Adversarial Examples Are Not Easily Detected: Bypassing Ten Detection Methods

05/20/2017 ∙ by Nicholas Carlini, et al. ∙ 0

Neural networks are known to be vulnerable to adversarial examples: inputs that are close to natural inputs but classified incorrectly. In order to better understand the space of adversarial examples, we survey ten recent proposals that are designed for detection and compare their efficacy. We show that all can be defeated by constructing new loss functions. We conclude that adversarial examples are significantly harder to detect than previously appreciated, and the properties believed to be intrinsic to adversarial examples are in fact not. Finally, we propose several simple guidelines for evaluating future proposed defenses.



There are no comments yet.


page 14

This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

1. Introduction

Recent years have seen rapid growth in the area of machine learning. Neural networks, an idea that dates back decades, have been a driving force behind this rapid advancement. Their successes have been demonstrated in a wide set of domains, from classifying images

(Szegedy et al., 2016), to beating humans at Go (Silver et al., 2016), to NLP (Wu et al., 2016; Petrov, 2016), to self driving cars (Bojarski et al., 2016).

In this paper, we study neural networks applied to image classification. While neural networks are the most accurate machine learning approach known to date, they are against an adversary who attempts to fool the classifier (Biggio et al., 2013). That is, given a natural image , an adversary can easily produce a visually similar image that has a different classification. Such an instance is known as an adversarial example (Szegedy et al., 2014), and they have been shown to exist in nearly all domains that neural networks are used.

The research community has reacted to this observation in force, proposing many defenses that attempt to classify adversarial examples correctly (Gu and Rigazio, 2014; Jin et al., 2015; Papernot et al., 2016c; Zheng et al., 2016; Rozsa et al., 2016; Huang et al., 2015; Shaham et al., 2015; Bastani et al., 2016). Unfortunately, most of these defenses are not effective at classifying adversarial examples correctly.

Due to this difficulty, recent work has turned to attempting to detect them instead. We study ten detection schemes proposed in seven papers over the last year (Hendrik Metzen et al., 2017; Li and Li, 2016; Grosse et al., 2017; Hendrycks and Gimpel, 2017; Feinman et al., 2017; Bhagoji et al., 2017; Gong et al., 2017), and compare their efficacy with the other defenses in a consistent manner. With new attacks, we show that in every case the defense can be evaded by an adversary who targets that specific defense. On simple datasets, the attacks slightly increase the distortion required, but on more complex datasets, adversarial examples remain completely indistinguishable from the original images.

By studying these recent schemes that detect adversarial examples, we challenge the assumption that adversarial examples have intrinsic differences from natural images. We also use these experiments to obtain a better understanding of the space of adversarial examples.

We evaluate these defenses under three threat models. We first consider a generic attacks that don’t take any specific measures to fool any particular detector. We show six of the ten defenses are significantly less effective than believed under this threat model. Second, we introduce novel white-box attacks that break each defense when tailored to the given defense; five of the defenses provide no increase in robustness; three increase robustness only slightly; the final two increase effective only on simple datasets. Our attacks work by defining a special attacker-loss function that captures the requirement that the adversarial examples must fool the defense, and optimizing for this loss function. We discover that the specific loss function chosen is critical to effectively defeating the defense: choosing the immediately obvious loss function often results in the defense appearing significantly more robust than it actually is. Finally, we leverage the transferability (Szegedy et al., 2014) property to work even when the adversary does not have knowledge of the defense’s model parameters.

Our results further suggest that there is a need for better ways to evaluate potential defenses. We believe our approach would be a useful baseline: to be worth considering, a proposed defense should follow the approach used here as a first step towards arguing robustness.

The code to reproduce our results is available online at

We make the following contributions:

  • We find that many defenses are unable to detect adversarial examples, even when the attacker is oblivious to the specific defense used.

  • We break all existing detection methods in the white-box (and black-box) setting by showing how to pick good attacker-loss functions for each defense.

  • We draw conclusions about the space of adversarial examples, and offer a note of caution about evaluating solely on MNIST; it appears that MNIST has somewhat different security properties than CIFAR.

  • We provide recommendations for evaluating defenses.

2. Background

The remainder of this section contains a brief survey of the field of neural networks and adversarial machine learning. We encourage readers unfamiliar with this area to read the following papers (in this order):

(Szegedy et al., 2014), (Goodfellow et al., 2014), (Papernot et al., 2016a), and (Carlini and Wagner, 2017).

2.1. Notation


denote a neural network used for classification. The final layer in this network is a softmax activation, so that the output is a probability distribution where

represents the probability that object is labeled with class .

All neural networks we study are feed-forward networks consisting of multiple layers

taking as input the result of previous layers. The outputs of the final layer are known as logits; we represent them by

. Some layers involve the non-linear ReLU

(Nair and Hinton, 2010) activation. Thus the th layer computes

where is a matrix and

is a vector. Let

denote the output of the last layer (before the softmax), i.e., . Then the final output of the network is

When we write we mean the classification of on :

Along with the neural network, we are given a set of training instances with their corresponding labels .

2.2. Adversarial Examples

The security of machine learning is a well studied field: early work considered this problem mostly on linear classifiers (Dalvi et al., 2004; Lowd and Meek, 2005); later work more generally examined the security of machine learning (Barreno et al., 2006; Barreno et al., 2010) to both evasion and poising attacks.

More recently, Biggio et al. and Szegedy et al. (Biggio et al., 2013; Szegedy et al., 2014) demonstrated test-time evasion attacks on neural networks. They were able to produce visually similar images that had different labels assigned by the classifier.

