective and/or more query-efficient by changing its update rule to Adam (Uesato et al., 2018) or momentum (Dong et al., 2018). Initial comparisons to these attacks (not shown) do not suggest any changes in our conclusions w.r.t. to our results on but we will add a full comparison in the next version of the manuscript.

3 Attack algorithm

Figure 1: Schematic of our approach. Consider a two-pixel input which a model either interprets as a dog (shaded region) or as a cat

(white region). Given a clean dog image (solid triangle), we search for the closest image classified as a cat. Standard gradient-based attacks start somewhere near the clean image and perform gradient descent towards the boundary (left). Our attacks start from an adversarial image far away from the clean image and walk along the boundary towards the closest adversarial (middle). In each step, we solve an optimization problem to find the optimal descent direction along the boundary that stays within the valid pixel bounds and the trust region (right).

Our attacks are inspired by the decision-based boundary attack (Brendel et al., 2018) but use gradients to estimate the local boundary between adversarial and non-adversarial inputs. We will refer to this boundary as the adversarial boundary for the rest of this manuscript. In a nutshell, the attack starts from an adversarial input (which may be far away from the clean sample) and then follows the adversarial boundary towards the clean input , see Figure 1 (middle). To compute the optimal step in each iteration, Figure 1 (right), we solve a quadratic trust region optimization problem. The goal of this optimization problem is to find a step such that (1) the updated perturbation has a smaller distance to the clean input , (2) the size of the step is smaller than a given trust region radius , (3) the updated perturbation stays within the box-constraints of the valid input value range (e.g. or for input) and (4) the updated perturbation is approximately placed on the adversarial boundary.

Optimization problem

In mathematical terms, this optimization problem can be phrased as


where denotes the norm and

denotes the estimate of the normal vector of the local boundary (see Figure

1) around (see below for details). For , Eq. (1) is a quadratically-constrained quadratic program (QCQP) while for , it is straight-forward to write Equation (1

) as a linear program with quadratic constraints (LPQC), see the supplementary material. Both problems can be solved with off-the-shelf solvers like ECOS

(Domahidi et al., 2013) or SCS (O’Donoghue et al., 2016) but the runtime of these solvers as well as their numerical instabilities in high dimensions prohibits their use in practice. We therefore derived efficient iterative algorithms to solve Eq. (1) for and . The additional optimization step has little to no impact on the runtime of our attack compared to standard iterative gradient-based attacks like PGD. We report the details of the derivation and the resulting algorithms in the supplements.

For , the algorithm to solve Equation (1) is basically an active-set method: in each iteration, we first ignore the pixel bounds, solve the residual QCQP analytically, and then project the solution back into the pixel bounds. In practice, the algorithm converges after a few iterations to the optimal solution .

For , we note that the optimization problem in Eq. (1) can be reduced to the problem for a fixed norm of size . We then perform a simple and fast binary search to minimize .

Adversarial criterion

Our attacks move along the adversarial boundary to minimize the distance to the clean input. We assume that this boundary can be defined by a differentiable equality constraint , i.e. the manifold that defines the boundary is given by the set of inputs . No other assumptions about the adversarial boundary are being made. Common choices for are targeted or untargeted adversarials, defined by perturbations that switch the model prediction from the ground-truth label to either a specified target label (targeted scenario) or any other label (untargeted scenario). More precisely, let

be the class-conditional log-probabilities predicted by model

on the input . Then is the criterion for targeted adversarials and for untargeted adversarials.

The direction of the boundary in step at point is defined as the derivative of ,


Hence, any step for which will move the perturbation onto the adversarial boundary (if the linearity assumption holds exactly). In Eq. (1), we defined for brevity. Finally, we note that in the targeted and untargeted scenarios, we compute gradients for the same loss found to be most effective in Carlini and Wagner (2016). In our case, this loss is naturally derived from a geometric perspective of the adversarial boundary.

Starting point

The algorithm always starts from a point that is typically far away from the clean image and lies in the adversarial region. There are several straight-forward ways to find such starting points, e.g. by (1) sampling random noise inputs, (2) choosing a real sample that is part of the adversarial region (e.g. is classified as a given target class) or (3) choosing the output of another adversarial attack.