We begin by defining an input to the classifier natural if it is an instance that was benignly created (e.g., all instances in the training set and testing set are natural instances). Then, given a network and a natural input so that we say that is an (untargeted) adversarial example if is close to and . A more restrictive case is where the adversary picks a target and seeks to find close to such that ; in this case we call a targeted adversarial example. We focus on targeted adversarial examples exclusively in this paper. When we say a neural network is robust we mean that it is difficult to find adversarial examples on it.

To define closeness, most attacks use an distance, defined as . Common choices of include: , a measure of the number of pixels changed (Papernot et al., 2016b); , the standard Euclidean norm (Szegedy et al., 2014; Carlini and Wagner, 2017; Moosavi-Dezfooli et al., 2016); or , a measure of the maximum absolute change to any pixel (Goodfellow et al., 2014). If the total distortion under any of these three distance metrics is small, the images will likely appear visually similar. We quantitatively measure the robustness of a defense in this paper by measuring the distance to the nearest adversarial example under the metric.

One further property of adversarial examples we will make use of is the transferability property (Szegedy et al., 2014; Goodfellow et al., 2014). It is often the case that, when given two models and , an adversarial example on will also be an adversarial example on , even if they are trained in completely different manners, on completely different training sets.

There has been a significant amount of work studying methods to construct adversarial examples (Szegedy et al., 2014; Biggio et al., 2013; Goodfellow et al., 2014; Papernot et al., 2016b; Moosavi-Dezfooli et al., 2016; Carlini and Wagner, 2017) and to make networks robust against adversarial examples (Gu and Rigazio, 2014; Jin et al., 2015; Papernot et al., 2016c; Zheng et al., 2016; Rozsa et al., 2016; Huang et al., 2015; Shaham et al., 2015; Bastani et al., 2016). To date, no defenses has been able to classify adversarial examples correctly.

Given this difficulty in correctly classifying adversarial examples, recent defenses have instead turned to detecting adversarial examples and reject them. We study these defenses in this paper (Hendrik Metzen et al., 2017; Gong et al., 2017; Grosse et al., 2017; Feinman et al., 2017; Li and Li, 2016; Bhagoji et al., 2017; Hendrycks and Gimpel, 2017).

2.3. Threat Model

As done in Biggio et al. (Biggio et al., 2013), we consider three different threat models in this paper:

  1. An Zero-Knowledge Adversary generates adversarial examples on the unsecured model and is not aware that the detector is in place. The detector is successful if it can detect these adversarial examples.

  2. A Perfect-Knowledge Adversary is aware the neural network is being secured with a given detection scheme , knows the model parameters used by , and can use these to attempt to evade both the original network and the detector simultaneously.

  3. A Limited-Knowledge Adversary is aware the neural network is being secured with a given detection scheme, knows how it was trained, but does not have access to the trained detector (or the exact training data).

We evaluate each defense under these three threat models. We discuss our evaluation technique in Section 2.7.

2.4. Datasets

In this paper we consider two datasets used throughout the existing work in this field.

The MNIST dataset (LeCun et al., 1998) consists of greyscale images of handwritten digits from 0 to 9. Our standard convolutional network achieves accuracy on this dataset.

The CIFAR-10 dataset (Krizhevsky and Hinton, 2009) consists of color images of ten different objects (e.g., truck, airplane, etc). This dataset is substantially more difficult: the state of the art approaches achieve accuracy (Springenberg et al., 2015). For comparison with prior work, we use the ResNet (He et al., 2016) architecture from Metzen et al. (Hendrik Metzen et al., 2017) trained in the same manner. This model achieves a accuracy.

The first row of Figure 1 shows natural examples drawn from the test set of these datasets.

2.5. Defenses

In order to better understand what properties are intrinsic of adversarial examples and what properties are only artificially true because of existing attack techniques, we choose the first seven papers released that construct defenses to detect adversarial examples.

Three of the defenses (Grosse et al., 2017; Gong et al., 2017; Hendrik Metzen et al., 2017) use a second neural network to classify images as natural or adversarial. Three use PCA to detect statistical properties of the images or network paramaters (Li and Li, 2016; Hendrycks and Gimpel, 2017; Bhagoji et al., 2017). Two perform other statistical tests (Grosse et al., 2017; Feinman et al., 2017), and the final two perform input-normalization with randomization and blurring (Feinman et al., 2017; Li and Li, 2016).

Reference Unsecured Grosse §3.1 Gong §3.1 Metzen §3.2 Hendrycks §4.1 Bhagoji §4.2 Li §4.3 Grosse §5.1 Feinman §5.2 Feinman §6.1 Li §6.2
Figure 1. Summary of Results: adversarial examples on the MNIST and CIFAR datasets for each defense we study. The first row corresponds to the original images.

We summarize our results in Figure 1. Some defenses can slightly increase distortion required for MNIST digits. However, no defense makes CIFAR adversarial examples visually distinguishable from the original image. We generate adversarial examples as described below.

2.6. Generating Adversarial Examples

We use the attack algorithm of Carlini and Wagner (Carlini and Wagner, 2017) to generate targeted adversarial examples, as it is superior to other published attacks. At a high level it is an iterative attack as done in the initial work on constructing adversarial examples (Biggio et al., 2013; Szegedy et al., 2016). Given a neural network with logits , the attack uses gradient descent to solve

where the loss function is defined as

We now give some intuition behind this loss function. The difference is used to compare the target class with the next-most-likely class. However, this is minimized when the target class is significantly more likely than the second most likely class, which is not a property we want. This is fixed by taking the maximum of this quantity with , which controls the confidence of the adversarial examples. When , the adversarial examples are called low-confidence adversarial examples and are only just classified as the target class. As increases, the model classifies the adversarial example as increasingly more likely, we call these high-confidence adversarial examples.

The constant is chosen via binary search. If is too small, the distance function dominates and the optimal solution will not have a different label. If is too large, the objective term dominates and the adversarial example will not be nearby.

Of critical importance is that the loss function operates over the logits , and not the probabilities . As described in (Carlini and Wagner, 2017), the optimal choice of the constant ; therefore, if were used instead of , no “good” constant would exist since varies by several orders of magnitude (and usually only by one). When constructing attacks in later sections, we often choose new loss functions that also do not vary in their magnitude.

Aside from C&W’s attack, the Fast Gradient Sign attack (Goodfellow et al., 2014) and JSMA (Papernot et al., 2016b) are two attacks used by some defenses for evaluation. These attacks are weaker than C&W’s attack and we do not use them for evaluation (Carlini and Wagner, 2017).

2.7. Attack Approach

In order to evaluate the robustness of each of the above defenses, we take three approaches to target each of the three threat models introduced earlier.

Evaluate with a strong attack (Zero-Knowledge):

In this step we generate adversarial examples with C&W’s attack and check whether the defense can detect this strong attack. This evaluation approach has the weakest threat model (the attacker is not even aware the defense is in place), so any defense should trivially be able to detect this attack. Failing this test implies that the second two tests will also fail.

Perform an adaptive, white-box attack (Perfect-Knowledge):

The most powerful threat model, we assume here the adversary has access to the detector and can mount an adaptive attack. To perform this attack, we construct a new loss function, and generate adversarial examples that both fool the classifier and also evade the detector.

The most difficult step in this attack is to construct a loss function that can be used to generate adversarial examples. In some cases, such a loss function might not be readily available. In other cases, one may exist, but it may not be well-suited to performing gradient descent over. It is of critical importance to choose a good loss function, and we describe how to construct such a loss function for each attack.

Construct a black-box attack (Limited-Knowledge):

This attack is the most difficult for the adversary. We assume the adversary knows what type of defense is in place but does not know the detector’s paramaters. This evaluation is only interesting if (a) the zero-knowledge attack failed to generate adversarial examples, and (b) the perfect-knowledge attack succeeded. If the strong attack alone succeeded, when the adversary was not aware of the defense, they could mount the same attack in this black-box case. Conversely, if the white-box attack failed, then a black-box attack will also fail (since the threat model is strictly harder).

In order to mount this attack, we rely on the transferability property: the attacker trains a substitute model in the same way as the original model, but on a separate training set (of similar size, and quality). The attacker can access substitute model’s parameters, and performs a white-box attack on the substitute model. Finally, we evaluate whether these adversarial examples transfer to the original model.

When the classifier and detector are separate models, we assume the adversary has access to the classifier but not the detector (we are analyzing the increase in security by using the detector).

If the detector and classifier are not separable (i.e., the classifier is trained to also act as a detector), then to perform a fair evaluation, we compare the adversarial examples generated with black-box access to the (unsecured) classifier to adversarial examples generated with only black-box access to both the classifier and detector.

3. Secondary Classification Based Detection

We now turn to evaluating the ten defenses. The first category of detection schemes we study build a second classifier which attempts to detect adversarial examples. Three of the approaches take this direction.

For the remainder of this subsection, define to be the classification network and to be the detection network. is defined as in Section 2.1 outputting a probability distribution over the 10 classes, and represent the logits of the likelihood the instance is adversarial. That is, represents the probability the instance is adversarial.

3.1. Adversarial Retraining

Grosse et al. (Grosse et al., 2017) propose a variant on adversarial re-training. Instead of attempting to classify the adversarial examples correctly (by adding adversarial examples to the training set, with their correct labels), they introduce a new st class — solely for adversarial examples — and train the network to detect adversarial examples. Specifically, they propose the following procedure:

  1. Train a model on the training data .

  2. Generate adversarial examples on model for each . Call these examples .

  3. Let where is the new label for adversarial examples.

  4. Train a model on the training data .

Gong et al. (Gong et al., 2017) construct a very similar defense technique. Instead of re-training the model completely, they construct a binary classifier that simply learns to partitions the instances from by training on the training set

We re-implement these two defenses and find that adversarial retraining is able to detect adversarial examples when generated with the fast gradient sign and JSMA attacks with near- accuracy.

Zero-Knowledge Attack Evaluation.

We train these two schemes on the entire MNIST training set, using C&W’s attack to generate adversarial examples. In this way we construct a model and .

We then construct adversarial examples for from each image in the test set using C&W’s attack. Both approaches detect these previously unseen test adversarial examples. Grosse et al. detects of attacks as adversarial. Further, it classifies half of the remaining correctly. Gong et al. achieve accuracy in detecting adversarial examples.

Investigating further, we find that even if we train on adversarial examples generated using an untargeted attack, both schemes can detect targeted adversarial examples.

Neither of these defenses claim robustness against CIFAR, however when we perform this evaluation, we find to achieve a detection rate requires a false positive rate. This alone can be seen as a failure of these approaches on CIFAR.

Perfect-Knowledge Attack Evaluation.

Next, we evaluate these defenses assuming the adversary is aware of these defenses and parameters. That is, we directly attack the defended model. Our experiments revealed that these defenses are ineffective and add almost no increase in robustness.