In all experiments presented in this paper, we choose the starting point as the closest sample (in terms of the norm) to the clean input which was classified differently (in untargeted settings) or classified as the desired target class (in targeted settings) by the given model. After finding a suitable starting point, we perform a binary search with a maximum of 10 steps between the clean input and the starting point to find the adversarial boundary. From this point, we perform an iterative descent along the boundary towards the clean input. Algorithm 1 provides a compact summary of the attack procedure.

Data: clean input , differentiable adversarial criterion , adversarial starting point
Result: adversarial example such that the distance is minimized
       if no is given: s.t. is adversarial (or sample from adv. class) while  maximum number of steps do
               // estimate local geometry of decision boundary
               // estimate distance to decision boundary
             solve optimization problem Eq. (1) for given norm
       end while
Algorithm 1 Schematic of our attacks.

4 Methods

We extensively compare the proposed attack against current state-of-the art attacks in a range of different scenarios. This includes six different models (varying in model architecture, defense mechanism and data set), two different adversarial categories (targeted and untargeted) and two different metrics ( and ). In addition, we perform a large-scale hyperparameter tuning for all attacks we compare against in order to be as fair as possible. The full analysis pipeline is built on top of Foolbox (Rauber et al., 2017) and will be published soon.


We compare against the two attacks which are considered to be the current state-of-the-art in and according to the recently published guidelines (Carlini et al., 2019):

  • [itemsep=1ex, leftmargin=0.5cm]

  • Projected Gradient Descent (PGD) (Madry et al., 2018). Iterative gradient attack that optimizes by minimizing a cross-entropy loss under a fixed norm constraint enforced in each step.

  • C&W (Carlini and Wagner, 2016).

    iterative gradient attack that relies on the Adam optimizer, a tanh-nonlinearity to respect pixel-constraints and a loss function that weighs a classification loss with the distance metric to be minimized.


We test all attacks on all models regardless as to whether the models have been specifically defended against the distance metric the attacks are optimizing. The sole goal is to evaluate all attacks on a maximally broad set of different models to ensure their wide applicability. For all models, we used the official implementations of the authors as available in the Foolbox model zoo (Rauber et al., 2017).

  • [itemsep=1ex, leftmargin=0.5cm]

  • Madry-MNIST (Madry et al., 2018): Adversarially trained model on MNIST. Claim: 89.62% ( perturbation ). Best third-party evaluation: 88.42% (Wang et al., 2018).

  • Madry-CIFAR (Madry et al., 2018): Adversarially trained model on CIFAR-10. Claim: 47.04% ( perturbation ). Best third-party evaluation: 44.71% (Zheng et al., 2018).

  • Distillation (Papernot et al., 2015): Defense (MNIST) with increased softmax temperature. Claim: 99.06% ( perturbation ). Best third-party evaluation: 3.6% (Carlini and Wagner, 2016).

  • Logitpairing (Kannan et al., 2018)

    : Variant of adversarial training on downscaled ImageNET (64 x 64 pixels) using the logit vector instead of cross-entropy. Claim: 27.9% (

    perturbation . Best third-party evaluation: 0.6% (Engstrom et al., 2018).

  • Kolter & Wong (Kolter and Wong, 2017): Provable defense that considers a convex outer approximation of the possible hidden activations within an ball to optimize a worst-case adversarial loss over this region. MNIST claims: 94.2% ( perturbations ).

  • ResNet-50 (He et al., 2016): Standard vanilla ResNet-50 model trained on ImageNET that reaches 50% for perturbations (Brendel et al., 2018).

Adversarial categories

We test all attacks in two common attack scenarios: untargeted and targeted attacks. In other words, perturbed inputs are classified as adversarials if they are classified differently from the ground-truth label (untargeted) or are classified as a given target class (targeted).