For Grosse’s defense, we use C&W’s attack on to generate adversarial examples; it succeeds 100% of the time. We computed the mean -distance from the original sample to the adversarial example. Adversarial examples against are at average distance of from the original sample; adversarial examples against have an average distance of . Thus the defense has not reduced the success rate at generating adversarial examples, and has only increased the mean distortion by 10%.

Gong’s defense does not fare any better. To help construct adversarial examples that will simultaneously fool and , we define a new function that represents the combination of the classifier (with logits ) and detector (with logits ). In particular, we define

Effectively, acts as a classifier on classes. It is constructed to have two useful properties: if (i.e., if the detector classifies as malicious) then we will have

(where is the new adversarial class), and if (i.e., if the detector classifies as natural) then we will have

Why did we choose this particular function ?

Recall from earlier that when using a gradient-descent based attack algorithm, there is a constant in the loss function that trades off the relative importance of reducing the distance from the natural instance vs. classifying the input as the target class. If the value of the loss function changes by several orders of magnitude, no value of will be optimal and adversarial examples will be very hard to find. Therefore, we construct so that it is mostly linear.

Now we treat this function as if it were a neural network, and feed it directly into C&W’s attack algorithm instead of the function . It is easy to see that if an instance is classified by as label then both and the detector classifies as natural (non-adversarial). This approach successfully generates adversarial examples against Gong’s defense with 100% success. The mean distortion of these adversarial examples is , an improvement of about over the unprotected scheme.

We therefore conclude neither of these schemes are effective on MNIST. While adversarial examples are detectable with neural networks when not attempting to be evasive, it is possible to construct evasive adversarial examples.

On CIFAR, the above attacks work in an identical manner and give very similar results: the distortion is increased less than .

Limited-Knowledge Attack Evaluation.

For brevity, we only describe the attack on Grosse’s scheme (Gong’s results are identical). We generate transferable adversarial examples as described above. Instead of training one model on the complete training set, we split the training set in half. We assume the first half is known to the attacker and the second half is used by the defender to train their network. Thus, we construct two models and each trained on half of the training data. We treat as the defender’s model (the target model for which we want to produce adversarial examples) and give the attacker white-box access to all parameters of model . Then we apply the C&W attack to each instance in the test set to generate adversarial examples for , and we test whether they fool .

As a baseline, we applied this procedure to the unsecured model. The attack succeeded of the time, with a mean distortion of . Then, we generated two secured models and implementing Grosse’s defense, and applied the same attack. We observed a success rate, with a mean distortion of , which is only higher than the baseline. Therefore, we conclude that Grosse’s defense is ineffective and can be attacked even by an attacker who does not the exact model parameters of the secured model.

3.2. Examining Convolutional Layers

In contrast to the prior approach, which attempts to detect adversarial examples based on the contents of the image itself, Metzen et al. (Hendrik Metzen et al., 2017) detect adversarial examples by looking at the inner convolutional layers of the network. They augment the classification neural network with a detection neural network that takes its input from various intermediate layers of the classification network. This detection network is trained identically to Gong’s defense above. We refer interested readers to the original paper for complete details on the detector setup (Hendrik Metzen et al., 2017). This defense only argues robustness against CIFAR, since it looks at the inner layers of a ResNet (which are not usually used for MNIST).

We then train the detector by attaching it to the output of the first residual block as done in (Hendrik Metzen et al., 2017). We confirmed that their detector is able to detect adversarial examples with probability on simple attacks (fast gradient sign or JSMA).

Zero-Knowledge Attack Evaluation.

We found training the detector to be very difficult and highly sensitive; we experimented with different optimizers, hyper-parameters, and initializers to reduce the effect of this.

For evaluation, we generate adversarial examples for each instance in the test set, using the C&W attack. The best detector we were able to train correctly obtains an true positive rate at false positive rate. This is in stark contrast to the success at detecting simpler attacks, which highlights that weak attacks give a biased view of defense robustness.

Similar to the prior defense (that also had a high false positive rate), this defense is unable to perform well even when the adversary is not attempting to evade it.

Perfect-Knowledge Attack Evaluation.

Our white-box attack completely defeats Metzen’s defense: it is able to produce adversarial examples that simultaneously are mis-classified by the original network and evade the detector. We generate adversarial examples using C&W’s attack applied to the same function defined in Section 3.1. The mean distance to adversarial examples increases from distortion on the unsecured model to on the secured scheme, an improvement of . However, in absolute terms, the adversarial examples generated are still indistinguishable from the original inputs.

Limited-Knowledge Attack Evaluation.

To investigate if this defense is robust to attacks in a black-box setting, we perform a standard transferability test as done above. We split the training data in half, and train two detector models, one on each half of the training data. Then, we attack the second detector given only white-box access to the first detector.

On MNIST, we found that even low-confidence adversarial examples transfer of the time between the two detectors when the classifier network is known by the adversary. By using high-confidence adversarial examples, the attack success rate can be increased to at the cost of increasing the mean distortion by a further , which is small enough that adversarial examples remain indistinguishable from the original images.

4. Principal Component Analysis Detection

Principal Component Analysis (PCA) transforms a set of points in a -dimensional space to a new set of points in a -dimensional space (

) through a linear transformation. We assume the reader is familiar with PCA for the remainder of this section.

4.1. Input Image PCA

Hendrycks & Gimpel (Hendrycks and Gimpel, 2017) use PCA to detect natural images from adversarial examples, finding that adversarial examples place a higher weight on the larger principal components than natural images (and lower weight on the earlier principal components).

Zero-Knowledge Attack Evaluation.

We first reproduce their results by running PCA on MNIST. To see if adversarial examples really do use larger principal components more often, we compute how much each component is used. Let be the training set instances. We define the score of the th PCA component as

We train a classification network on the training set and compute the component scores . Then, for each image in the test set, we find the nearest adversarial example with C&W’s attack and we compute the component scores on these adversarial examples. The results are plotted in Figure 2.

Figure 2. PCA on the MNIST dataset reveals a difference between natural images and adversarial images, however this is caused by an artifact of MNIST: border pixels on natural images are often 0 but slightly-positive on adversarial examples.

Our results agree with Hendrycks et. al (Hendrycks and Gimpel, 2017): there is no difference on the first principal components, but there is a substantial difference between natural and adversarial instances on the later components. On the MNIST data set, their defense does detect zero-knowledge attacks, if the attacker does not attempt to defeat the defense.

Looking Deeper.

At first glance, this might lead us to believe that PCA is a powerful and effective method for detecting adversarial examples. However, whenever there are large abnormalities in the data, one must be careful to understand their cause.

In this case, the reason for the difference is that there are pixels on the MNIST dataset that are almost always set to 0. Since the MNIST dataset is constructed by taking 24x24 images and centering them (by center-of-mass) on a 28x28 grid, the majority of the pixels on the boundary of natural images are zero. Because these border pixels are essentially always zero for natural instances, the last principal components are heavily concentrated on these border pixels. This explains why the last 74 principal components ( of the components) contribute less than

of the variance on the training set.

In short, the detected difference between the natural and adversarial examples is because the border pixels are nearly always zero for natural MNIST instances, whereas typical adversarial examples have non-zero values on the border. While adversarial examples are different from natural images on MNIST in this way, this is not an intrinsic property of adversarial examples; it is instead due to an artifact of the MNIST dataset. When we perform the above evaluation on CIFAR, there is no detectable difference between adversarial examples and natural data. As a result, the Hendrycks defense is not effective for CIFAR — it is specific to MNIST. Also, this deeper understanding of why the defense works on MNIST suggests that adaptive attacks might be able to avoid detection by simply leaving those pixels unchanged.

Perfect-Knowledge Attack Evaluation.

We found that the Hendrycks defense can be broken by a white-box attacker with knowledge of the defense. Details are deferred to Section 4.2, where we break a strictly stronger defense. In particular, we found in our experiments that we can generate adversarial examples that are restricted to change only the first principal components (i.e., leave all later components unchanged), and these adversarial examples that are not detected by the Hendrycks defense.

4.2. Dimensionality Reduction

Bhagoji et al. (Bhagoji et al., 2017) propose a defense based on dimensionality reduction: instead of training a classifier on the original training data, they reduce the -dimensional input (e.g., 784 for MNIST) to a much smaller -dimensional input (e.g., 20) and train a classifier on this smaller input. The classifier uses a fully-connected neural network: PCA loses spatial locality, so a convolutional network cannot be used (we therefore consider only MNIST).

This defense restricts the attacker so they can only manipulate the first components: the classifier ignores other components. If adversarial examples rely on the last principal components (as hypothesized), then restricting the attack to only the first principal components should dramatically increase the required distortion to produce an adversarial example. We test this prediction empirically.

We reimplement their algorithm with their same model (a fully-connected network with two hidden layers of 100 units). We train 26 models with different values of , ranging from 9 to 784 dimensions. Models with fewer than 25 dimensions have lower accuracy; all models with more than 25 dimensions have or higher accuracy.

Figure 3. Performing dimensionality reduction increases the robustness of a 100-100-10 fully-connected neural network, but is still less secure than just using an unsecured CNN (the baseline). Dimensionality reduction does not help on a network that is already convolutional.

Perfect-Knowledge Attack Evaluation.

We evaluate Bhagoji’s defense by constructing targeted attacks against all 26 models we trained. We show the mean distortion for each model in Figure 3. The most difficult model to attack uses only the first 25 principal components; it is nearly more robust than the model that keeps all 784 principal components.

However, crucially, we find that even the model that keeps the first 25 principal components is less

robust than almost any standard, unsecured convolutional neural network; an unprotected network achieves both higher accuracy (

accuracy) and better robustness to adversarial examples (measured by the mean distortion). In summary, Bhagoji’s defense is not secure against white-box attacks.

Looking Deeper.

Next, we show that this result is not an artifact of the network architecture — it is not caused just because fully-connected network are less robust than convolutional networks. We study a second algorithm that Bhagoji et al. present but did not end up using, which combines PCA with a convolutional neural network architecture. This allows us to perform an experiment where the network architecture is held fixed, and the only change is whether dimensionality reduction is used or not. In particular, instead of using the first principal components as features for a fully-connected network, they use PCA to map each image into the reduced-dimensionality PCA space, and then immediately map it back to the image space. This effectively projects the image into a reduced-dimension manifold. They train a convolutional classifier on the projected images. This classifier achieves a higher accuracy ( when using at least 25 dimensions).

In our experiments we found that this approach is no more robust than an unsecured convolutional network (applied to the original image), despite only using a limited number of the principal components. We conclude that defenses based on limiting the adversary to only the first principal components are not effective. It follows that Hendrycks et. al’s defense is broken as well, as the adversarial images generated in this way change only the first components and leave all later components unchanged.

4.3. Hidden Layer PCA

Li et al. (Li and Li, 2016) apply PCA to the values after inner convolutional layers of the neural network, and use a cascade classifier to detect adversarial examples. Specifically, they propose building a cascade classifier that accepts the input as natural only if all classifiers accept the input, but rejects it if any do. Each classifier a linear SVM that acts on the PCA of the th convolutional layer of the network.