Hyperparameter tuning

We ran PGD, C&W and our attacks on each model/attack combination and each sample with five repetitions and eight different hyperparameter settings. For each attack, we only varied the step sizes and left all other hyperparameters constant. We tested for PGD, for C&W and for our attacks. For C&W, we set the number of steps to 200 and binary search steps to 9. All other hyperparameters were left at their default values222In the next update of the manuscript we additional optimize C&W over its initial tradeoff-constant. Our preliminary results on this, however, do not show any substantial differences to the results presented here..


The success of an attack is typically quantified as the attack success rate within a given norm ball. In other words, the attack is allowed to perturb the clean input with a maximum norm of and one measures the classification accuracy of the model on the perturbed inputs. The smaller the classification accuracy the better performed the attack. PGD (Madry et al., 2018), the current state-of-the-art attack on , is highly adapted to this scenario and expects as an input.

This contrasts with most attacks like C&W (Carlini and Wagner, 2016) which are designed to find minimal adversarial perturbations. In such scenarios, it is more natural to measure the success of an attack as the median over the adversarial perturbation sizes across all tested samples (Schott et al., 2019). The smaller the median perturbations the better the attack.

Figure 2: Randomly selected adversarial examples found by our attacks for each model. The top part shows adversarial examples that minimize the norm while the bottom row shows adversarial examples that minimize the norm.

Our attacks also seek minimal adversarials and thus lend themselves to both evaluation schemes. To make the comparison to the current state-of-the-art as fair as possible, we adopt the success rate criterion on and the median perturbation distance on .

All results reported have been evaluated on 1000 validation samples333Except for the results on ResNet-50, which have been run on 100 samples due to time-constraints. We will report the full results in the next version of the paper.. For the evaluation, we chose for each model and each attack scenario such that the best attack performance reaches roughly 50% accuracy. This makes it easier to compare the performance of different attacks (compared to thresholds at which model accuracy is close to zero or close to clean performance). In the untargeted scenario, we chose in the untargeted and in the targeted scenarios for Madry-MNIST, Kolter & Wong, Distillation, Madry-CIFAR, Logitpairing and ResNet-50, respectively.

5 Results

5.1 Attack success

In both targeted as well as untargeted attack scenarios, our attacks surpass the current state-of-the-art on every single model we tested, see Table 1 (untargeted) and Table 2 (targeted). While the gains are small on some models like Distillation or Madry-CIFAR, we reach quite substantial gains on others: on Madry-MNIST, our untargeted attack reaches median perturbation sizes of 1.15 compared to 3.46 for C&W. In the targeted scenario, the difference is even more pronounced (1.70 vs 5.15). On , our attack further reduces the model accuracy by 0.1% to 9.1% relative to PGD. Adversarial examples produced by our attacks are visualized in Figure 2.

Madry-MNIST K&W Distillation Madry-CIFAR LP ResNet-50
PGD 59.3% 74.5% 30.3% 49.9% 24.1% 53%
Ours- 50.2% 68.4% 29.6% 49.8% 19.3% 41%
C&W 3.46 2.87 1.10 0.76 0.10 0.15
Ours- 1.15 1.62 1.07 0.72 0.09 0.13
Table 1: Attack success in untargeted scenario. Model accuracies (PGD and Ours-) and median perturbation distance (C&W and Ours-) in untargeted attack scenarios. Smaller is better.
Madry-MNIST K&W Distillation Madry-CIFAR LP ResNet-50
PGD 65.5% 46.3% 52.8% 39.1% 1.5% 47%
Ours- 57.7% 38.7% 50.1% 37.3% 0.6% 42%
C&W 5.15 4.21 2.10 1.21 0.54 0.46
Ours- 1.70 2.32 2.06 1.16 0.52 0.4
Table 2: Attack success in targeted scenario. Model accuracies (PGD and Ours-) and median adversarial perturbation distance (C&W and Ours-) in targeted attack scenarios. Smaller is better.
Figure 3: Query-Success curves for all model/attack combinations in the targeted and untargeted scenario. Each curve shows the attack success either in terms of model accuracy (for , left part) or median adversarial perturbation size (for , right part) over the number of queries to the model. In both cases, lower is better. For each point on the curve, we selected the optimal hyperparameter.