They evaluate their scheme on ImageNet. In the remainder of this section we demonstrate their defense is not effective on MNIST and CIFAR; others have shown that attacking an ImageNet classifier would be even easier

(Carlini and Wagner, 2017; Moosavi-Dezfooli et al., 2016).

Zero-Knowledge Attack Evaluation.

Li et al. generated adversarial examples with Szegedy et. al’s L-BFGS algorithm (Szegedy et al., 2014) and found that the first linear SVM achieved true positive rate at false positive rate – an ideal use-case for a cascade classifier. We evaluated the effectiveness of their method at detecting adversarial examples generated with C&W’s attack (when trained on adversarial examples generated with the C&W attack). For MNIST, their scheme only achieves a true positive rate at a false positive rate (and at on CIFAR) on the first layer of the cascade classifier. This results causes the cascade classifiers to have a and false positive rates on MNIST/CIFAR. We conclude that Li’s defense is not effective against the C&W attack.

5. Distributional Detection

Next, we study two defenses that detect adversarial examples by comparing the distribution of natural images to the distribution of adversarial examples. They use classical statistical methods to distinguish natural images from adversarial images.

5.1. Maximum Mean Discrepancy

Grosse et al. (Grosse et al., 2017) consider a very powerful threat model: assume we are given two sets of images and , such that we know contains only natural images, and we know that contains either all adversarial examples, or all natural images. They ask the question: can we determine which of these two situations is the case?

To achieve this, they use the Maximum Mean Discrepancy (MMD) test (Borgwardt et al., 2006; Gretton et al., 2012)

, a statistical hypothesis test that answers the question “are these two sets drawn from the same underlying distribution?”

The MMD is a theoretically useful technique that can be formally shown to always detect a difference if one occurs. However, it is computationally infeasible to compute, so a simple polynomial-time approximation is almost always used. In our experiments, we use the same approximation used by Grosse et al. (Gretton et al., 2012).

To test whether and are drawn from the same distribution, Grosse et al. use Fisher’s permutation test (Odén and Wedel, 1975)

with the MMD test statistic. To do this, initially let

. Then, shuffle the elements of and into two new sets and , and let . If

then reject the null hypothesis, and conclude they are drawn from different distributions. Repeat this process many times, and repor the p-value as the fraction of times the null hypothesis is rejected.

As a first step, we verified that MMD correctly detects natural instances as being natural. To do this, we assign and to be random samples from the test set. The procedure above correctly fails to reject the null hypothesis () in distinguishing the two distributions.

Zero-Knowledge Attack Evaluation.

We repeated this experiment, this time producing targeted adversarial examples with C&W’s attack algorithm. Even when using a set of images, MMD fails to reject the null hypothesis (). MMD also fails to detect attacks on CIFAR, even with a set size as large as (which uses every sample in the test set). Since MMD is one of the most powerful multidimensional statistical tests, and even it is not effective, we argue that without significant modification, statistical tests will not be able to detect adversarial examples.

5.2. Kernel Density Estimation

Feinman et al. (Feinman et al., 2017) present a defense they call kernel density estimation

. They use a Gaussian Mixture Model to model outputs from the final hidden layer of a neural network, and argue that adversarial examples belong to a different distribution than that of natural images.

Specifically, given an instance classified as label , kernel density estimation estimates the likelihood of as

where is the set of training instances with label and is the output of the final hidden layer on input . The detector is therefore constructed by selecting a threshold and reporting as adversarial if , otherwise reporting as natural.

The motivation behind this approach is that the later hidden layers of a neural network have been shown to capture high-level semantic information about the input. Therefore, using a simple classifier on this final layer will be more accurate than if it were applied to the original input images, as the prior defense did.

Zero-Knowledge Attack Evaluation.

Feinman’s defense is able to detect C&W adversarial examples on MNIST, but not on CIFAR. Looking deeper, on CIFAR, for each image in the test set and closest adversarial example , we compare to . Surprisingly, we find that of the time, the adversarial example has a higher likelihood score than the original image.Therefore, Feinman’s defense cannot work on CIFAR. In the remainder of this section, we show how to break this defense on MNIST with increased distortion.

Perfect-Knowledge Attack Evaluation.

To mount a white-box attack, we construct a new minimization formulation that differs from the original only in that we introduce a new loss term that penalizes being detected by the detector:

where we define

where controls the likelihood measure of the adversarial examples. In our attack, we set to the median of on the training set, so that if and only if is greater than half of the training instances KDE.

In practice, we mount this attack in two phases. First, we solve the original C&W minimization formulation to obtain an adversarial example . Typically will be detected by the detector, so in the second phase we modify it to no longer be detected: we use this as the initial value of in the above optimization problem and use gradient descent to improve it. Performing this two-step optimization is useful to allow for different constants chosen for initially generating an adversarial example and for making it not detected.

This approach is effective at generating adversarial examples for MNIST that are not detected by Feinman’s defense. The mean distortion is , up from on an unsecured network. In order to implement this attack more efficiently, instead of computing the KDE across all training instances during the inner optimization loop, we randomly sample instances ( of the total) at first and use only those. A distortion of begins to allow humans to notice the adversarial nature of these images (Figure 1).

We believe the reason this defense is so much more effective on MNIST than on CIFAR because this defense is effectively a K-nearest-neighbor classifier with a neural network feature extractor. In fact, prior work has shown that using an RBF kernel SVM (essentially identical to what is done here) is effective at defending MNIST to adversarial examples.

Limited-Knowledge Attack Evaluation.

Again we only demonstrate the vulnerability on MNIST: the defense does not work on CIFAR. Note that our white-box attack algorithm didn’t use the entire training set; it uses only a random sample of 100 instances from the training set (less than of the training instances). This hints that black-box attacks might succeed. This is indeed the case: we found that when the defender uses the first of the training data, and the last of the training data is left for the adversary (who uses it to form their own KDE estimator), the attack still succeeds with equal distortion.

6. Normalization Detection

6.1. Dropout Randomization

Feinman et al. propose a second detection method called Bayesian neural network uncertainty that measures the uncertainty of the neural network on the given input. Instead of relying on the reported confidence of the network (which can easily be controlled by an adversary), they add randomization to the network. The hope is that a natural image will have the same (correct) label regardless of the random values chosen, while adversarial examples won’t always be predicted with the same label. Dropout (Srivastava et al., 2014) is used as the method of adding randomness.

To determine the uncertainty of the network on a given instance, we apply the randomized network (with dropout enabled) to the input times. Then, the uncertainty is defined as

where we take to mean (the squared norm). Notice that if the predictions are the same every time, the uncertainty is . In other words, the uncertainty is the sum of the variances of each component of the output, computed over the outputs from the randomized network.

To classify an input as adversarial or natural, we pick a threshold and a number of times to evaluate the network and compute . We have found the algorithm is not sensitive to the choice of as long as it is greater than 20 (and we pick for the remainder of this section). We return “adversarial” if and “natural” otherwise.

When we run this detection scheme on the adversarial examples generated by the FGS and JSMA attack algorithms on MNIST, it detects of adversarial examples with a false positive rate lower than when .

Zero-Knowledge Attack Evaluation.

We generated adversarial examples with C&W’s attack and find of these adversarial examples are detected by this defense on MNIST. Surprisingly, this defense is even more effective at detecting attacks on CIFAR: it detects of C&W adversarial examples.

Perfect-Knowledge Attack Evaluation.

Our white-box attacks work by defining an objective function that combines the model and detector. In an initial attempt, we follow the approach taken to break the prior detection schemes, let

(where is the new adversarial class). This objective function is defined so that if (i.e., is classified as adversarial by Feinman’s defense) then we will have

and if (i.e., is classified as natural) then

We then attempt to generated adversarial examples by applying C&W’s attack to . However, this attack fails: the defense is still able to detect of adversarial examples.

Looking Deeper.

We investigate why this attack failed. Because values of the function are computed by calling (and not ), there is no good constant that C&W’s algorithm can select. This causes gradient descent to perform poorly and rarely returns successful adversarial examples.

Therefore, for this defense, we abandon the approach of constructing a single function to optimize over and instead change the loss function used by the attack. Recall that the typical loss function used (for a given network ) is

If every prediction of the randomized network produced a very similar result, the uncertainty value would be very small.

We sample different deterministic networks each with different randomness used during dropout. If we were able to have for every network , for big enough, it would be highly likely that would always produce label for any randomness. Thus, we construct a new loss function as the average of the loss functions on each fixed model . Then we use C&W’s attack with this revised loss function.

This approach successfully generates adversarial examples that fool the dropout defense with success. On MNIST, the mean distortion is , up from the baseline of . This is the largest distortion required by any of the defenses we have evaluated; the distortion here is nearing the levels of human perceptibility (Figure 1). On CIFAR the distortion required again increases to , a factor of larger, but is still entirely imperceptible (Figure 1).

Limited-Knowledge Attack Evaluation.

It turns out that adversarial examples generated with the white-box approach transfer with high probability across models. This is due to the fact that our white-box attack assumes we do not know the exact randomization settings, and therefore construct adversarial examples that are effective regardless of randomization. This is similar to the black-box threat model, where the adversary does not have access to the model parameters.

However, to improve the rate of transferability, we again construct two models and on different subsets of the training data. We provide the adversary access to the parameters of and use the white-box attack above to generate adversarial examples for ; we then test whether they fool .

On MNIST, we find that adversarial examples generated with our algorithm transfer to with success. We can increase the transfer rate to at the cost of increasing the mean distortion only , to . While this increase may seem like a failure of this defense under the black-box threat model, we see this instead as a success of defense under the white-box threat model. It has made constructing adaptive white-box attacks nearly as hard as constructing black-box attacks.

In fact, we find that this is the reason why the CIFAR network has such a larger increase in distortion: to obtain transferable cifar adversarial examples requires a distortion of approximately larger than non-transferable attacks. We consider this the only defense we evaluate that is not completely broken (even though we still can generate adversarial examples that are imperceptible on CIFAR).

6.2. Mean Blur

The second detection method proposed by Li et al. applies a average filter to blur the image before applying the classifier. The authors admit this defense is “overly simplistic” but still argue it is effective at alleviating adversarial examples. We confirm this simple defense can remove adversarial examples generated with fast gradient sign, as they found in their paper.

Zero-Knowledge Attack Evaluation.

When we use C&W’s attack, we find that this defense effectively removes low-confidence adversarial examples: of adversarial examples (at a mean distortion of ) are no longer classified incorrectly.

This attack can even partially alleviate high-confidence adversarial examples. To ensure they remain adversarial after blurring, we must increase the distortion by a factor of .

Perfect-Knowledge Attack Evaluation.

Observe that taking the mean over every region on the image is the same as adding another convolutional layer to the beginning of the neural network with one output channel that performs this calculation. Given the network , we define and apply C&W’s attack against . When we do so, we find that the mean distance to adversarial examples does not increase. Therefore, blurring is not an effective defense.