5.2 Query efficiency

On , our attack is drastically more query efficient than C&W, see the query-distortion curves in Figure 3. Each curve represents the maximal attack success (either in terms of model accuracy or median perturbation size) as a function of query budget. For each query (i.e. each point of the curve) and each model, we select the optimal hyperparameter. This ensures that the we tease out how good each attack can perform in limited-query scenarios. We find that our attack generally requires only about 10 to 20 queries to get close to convergence while C&W often needs several hundred iterations.

Similarly, our attack generally surpasses PGD in terms of attack success after around 10 queries. The first few queries are typically required by our attack to find a suitable point on the adversarial boundary. This gives PGD a slight advantage at the very beginning.

Figure 4: Sensitivity of our method to the number of repetitions and suboptimal hyperparameters.

5.3 Hyperparameter robustness

In Figure 4, we show the results of an ablation study. In the full case (8 params + 5 reps), we run all attacks with all eight hyperparameter values and with five repetitions for 1000 steps on each sample and model. We then choose the smallest adversarial input across all hyperparameter values and all repetitions. This is the baseline we compare all ablations against. The results are as follows:

  • Like PGD or C&W, our attacks experience only a 4% performance drop if a single hyperparameter is used instead of eight.

  • Our attacks experience around 15% - 19% drop in performance for a single hyperparameter and only one instead of five repetitions, similar to PGD and C&W.

  • We can even choose the same trust region hyperparameter across all models with no further drop in performance. C&W, in comparison, experiences a further 16% drop in performance, meaning it is more sensitive to per-model hyperparameter tuning.

  • Our attack is extremely insensitive to suboptimal hyperparameter tuning: changing the optimal trust region two orders of magnitude up or down changes performance by less than 15%. In comparison, just one order of magnitude deteriorates C&W performance by almost 50%. Larger deviations from the optimal learning rate disarm C&W completely. PGD is less sensitive than C&W but still experiences large drops if the learning rate gets too small.

6 Discussion & Conclusion

An important obstacle slowing down the search for robust machine learning models is the lack of reliable evaluation tools: out of roughly two hundred defenses proposed and evaluated in the literature, less than a handful are widely accepted as being effective. A more reliable evaluation of adversarial robustness has the potential to more clearly distinguish effective defenses from ineffective ones, thus providing more signal and thereby accelerating progress towards robust models.

In this paper, we introduced a novel class of gradient-based attacks that outperforms the current state-of-the-art in terms of attack success, query efficiency and reliability on and . By moving along the adversarial boundary, our attacks stay in a region with fairly reliable gradient information. Other methods like C&W which move through regions far away from the boundary might get stuck due to obfuscated gradients, a common issue for robustness evaluation (Athalye et al., 2018b).

Further extensions to other metrics like are possible as long as the optimization problem Eq. (1) can be solved efficiently. We are currently working on an extension towards and which we will add in the next iteration of the manuscript. Extensions to other adversarial criteria are trivial as long as the boundary between the adversarial and the non-adversarial region can be described by a differentiable equality constraint. This makes the attack more suitable to scenarios other than targeted or untargeted classification tasks.

Taken together, our methods set a new standard for adversarial attacks that is useful for practitioners and researchers alike to find more robust machine learning models.


This work has been funded, in part, by the German Federal Ministry of Education and Research (BMBF) through the Bernstein Computational Neuroscience Program Tübingen (FKZ: 01GQ1002) as well as the German Research Foundation (DFG CRC 1233 on “Robust Vision”) and the BMBF competence center for machine learning (FKZ 01IS18039A). The authors thank the International Max Planck Research School for Intelligent Systems (IMPRS-IS) for supporting J.R., M.K. and I.U.; J.R. acknowledges support by the Bosch Forschungsstiftung (Stifterverband, T113/30057/17); M.B. acknowledges support by the Centre for Integrative Neuroscience Tübingen (EXC 307); W.B. and M.B. were supported by the Intelligence Advanced Research Projects Activity (IARPA) via Department of Interior / Interior Business Center (DoI/IBC) contract number D16PC00003.