7. Lessons

7.1. Properties of adversarial examples

After examining these ten defenses, we now draw conclusions about the nature of the space of adversarial examples and the ability to detect them with different approaches.

Randomization can increase required distortion.

By far the most effective defense technique, dropout randomization, made generating adversarial examples nearly five times more difficult on CIFAR. In particular, it makes generating adversarial examples on the network as difficult as generating transferable adversarial examples, a task known to be harder (Papernot et al., 2016a). Additionally, if it were possible to find a way to eliminate transferability, a randomization-based defense may be able to detect adversarial examples. At this time, we believe this is the most promising direction of future work.

MNIST properties may not hold on CIFAR

Most defenses that increased the distortion on MNIST had a significantly lower distortion increase on CIFAR. In particular, kernel density estimation, the most effective defense on MNIST, was completely ineffective on CIFAR.

Detection neural networks can be bypassed.

Across all of the defenses we evaluate, the least effective schemes used another neural network (or more neural network layers) to attempt to identify adversarial examples. Given that adversarial examples can fool a single classifier, it makes sense that adversarial examples can fool a classifier and detector.

Operating on raw pixel values is ineffective.

Defenses that operated directly on the pixel values were too simple to succeed. On MNIST, these defenses provided reasonable robustness against weak attacks; however when evaluating on stronger attacks, these defenses all failed. This should not be surprising: the reason neural networks are used is that they are able to extract deep and meaningful features from the input data. A simple linear detector is not effective at classification when operating on raw pixel values, so it should not be surprising it does not work at detecting adversarial examples. (This can be seen especially well on CIFAR, where even weak attacks often succeed against defenses that operate on the input pixel space.)

7.2. Recommendations for Defenses

We have several recommendations for how researchers proposing new defenses can better evaluate their proposals. Many of these recommendations may appear to be obvious, however most of the papers we evaluate do not follow any.

Evaluate using a strong attack.

Evaluate proposed defenses using the strongest attacks known. Do not use fast gradient sign or JSMA exclusively: most defenses that detect these attacks fail against stronger attacks. In particular, Fast gradient sign was not even designed to produce high-quality attacks: it was created to demonstrate neural networks are highly linear. Using these algorithms as a first test is reasonable first step, but is not sufficient. We recommend new schemes evaluate against strong iterative attacks.

Demonstrate white-box attacks fail.

It is not sufficient to show that a defense can detect adversarial examples: one must also show that a adversary aware of the defense can not generate attacks that evade detection. We show how to perform that kind of evaluation: construct a differentiable function that is minimized when the image fools the classifier and is treated as natural by the detector, and apply a strong iterative attack (e.g., C&W’s attack) to this function.

Report false positive and true positive rates.

When constructing a detection-based defense, it is not enough to report the accuracy of the detector. A accuracy can either be very useful (e.g., if it achieves a high true-positive rate at a false-positive rate) or entirely useless (e.g., if it detects most adversarial images as adversarial at the cost of many natural images as adversarial). Instead, report both the false positive and true positive rates. To allow for comparisons with other work, we suggest reporting at least the true positive rate at false positive rate; showing a ROC curve would be even better.

Evaluate on more than MNIST

We have found that defenses that only evaluated on the MNIST dataset typically either (a) were unable to produce an accurate classifier on CIFAR, (b) were entirely useless on CIFAR and were not able to detect even the fast gradient sign attack, or (c) were even weaker against attack on CIFAR than the other defenses we evaluated. Future schemes need to be evaluated on multiple data sets — evaluating their security solely on MNIST is not sufficient. While we have found CIFAR to be a reasonable task for evaluating security, in the future as defenses improve it may become necessary to evaluate on harder datasets (such as ImageNet (Deng et al., 2009)).

Release source code.

In order to allow others to build on their work, authors should release the source code of their defenses. Not releasing source code only sets back the research community and hinders future security analysis. Seven of the ten we evaluate did not release their code (even after contacting the authors), requiring us to reimplement the defenses before evaluation.

8. Conclusion

Unlike standard machine-learning tasks, where achieving a higher accuracy on a single benchmark is in itself a useful and interesting result, this is not sufficient for secure machine learning. We must consider how an attacker might react to any proposed defense, and evaluate whether the defense remains secure against an attacker who knows how the defense works.

In this paper we evaluate ten proposed defenses and demonstrate that none of them are able to withstand a white-box attack. We do this by constructing defense-specific loss functions that we minimize with a strong iterative attack algorithm. With these attacks, on CIFAR an adversary can create imperceptible adversarial examples for each defense.

By studying these ten defenses, we have drawn two lessons: existing defenses lack thorough security evaluations, and adversarial examples are much more difficult to detect than previously recognized. We hope that our work will help raise the bar for evaluation of proposed defenses and perhaps help others to construct more effective defenses. Further, our evaluations of these defenses expand on what is believed to be possible with constructing adversarial examples: we have shown that, so far, there are no known intrinsic properties that differentiate adversarial examples from regular images. We believe that constructing defenses to adversarial examples is an important challenge that must be overcome before these networks are used in potentially security-critical domains, and hope our work can bring us closer towards this goal.

9. Acknowledgements

We would like to thank Kathrin Grosse, Reuben Feinman, Fuxin Li, and Metzen Jan Hendrik for discussing their defenses with us, along with the anonymous reviewers for their feedback. This work was supported by the AFOSR under MURI award FA9550-12-1-0040, Intel through the ISTC for Secure Computing, the Hewlett Foundation through the Center for Long-Term Cybersecurity, and Qualcomm.