Deep neural networks (DNNs) achieve state-of-the-art performance in various tasks in machine learning and artificial intelligence, such as image classification, speech recognition, machine translation and game-playing. Despite their effectiveness, recent studies have illustrated the vulnerability of DNNs to adversarial examples [Szegedy et al.2013, Goodfellow, Shlens, and Szegedy2015]. For instance, a carefully designed perturbation to an image can lead a well-trained DNN to misclassify. Even worse, effective adversarial examples can also be made virtually indistinguishable to human perception. For example, Figure 1 shows three adversarial examples of an ostrich image crafted by our algorithm, which are classified as “safe”, “shoe shop” and “vacuum” by the Inception-v3 model [Szegedy et al.2016], a state-of-the-art image classification model.
The lack of robustness exhibited by DNNs to adversarial examples has raised serious concerns for security-critical applications, including traffic sign identification and malware detection, among others. Moreover, moving beyond the digital space, researchers have shown that these adversarial examples are still effective in the physical world at fooling DNNs [Kurakin, Goodfellow, and Bengio2016a, Evtimov et al.2017]. Due to the robustness and security implications, the means of crafting adversarial examples are called attacks to DNNs. In particular, targeted attacks aim to craft adversarial examples that are misclassified as specific target classes, and untargeted attacks aim to craft adversarial examples that are not classified as the original class. Transfer attacks aim to craft adversarial examples that are transferable from one DNN model to another. In addition to evaluating the robustness of DNNs, adversarial examples can be used to train a robust model that is resilient to adversarial perturbations, known as adversarial training [Madry et al.2017]. They have also been used in interpreting DNNs [Koh and Liang2017, Dong et al.2017].
Throughout this paper, we use adversarial examples to attack image classifiers based on deep convolutional neural networks. The rationale behind crafting effective adversarial examples lies in manipulating the prediction results while ensuring similarity to the original image. Specifically, in the literature the similarity between original and adversarial examples has been measured by different distortion metrics. One commonly used distortion metric is the norm, where denotes the norm of a -dimensional vector for any . In particular, when crafting adversarial examples, the distortion metric is used to evaluate the maximum variation in pixel value changes [Goodfellow, Shlens, and Szegedy2015], while the distortion metric is used to improve the visual quality [Carlini and Wagner2017b]. However, despite the fact that the norm is widely used in problems related to image denoising and restoration [Fu et al.2006], as well as sparse recovery [Candès and Wakin2008], -based adversarial examples have not been rigorously explored. In the context of adversarial examples, the distortion accounts for the total variation of the perturbation and serves as a popular convex surrogate for the metric, which counts the number of pixels modified by the perturbation (i.e., its sparsity). To bridge this gap, we propose an attack algorithm based on elastic-net regularization, which we call elastic-net attacks to DNNs (EAD). Elastic-net regularization is a linear mixture of and penalty functions, and it has been a standard tool for high-dimensional feature selection problems [Zou and Hastie2005]. In the context of attacking DNNs, EAD opens up new research directions since it generalizes the state-of-the-art attack proposed in [Carlini and Wagner2017b] based on distortion, and is able to craft -oriented adversarial examples that are more effective and fundamentally different from existing attack methods.
To explore the utility of -based adversarial examples crafted by EAD, we conduct extensive experiments on MNIST, CIFAR10 and ImageNet in different attack scenarios. Compared to the state-of-the-art and attacks [Kurakin, Goodfellow, and Bengio2016b, Carlini and Wagner2017b], EAD can attain a similar attack success rate when breaking undefended and defensively distilled DNNs [Papernot et al.2016b]. More importantly, we find that attacks attain superior performance over and attacks in transfer attacks and complement adversarial training. For the most difficult dataset (MNIST), EAD results in improved attack transferability from an undefended DNN to a defensively distilled DNN, achieving nearly 99% attack success rate. In addition, joint adversarial training with and based examples can further enhance the resilience of DNNs to adversarial perturbations. These results suggest that EAD yields a distinct, yet more effective, set of adversarial examples. Moreover, evaluating attacks based on distortion provides novel insights on adversarial machine learning and the security implications of DNNs, suggesting that may complement and based examples toward a thorough adversarial machine learning framework.
Here we summarize related works on attacking and defending DNNs against adversarial examples.
Attacks to DNNs
FGM and I-FGM: Let and denote the original and adversarial examples, respectively, and let denote the target class to attack. Fast gradient methods (FGM) use the gradient of the training loss with respect to for crafting adversarial examples [Goodfellow, Shlens, and Szegedy2015]. For attacks, is crafted by
where specifies the distortion between and , and takes the sign of the gradient. For and attacks, is crafted by
for , where specifies the corresponding distortion. Iterative fast gradient methods (I-FGM) were proposed in [Kurakin, Goodfellow, and Bengio2016b], which iteratively use FGM with a finer distortion, followed by an -ball clipping. Untargeted attacks using FGM and I-FGM can be implemented in a similar fashion.
C&W attack: Instead of leveraging the training loss, Carlini and Wagner designed a loss function based on the logit-layer representation of the DNN for crafting adversarial examples [Carlini and Wagner2017b]. Its formulation turns out to be a special case of our EAD formulation, which will be discussed in the following section. The C&W attack is considered to be one of the strongest attacks to DNNs, as it can successfully break undefended and defensively distilled DNNs and can attain remarkable attack transferability.
JSMA: Papernot et al. proposed a Jacobian-based saliency map algorithm (JSMA) for characterizing the input-output relation of DNNs [Papernot et al.2016a]. It can be viewed as a greedy attack algorithm that iteratively modifies the most influential pixel for crafting adversarial examples.
DeepFool: DeepFool is an untargeted attack algorithm [Moosavi-Dezfooli, Fawzi, and Frossard2016] based on the theory of projection to the closest separating hyperplane in classification. It is also used to craft a universal perturbation to mislead DNNs trained on natural images [Moosavi-Dezfooli et al.2016].
Black-box attacks: Crafting adversarial examples in the black-box case is feasible if one allows querying of the target DNN. In [Papernot et al.2017], JSMA is used to train a substitute model for transfer attacks. In [CPY17_zoo_2], an effective black-box C&W attack is made possible using zeroth order optimization (ZOO). In the more stringent attack scenario where querying is prohibited, ensemble methods can be used for transfer attacks [Liu et al.2016].
Defenses in DNNs
Defensive distillation: Defensive distillation [Papernot et al.2016b] uses knowledge distillation [Hinton, Vinyals, and Dean2015] to retrain the same network with the class probabilities (soft labels) predicted by the original network. It also introduces the temperature parameter in the softmax layer to enhance the robustness to adversarial perturbations.
Adversarial training: Adversarial training can be implemented in a few different ways. A standard approach is augmenting the original training dataset with the label-corrected adversarial examples to retrain the network. Modifying the training loss or the network architecture to increase the robustness of DNNs to adversarial examples has been proposed in [Zheng et al.2016, Madry et al.2017, Tramèr et al.2017, Zantedeschi, Nicolae, and Rawat2017].
Detection methods: Detection methods utilize statistical tests to differentiate adversarial from benign examples [Feinman et al.2017, Grosse et al.2017, Lu, Issaranon, and Forsyth2017, Xu, Evans, and Qi2017]. However, Carlini and Wagner showed that ten different detection methods fail to detect the C&W attack [Carlini and Wagner2017a].
EAD: Elastic-Net Attacks to DNNs
Preliminaries on Elastic-Net Regularization
Elastic-net regularization is a widely used technique in solving high-dimensional feature selection problems [Zou and Hastie2005]. It can be viewed as a regularizer that linearly combines and penalty functions. In general, elastic-net regularization is used in the following minimization problem:
where is a vector of optimization variables, indicates the set of feasible solutions, denotes a loss function, denotes the norm of , and are the and regularization parameters, respectively. The term in (3) is called the elastic-net regularizer of . For standard regression problems, the loss function is the mean squared error, the vector represents the weights (coefficients) on the features, and the set . In particular, the elastic-net regularization in (3) degenerates to the LASSO formulation when , and becomes the ridge regression formulation when . It is shown in [Zou and Hastie2005] that elastic-net regularization is able to select a group of highly correlated features, which overcomes the shortcoming of high-dimensional feature selection when solely using the LASSO or ridge regression techniques.
EAD Formulation and Generalization
Inspired by the C&W attack [Carlini and Wagner2017b], we adopt the same loss function for crafting adversarial examples. Specifically, given an image and its correct label denoted by , let denote the adversarial example of with a target class . The loss function for targeted attacks is defined as
where is the logit layer (the layer prior to the softmax layer) representation of in the considered DNN, is the number of classes for classification, and is a confidence parameter that guarantees a constant gap between and .
It is worth noting that the term is proportional to the probability of predicting as label , since by the softmax classification rule,
Consequently, the loss function in (4) aims to render the label the most probable class for , and the parameter controls the separation between and the next most likely prediction among all classes other than . For untargeted attacks, the loss function in (4) can be modified as
In this paper, we focus on targeted attacks since they are more challenging than untargeted attacks. Our EAD algorithm (Algorithm 1) can directly be applied to untargeted attacks by replacing in (4) with in (6).
In addition to manipulating the prediction via the loss function in (4), introducing elastic-net regularization further encourages similarity to the original image when crafting adversarial examples. Our formulation of elastic-net attacks to DNNs (EAD) for crafting an adversarial example with respect to a labeled natural image is as follows:
where is as defined in (4), are the regularization parameters of the loss function and the penalty, respectively. The box constraint restricts to a properly scaled image space, which can be easily satisfied by dividing each pixel value by the maximum attainable value (e.g., 255). Upon defining the perturbation of relative to as , the EAD formulation in (7) aims to find an adversarial example that will be classified as the target class while minimizing the distortion in in terms of the elastic-net loss , which is a linear combination of and distortion metrics between and . Notably, the formulation of the C&W attack [Carlini and Wagner2017b] becomes a special case of the EAD formulation in (7) when , which disregards the penalty on . However, the penalty is an intuitive regularizer for crafting adversarial examples, as represents the total variation of the perturbation, and is also a widely used surrogate function for promoting sparsity in the perturbation. As will be evident in the performance evaluation section, including the penalty on the perturbation indeed yields a distinct set of adversarial examples, leads to improved attack transferability and complements adversarial training.
When solving the EAD formulation in (7) without the penalty (i.e., ), Carlini and Wagner used a change-of-variable (COV) approach via the transformation on in order to remove the box constraint [Carlini and Wagner2017b]. When , we find that the same COV approach is not effective in solving (7), since the corresponding adversarial examples are insensitive to the changes in (see the performance evaluation section for details). Since the penalty is a non-differentiable, yet piece-wise linear, function, the failure of the COV approach in solving (7) can be explained by its inefficiency in subgradient-based optimization problems [Duchi and Singer2009].
To efficiently solve the EAD formulation in (7) for crafting adversarial examples, we propose to use the iterative shrinkage-thresholding algorithm (ISTA) [Beck and Teboulle2009]. ISTA can be viewed as a regular first-order optimization algorithm with an additional shrinkage-thresholding step in each iteration. In particular, let and let be the numerical gradient of computed by the DNN. At the -th iteration, the adversarial example of is computed by
where denotes the step size at the -th iteration, and is an element-wise projected shrinkage-thresholding function, which is defined as
for any . If , it shrinks the element by and projects the resulting element onto the feasible box constraint between 0 and 1. On the other hand, if , it thresholds by setting . The proof of optimality of using (8) for solving the EAD formulation in (7) is given in the supplementary material (https://arxiv.org/abs/1709.04114). Notably, since is the attack objective function of the C&W method [Carlini and Wagner2017b], the ISTA operation in (8) can be viewed as a robust version of the C&W method that shrinks a pixel value of the adversarial example if its deviation from the original image is greater than , and keeps a pixel value unchanged if the deviation is less than .
Our EAD algorithm for crafting adversarial examples is summarized in Algorithm 1. For computational efficiency, a fast ISTA (FISTA) for EAD is implemented, which yields the optimal convergence rate for first-order optimization methods [Beck and Teboulle2009]. The slack vector in Algorithm 1 incorporates the momentum in for acceleration. In the experiments, we set the initial learning rate with a square-root decay factor in . During the EAD iterations, the iterate is considered as a successful adversarial example of if the model predicts its most likely class to be the target class . The final adversarial example is selected from all successful examples based on distortion metrics. In this paper we consider two decision rules for selecting : the least elastic-net (EN) and distortions relative to . The influence of , and the decision rules on EAD will be investigated in the following section.
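The update in (8) together with the success check and selection rule of Algorithm 1, as an added example that is not the authors' code: a projected FISTA loop for the elastic-net objective, run against a constructed 3-class linear classifier (logits Z(x) = Wx + b on 8 features standing in for pixels) with the targeted C&W loss hinged at -kappa. The weights W and B, the input X0, the fixed loss weight c (the paper binary-searches it), the constant step size alpha (the paper uses a square-root decay), the constant values and the helper names are all assumptions of this example. With beta = 0 the loop is the C&W-style projected gradient update and touches every feature that has a nonzero gradient; with beta = 0.3 the thresholding branch of the shrinkage function leaves the weakly-coupled features exactly untouched, which is the sparsity the L1 term is meant to buy.

```python
import numpy as np

# Constructed toy classifier: logits Z(x) = W x + B with d = 8 "pixels" and K = 3 classes.
# (Assumed values for this example; the paper attacks real DNNs on MNIST/CIFAR10/ImageNet.)
W = np.array([
    [1.0, 0.0, 0.0, 0.0, 0.5, 0.0, 0.0, 0.0],   # class 0 reads pixels 0 and 4
    [0.0, 1.0, 0.0, 0.0, 0.0, 0.5, 0.0, 0.0],   # class 1 reads pixels 1 and 5
    [0.0, 0.0, 1.0, 0.0, 0.0, 0.0, 0.5, 0.0],   # class 2 reads pixels 2 and 6
])
B = np.array([0.0, 0.0, -1.0])
X0 = np.array([0.6, 0.2, 0.1, 0.5, 0.3, 0.3, 0.2, 0.7])   # constructed input, predicted as class 0


def logits(x):
    return W @ x + B


def cw_loss_and_grad(x, target, kappa):
    """Targeted C&W loss f(x, t) = max(max_{j != t} Z_j(x) - Z_t(x), -kappa) and its
    gradient w.r.t. x.  For the linear toy model the gradient is exact; for a DNN it
    would come from backpropagation."""
    z = logits(x)
    others = np.delete(np.arange(len(z)), target)
    j = others[np.argmax(z[others])]             # strongest competing class
    margin = z[j] - z[target]
    if margin > -kappa:                           # hinge active: push Z_t above Z_j
        return margin, W[j] - W[target]
    return -kappa, np.zeros_like(x)               # gap of kappa reached: flat region


def shrink(z, x0, beta):
    """Element-wise projected shrinkage-thresholding S_beta: move an element by beta
    back toward x0 and clip it to [0, 1] when it deviates from x0 by more than beta,
    otherwise snap it exactly back to x0 (this is what zeroes perturbation entries)."""
    d = z - x0
    return np.where(d > beta, np.minimum(z - beta, 1.0),
           np.where(d < -beta, np.maximum(z + beta, 0.0), x0))


def ead_attack(x0, target, c=5.0, beta=0.3, kappa=0.1, alpha=0.1, iters=100, rule="l1"):
    """Projected FISTA for  c * f(x, t) + ||x - x0||_2^2 + beta * ||x - x0||_1  over [0, 1]^d.
    Every iterate the model labels as `target` is a candidate; the one with the least
    L1 (rule="l1") or elastic-net (rule="en") distortion is returned, or None on failure.
    c is fixed here (the paper binary-searches it) and the step size is constant
    (the paper uses a square-root decay)."""
    x_prev, y = x0.copy(), x0.copy()
    best, best_score = None, np.inf
    for k in range(iters):
        _, grad_f = cw_loss_and_grad(y, target, kappa)
        grad_g = c * grad_f + 2.0 * (y - x0)       # gradient of the smooth part g(x)
        x = shrink(y - alpha * grad_g, x0, beta)   # ISTA step (8), taken at the slack point y
        y = x + (k / (k + 3.0)) * (x - x_prev)     # FISTA momentum on the slack vector
        x_prev = x
        if np.argmax(logits(x)) == target:         # successful adversarial example?
            d = x - x0
            score = np.abs(d).sum() if rule == "l1" else beta * np.abs(d).sum() + d @ d
            if score < best_score:
                best, best_score = x.copy(), score
    return best


def modified_features(adv, x0=X0, tol=1e-9):
    """Number of perturbed entries, i.e. the sparsity for which the L1 term is a surrogate."""
    return int(np.count_nonzero(np.abs(adv - x0) > tol))


if __name__ == "__main__":
    for beta in (0.0, 0.3):
        adv = ead_attack(X0, target=1, beta=beta)
        d = adv - X0
        print(f"beta={beta}: pred={np.argmax(logits(adv))}, L1={np.abs(d).sum():.3f}, "
              f"L2={np.sqrt(d @ d):.3f}, modified={modified_features(adv)}")
```

Note that, following the definition in the paper, the shrinkage amount is beta itself rather than alpha times beta; a textbook proximal-gradient step for step size alpha would soft-threshold by alpha*beta, so with this form the effective weight of the L1 term grows as the step size shrinks.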
In this section, we compare the proposed EAD with the state-of-the-art attacks to DNNs on three image classification datasets: MNIST, CIFAR10 and ImageNet. We would like to show that (i) EAD can attain attack performance similar to the C&W attack in breaking undefended and defensively distilled DNNs, since the C&W attack is a special case of EAD when ; (ii) compared to the existing -based FGM and I-FGM methods, the adversarial examples crafted by EAD have significantly lower distortion and a better attack success rate; (iii) the -based adversarial examples crafted by EAD achieve improved attack transferability and complement adversarial training.
We compare EAD with the following targeted attacks, which are the most effective methods for crafting adversarial examples in different distortion metrics.
C&W attack: The state-of-the-art targeted attack proposed by Carlini and Wagner [Carlini and Wagner2017b], which is a special case of EAD when .
FGM: The fast gradient method proposed in [Goodfellow, Shlens, and Szegedy2015]. The FGM attacks using different distortion metrics are denoted by FGM-, FGM- and FGM-.
I-FGM: The iterative fast gradient method proposed in [Kurakin, Goodfellow, and Bengio2016b]. The I-FGM attacks using different distortion metrics are denoted by I-FGM-, I-FGM- and I-FGM-.
[Table 1 column headers: Best case | Average case | Worst case; the table body is not preserved in this copy]
Experiment Setup and Parameter Setting
Our experiment setup is based on Carlini and Wagner's framework (https://github.com/carlini/nn_robust_attacks). For both the EAD and C&W attacks, we use the default setting, which implements 9 binary search steps on the regularization parameter (starting from 0.001) and runs iterations for each step with the initial learning rate . For finding successful adversarial examples, we use the reference optimizer (ADAM) for the C&W attack and implement the projected FISTA (Algorithm 1) with the square-root decaying learning rate for EAD. Similar to the C&W attack, the final adversarial example of EAD is selected as the least distorted example among all the successful examples. The sensitivity analysis of the parameter and the effect of the decision rule on EAD are investigated in the following paragraphs. Unless specified otherwise, we set the attack transferability parameter for both attacks.
We implemented FGM and I-FGM using the CleverHans package (https://github.com/tensorflow/cleverhans). The best distortion parameter is determined by a fine-grained grid search: for each image, the smallest in the grid leading to a successful attack is reported. For I-FGM, we perform 10 FGM iterations (the default value) with -ball clipping. The distortion parameter in each FGM iteration is set to be , which has been shown to be an effective attack setting in [Tramèr et al.2017]. The range of the grid and the resolution of these two methods are specified in the supplementary material.
The image classifiers for MNIST and CIFAR10 are trained based on the DNN models provided by Carlini and Wagner. The image classifier for ImageNet is the Inception-v3 model [Szegedy et al.2016]. For MNIST and CIFAR10, 1000 correctly classified images are randomly selected from the test sets to attack an incorrect class label. For ImageNet, 100 correctly classified images and 9 incorrect classes are randomly selected to attack. All experiments are conducted on a machine with an Intel E5-2690 v3 CPU, 40 GB RAM and a single NVIDIA K80 GPU. Our EAD code is publicly available for download (https://github.com/ysharma1126/EAD-Attack).
Following the attack evaluation criterion in [Carlini and Wagner2017b], we report the attack success rate and distortion of the adversarial examples from each method. The attack success rate (ASR) is defined as the percentage of adversarial examples that are classified as the target class (which is different from the original class). The average , and distortion metrics of successful adversarial examples are also reported. In particular, the ASR and distortion of the following attack settings are considered:
Best case: The least difficult attack among targeted attacks to all incorrect class labels in terms of distortion.
Average case: The targeted attack to a randomly selected incorrect class label.
Worst case: The most difficult attack among targeted attacks to all incorrect class labels in terms of distortion.
Sensitivity Analysis and Decision Rule for EAD
We verify the necessity of using Algorithm 1 for solving the elastic-net regularized attack formulation in (7) by comparing it to a naive change-of-variable (COV) approach. In [Carlini and Wagner2017b], Carlini and Wagner remove the box constraint by replacing with , where and is a vector of ones. The default ADAM optimizer [Kingma and Ba2014] is then used to solve and obtain . We apply this COV approach to (7) and compare with EAD on MNIST with different orders of the regularization parameter in Table 1. Although COV and EAD attain similar attack success rates, it is observed that COV is not effective in crafting -based adversarial examples. Increasing leads to less -distorted adversarial examples for EAD, whereas the distortion (, and ) of COV is insensitive to changes in . Similar insensitivity of COV on term in the penalty. The insensitivity of COV suggests that it is inadequate for elastic-net optimization, which can be explained by its inefficiency in subgradient-based optimization problems [Duchi and Singer2009]. For EAD, we also find an interesting trade-off between and the other two distortion metrics: adversarial examples with smaller distortion tend to have larger and distortions. This trade-off can be explained by the fact that increasing further encourages sparsity in the perturbation, and hence results in increased and distortion. Similar results are observed on CIFAR10 (see supplementary material).
Table 1, average case (only the two EAD rows are preserved in this copy; the dataset columns follow the order MNIST, CIFAR10, ImageNet used in the text, and for each dataset the ASR in % is followed by the three distortion metrics in the order listed in the evaluation criteria):

| Attack method | Dataset | ASR (%) | Distortion metrics (three, in the order listed above) |
|---|---|---|---|
| EAD (EN rule) | MNIST | 100 | 17.4 / 2.001 / 0.594 |
| EAD (EN rule) | CIFAR10 | 100 | 8.18 / 0.502 / 0.097 |
| EAD (EN rule) | ImageNet | 100 | 69.47 / 1.563 / 0.238 |
| EAD ( rule) | MNIST | 100 | 14.11 / 2.211 / 0.768 |
| EAD ( rule) | CIFAR10 | 100 | 6.066 / 0.613 / 0.17 |
| EAD ( rule) | ImageNet | 100 | 40.9 / 1.598 / 0.293 |
In Table 1, during the attack optimization process the final adversarial example is selected based on the elastic-net loss of all successful adversarial examples in , which we call the elastic-net (EN) decision rule. Alternatively, we can select the final adversarial example with the least distortion, which we call the decision rule. Figure 2 compares the ASR and average-case distortion of these two decision rules with different on MNIST. Both decision rules yield 100% ASR for a wide range of values. For the same , the rule gives adversarial examples with less distortion than those given by the EN rule, at the price of larger and distortions. Similar trends are observed on CIFAR10, and the complete results of these two rules on MNIST and CIFAR10 are given in the supplementary material. In the following experiments, we report the results of EAD with both decision rules and set , since on MNIST and CIFAR10 this value significantly reduces the distortion while having comparable and distortions to the case of (i.e., without regularization).
Attack Success Rate and Distortion on MNIST, CIFAR10 and ImageNet
We compare EAD with the baseline methods in terms of attack success rate and different distortion metrics when attacking the considered DNNs trained on MNIST, CIFAR10 and ImageNet. Table 1 summarizes their average-case performance. It is observed that the FGM methods fail to yield successful adversarial examples (i.e., low ASR), and the corresponding distortion metrics are significantly larger than those of the other methods. On the other hand, the C&W attack, I-FGM and EAD all lead to a 100% attack success rate. Furthermore, EAD, the C&W method, and I-FGM- attain the least , , and distorted adversarial examples, respectively. We note that EAD significantly outperforms the existing -based method (I-FGM-). Compared to I-FGM-, EAD with the EN decision rule reduces the distortion by roughly 47% on MNIST, 53% on CIFAR10 and 87% on ImageNet. We also observe that EAD with the decision rule can further reduce the distortion, but at the price of a noticeable increase in the and distortion metrics.
Notably, despite having large and distortion metrics, the adversarial examples crafted by EAD with the rule still attain 100% ASR on all datasets, which implies that the and distortion metrics alone are insufficient for evaluating the robustness of neural networks. Moreover, the attack results in Table 1 suggest that EAD yields a set of distinct adversarial examples that are fundamentally different from - or -based examples. Similar to the C&W method and I-FGM, the adversarial examples from EAD are also visually indistinguishable from the originals (see supplementary material).
Breaking Defensive Distillation
In addition to breaking undefended DNNs via adversarial examples, here we show that EAD can also break defensively distilled DNNs. Defensive distillation [Papernot et al.2016b] is a standard defense technique that retrains the network with the class label probabilities (soft labels) predicted by the original network and introduces the temperature parameter in the softmax layer to enhance its robustness to adversarial perturbations. Similar to the state-of-the-art attack (the C&W method), Figure 3 shows that EAD can attain a 100% attack success rate for different values of on MNIST and CIFAR10. Moreover, since the C&W attack formulation is a special case of the EAD formulation in (7) when , successfully breaking defensive distillation using EAD suggests new ways of crafting effective adversarial examples by varying the regularization parameter . The complete attack results are given in the supplementary material.
Improved Attack Transferability
It has been shown in [Carlini and Wagner2017b] that the C&W attack can be made highly transferable from an undefended network to a defensively distilled network by tuning the confidence parameter in (4). Following [Carlini and Wagner2017b], we adopt the same experiment setting for attack transferability on MNIST, as MNIST is the most difficult dataset to attack in terms of the average distortion per image pixel from Table 1.
Fixing , adversarial examples generated from the original (undefended) network are used to attack the defensively distilled network with the temperature parameter [Papernot et al.2016b]. The attack success rate (ASR) of EAD, the C&W method and I-FGM are shown in Figure 4. When , all methods attain low ASR and hence do not produce transferable adversarial examples. The ASR of EAD and the C&W method improves when we set , whereas I-FGM’s ASR remains low (less than 2%) since the attack does not have such a parameter for transferability.
Notably, EAD can attain nearly 99% ASR when , whereas the top ASR of the C&W method is nearly 88% when . This implies improved attack transferability when using the adversarial examples crafted by EAD, which can be explained by the fact that the ISTA operation in (8) is a robust version of the C&W attack via shrinking and thresholding. We also find that setting too large may reduce the ASR of transfer attacks for both EAD and the C&W method, as the optimizer may fail to find an adversarial example that minimizes the loss function in (4) for large . The complete attack transferability results are given in the supplementary material.
Table (adversarial training on MNIST, average case; only the rows for joint EAD + C&W training are preserved in this copy; each row gives the ASR in % and the three distortion metrics, in the order listed in the evaluation criteria, of one of the two attacks against the jointly retrained network):

| Adversarial training set | ASR (%) | Distortion metrics (three, in the order listed above) |
|---|---|---|
| EAD + C&W | 100 | 27.32 / 2.513 / 0.653 |
| EAD + C&W | 100 | 16.83 / 2.66 / 0.87 |
Complementing Adversarial Training
To further validate the difference between -based and -based adversarial examples, we test their performance in adversarial training on MNIST. We randomly select 1000 images from the training set and use the C&W attack and EAD ( rule) to generate adversarial examples for all incorrect labels, leading to 9000 adversarial examples in total for each method. We then separately augment the original training set with these examples to retrain the network and test its robustness on the test set, as summarized in Table 1. For adversarial training with any single method, although both attacks still attain a 100% success rate in the average case, the network becomes more tolerant of adversarial perturbations, as all distortion metrics increase significantly compared to the null case (no adversarial training). We also observe that joint adversarial training with EAD and the C&W method can further increase the and distortions against the C&W attack and the distortion against EAD, suggesting that the -based examples crafted by EAD can complement adversarial training.
We proposed an elastic-net regularized attack framework for crafting adversarial examples to attack deep neural networks. Experimental results on MNIST, CIFAR10 and ImageNet show that the -based adversarial examples crafted by EAD can be as successful as the state-of-the-art and attacks in breaking undefended and defensively distilled networks. Furthermore, EAD can improve attack transferability and complement adversarial training. Our results corroborate the effectiveness of EAD and shed new light on the use of -based adversarial examples toward adversarial learning and security implications of deep neural networks.
Acknowledgment Cho-Jui Hsieh and Huan Zhang acknowledge the support of NSF via IIS-1719097.
- [Beck and Teboulle2009] Beck, A., and Teboulle, M. 2009. A fast iterative shrinkage-thresholding algorithm for linear inverse problems. SIAM journal on imaging sciences 2(1):183–202.
- [Candès and Wakin2008] Candès, E. J., and Wakin, M. B. 2008. An introduction to compressive sampling. IEEE signal processing magazine 25(2):21–30.
- [Carlini and Wagner2017a] Carlini, N., and Wagner, D. 2017a. Adversarial examples are not easily detected: Bypassing ten detection methods. arXiv preprint arXiv:1705.07263.
- [Carlini and Wagner2017b] Carlini, N., and Wagner, D. 2017b. Towards evaluating the robustness of neural networks. In IEEE Symposium on Security and Privacy (SP), 39–57.
- [Dong et al.2017] Dong, Y.; Su, H.; Zhu, J.; and Bao, F. 2017. Towards interpretable deep neural networks by leveraging adversarial examples. arXiv preprint arXiv:1708.05493.
- [Duchi and Singer2009] Duchi, J., and Singer, Y. 2009. Efficient online and batch learning using forward backward splitting. Journal of Machine Learning Research 10(Dec):2899–2934.
- [Evtimov et al.2017] Evtimov, I.; Eykholt, K.; Fernandes, E.; Kohno, T.; Li, B.; Prakash, A.; Rahmati, A.; and Song, D. 2017. Robust physical-world attacks on machine learning models. arXiv preprint arXiv:1707.08945.
- [Feinman et al.2017] Feinman, R.; Curtin, R. R.; Shintre, S.; and Gardner, A. B. 2017. Detecting adversarial samples from artifacts. arXiv preprint arXiv:1703.00410.
- [Fu et al.2006] Fu, H.; Ng, M. K.; Nikolova, M.; and Barlow, J. L. 2006. Efficient minimization methods of mixed l2-l1 and l1-l1 norms for image restoration. SIAM Journal on scientific computing 27(6):1881–1902.
- [Goodfellow, Shlens, and Szegedy2015] Goodfellow, I. J.; Shlens, J.; and Szegedy, C. 2015. Explaining and harnessing adversarial examples. ICLR’15; arXiv preprint arXiv:1412.6572.
- [Grosse et al.2017] Grosse, K.; Manoharan, P.; Papernot, N.; Backes, M.; and McDaniel, P. 2017. On the (statistical) detection of adversarial examples. arXiv preprint arXiv:1702.06280.
- [Hinton, Vinyals, and Dean2015] Hinton, G.; Vinyals, O.; and Dean, J. 2015. Distilling the knowledge in a neural network. arXiv preprint arXiv:1503.02531.
- [Kingma and Ba2014] Kingma, D., and Ba, J. 2014. Adam: A method for stochastic optimization. arXiv preprint arXiv:1412.6980.
- [Koh and Liang2017] Koh, P. W., and Liang, P. 2017. Understanding black-box predictions via influence functions. ICML; arXiv preprint arXiv:1703.04730.
- [Kurakin, Goodfellow, and Bengio2016a] Kurakin, A.; Goodfellow, I.; and Bengio, S. 2016a. Adversarial examples in the physical world. arXiv preprint arXiv:1607.02533.
- [Kurakin, Goodfellow, and Bengio2016b] Kurakin, A.; Goodfellow, I.; and Bengio, S. 2016b. Adversarial machine learning at scale. ICLR’17; arXiv preprint arXiv:1611.01236.
- [Liu et al.2016] Liu, Y.; Chen, X.; Liu, C.; and Song, D. 2016. Delving into transferable adversarial examples and black-box attacks. arXiv preprint arXiv:1611.02770.
- [Lu, Issaranon, and Forsyth2017] Lu, J.; Issaranon, T.; and Forsyth, D. 2017. Safetynet: Detecting and rejecting adversarial examples robustly. arXiv preprint arXiv:1704.00103.
- [Madry et al.2017] Madry, A.; Makelov, A.; Schmidt, L.; Tsipras, D.; and Vladu, A. 2017. Towards deep learning models resistant to adversarial attacks. arXiv preprint arXiv:1706.06083.
- [Moosavi-Dezfooli et al.2016] Moosavi-Dezfooli, S.-M.; Fawzi, A.; Fawzi, O.; and Frossard, P. 2016. Universal adversarial perturbations. arXiv preprint arXiv:1610.08401.
- [Moosavi-Dezfooli, Fawzi, and Frossard2016] Moosavi-Dezfooli, S.-M.; Fawzi, A.; and Frossard, P. 2016. Deepfool: a simple and accurate method to fool deep neural networks. In , 2574–2582.
- [Papernot et al.2016a] Papernot, N.; McDaniel, P.; Jha, S.; Fredrikson, M.; Celik, Z. B.; and Swami, A. 2016a. The limitations of deep learning in adversarial settings. In IEEE European Symposium on Security and Privacy (EuroS&P), 372–387.
- [Papernot et al.2016b] Papernot, N.; McDaniel, P.; Wu, X.; Jha, S.; and Swami, A. 2016b. Distillation as a defense to adversarial perturbations against deep neural networks. In IEEE Symposium on Security and Privacy (SP), 582–597.
- [Papernot et al.2017] Papernot, N.; McDaniel, P.; Goodfellow, I.; Jha, S.; Celik, Z. B.; and Swami, A. 2017. Practical black-box attacks against machine learning. In ACM Asia Conference on Computer and Communications Security, 506–519.
- [Parikh, Boyd, and others2014] Parikh, N.; Boyd, S.; et al. 2014. Proximal algorithms. Foundations and Trends® in Optimization 1(3):127–239.
- [Szegedy et al.2013] Szegedy, C.; Zaremba, W.; Sutskever, I.; Bruna, J.; Erhan, D.; Goodfellow, I.; and Fergus, R. 2013. Intriguing properties of neural networks. arXiv preprint arXiv:1312.6199.
- [Szegedy et al.2016] Szegedy, C.; Vanhoucke, V.; Ioffe, S.; Shlens, J.; and Wojna, Z. 2016. Rethinking the inception architecture for computer vision. In Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, 2818–2826.
- [Tramèr et al.2017] Tramèr, F.; Kurakin, A.; Papernot, N.; Boneh, D.; and McDaniel, P. 2017. Ensemble adversarial training: Attacks and defenses. arXiv preprint arXiv:1705.07204.
- [Xu, Evans, and Qi2017] Xu, W.; Evans, D.; and Qi, Y. 2017. Feature squeezing: Detecting adversarial examples in deep neural networks. arXiv preprint arXiv:1704.01155.
- [Zantedeschi, Nicolae, and Rawat2017] Zantedeschi, V.; Nicolae, M.-I.; and Rawat, A. 2017. Efficient defenses against adversarial attacks. arXiv preprint arXiv:1707.06728.
- [Zheng et al.2016] Zheng, S.; Song, Y.; Leung, T.; and Goodfellow, I. 2016. Improving the robustness of deep neural networks via stability training. In Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, 4480–4488.
- [Zou and Hastie2005] Zou, H., and Hastie, T. 2005. Regularization and variable selection via the elastic net. Journal of the Royal Statistical Society: Series B (Statistical Methodology) 67(2):301–320.
Since the penalty in (3) is a non-differentiable yet smooth function, we use the proximal gradient method [Parikh, Boyd, and others2014] for solving the EAD formulation in (3). Define to be the indicator function of an interval such that if and if . Using , the EAD formulation in (3) can be rewritten as
where . The proximal operator of constrained to is
where the mapping function is defined in (9). Consequently, using (Proof of Optimality of (8) for Solving EAD in (3)), the proximal gradient algorithm for solving (EAD Formulation and Generalization) is iterated by
which completes the proof.
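The projected proximal gradient iteration the proof above describes, as an added example that is not the paper's code: the DNN loss is replaced by a constructed quadratic surrogate so that it runs offline, and the surrogate, the step size and every function name are assumptions. Run on a constructed four-coordinate input, it shows the effect the text attributes to the weight on the ℓ1 term (`beta` below): as that weight grows, more coordinates stay exactly at the benign input and the ℓ1 distortion shrinks.

```python
# Added example, not the paper's code. Solves the constructed problem
#   min_x  c*f(x) + beta*||x - x0||_1 + ||x - x0||_2^2   subject to  x in [0,1]^n
# by proximal gradient descent, with f a quadratic stand-in for the attack loss.

def prox_shrink_box(z, x0, beta):
    """Proximal operator of beta*||x - x0||_1 restricted to the box [0,1]^n:
    soft-threshold each coordinate towards x0, then project into [0,1]."""
    out = []
    for zi, x0i in zip(z, x0):
        d = zi - x0i
        if d > beta:
            out.append(min(zi - beta, 1.0))
        elif d < -beta:
            out.append(max(zi + beta, 0.0))
        else:
            out.append(x0i)   # returned exactly unchanged: this is what makes the result sparse
    return out

def surrogate_grad(x, target):
    """Gradient of the constructed surrogate f(x) = 0.5*||x - target||^2 (assumption)."""
    return [xi - ti for xi, ti in zip(x, target)]

def ead_prox_gradient(x0, target, c=1.0, beta=0.1, steps=200):
    """x <- prox_{alpha*beta}(x - alpha * grad g(x)), with g(x) = c*f(x) + ||x - x0||_2^2."""
    alpha = 0.5 / (c + 2.0)   # below 1/L, where L = c + 2 bounds the gradient of g
    x = list(x0)
    for _ in range(steps):
        grad_f = surrogate_grad(x, target)
        grad_g = [c * gf + 2.0 * (xi - x0i) for gf, xi, x0i in zip(grad_f, x, x0)]
        z = [xi - alpha * gi for xi, gi in zip(x, grad_g)]
        x = prox_shrink_box(z, x0, alpha * beta)   # threshold scales with the step size
    return x

def l1_distortion(x, x0):
    return sum(abs(xi - x0i) for xi, x0i in zip(x, x0))

def changed_coordinates(x, x0):
    """Number of coordinates the solution moved away from the benign input."""
    return sum(1 for xi, x0i in zip(x, x0) if xi != x0i)

if __name__ == "__main__":
    x0 = [0.2, 0.5, 0.9, 0.4]         # constructed benign input in [0,1]^4
    target = [0.25, 0.9, 0.95, 0.0]   # constructed point the surrogate loss pulls towards
    for beta in (0.0, 0.1, 0.5):
        x = ead_prox_gradient(x0, target, beta=beta)
        print(beta, [round(v, 4) for v in x], changed_coordinates(x, x0),
              round(l1_distortion(x, x0), 4))
```

Because the surrogate is separable, the optimum can be checked by hand: each coordinate moves by one third of the soft-thresholded difference between the target and x0, so beta=0.1 moves exactly two coordinates and beta=0.5 moves none.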
Grid Search for FGM and I-FGM (Table 4)
To determine the optimal distortion parameter for the FGM and I-FGM methods, we adopt a fine grid search on . For each image, the best parameter is the smallest value in the grid that leads to a successful targeted attack. If the grid search fails to find a successful adversarial example, the attack is counted as a failure. The selected range of the grid search covers the reported distortion statistics of EAD and the C&W attack. The resolution of the grid search for FGM is selected such that it generates 1000 candidate adversarial examples per input image. The resolution of the grid search for I-FGM is selected such that it computes gradients 10000 times in total (i.e., 1000 FGM operations × 10 iterations) per input image, which is more than the total number of gradients (9000) computed by EAD and the C&W attack.
Comparison of COV and EAD on CIFAR10 (Table 5)
Table 5 compares the attack performance of EAD (Algorithm 1) and the change-of-variable (COV) approach for solving the elastic-net formulation in (EAD Formulation and Generalization) on CIFAR10. Similar to the MNIST results in Table 1, although COV and EAD attain similar attack success rates, we find that COV is not effective in crafting -based adversarial examples. Increasing leads to less -distorted adversarial examples for EAD, whereas the distortion (, and ) of COV is insensitive to changes in . The insensitivity of COV suggests that it is inadequate for elastic-net optimization, which can be explained by its inefficiency on subgradient-based optimization problems [Duchi and Singer2009].
Figure 5 compares the average-case distortion of these two decision rules with different values of on CIFAR10. For the same , the rule gives less distorted adversarial examples than the EN rule, at the price of larger and distortions. We also observe that the distortion does not decrease monotonically with . In particular, large values (e.g., ) may lead to increased distortion due to excessive shrinking and thresholding. Table 6 and Table 7 display the complete attack results of these two decision rules on MNIST and CIFAR10, respectively.
Complete Attack Results and Visual Illustration on MNIST, CIFAR10 and ImageNet (Tables 8, 9 and 10 and Figures 6, 7 and 8)
Tables 8, 9 and 10 summarize the complete attack results of all the considered attack methods on MNIST, CIFAR10 and ImageNet, respectively. EAD, the C&W attack and I-FGM all reach a 100% attack success rate in the average case. Among the three image classification datasets, ImageNet is the easiest one to attack, since the required distortion per image pixel is low, and MNIST is the most difficult one to attack. For visual illustration, the adversarial examples of selected benign images from the test sets are displayed in Figures 6, 7 and 8. On CIFAR10 and ImageNet, the adversarial examples are visually indistinguishable from the benign images. On MNIST, the I-FGM examples are blurrier than those of EAD and the C&W attack.
| Method | Best case ASR (%) | Best case L1 | Best case L2 | Best case L∞ | Average case ASR (%) | Average case L1 | Average case L2 | Average case L∞ | Worst case ASR (%) | Worst case L1 | Worst case L2 | Worst case L∞ |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| EAD (EN rule) | 100 | 9.808 | 1.427 | 0.452 | 100 | 17.4 | 2.001 | 0.594 | 100 | 25.52 | 2.582 | 0.748 |
| EAD (L1 rule) | 100 | 7.153 | 1.639 | 0.593 | 100 | 14.11 | 2.211 | 0.768 | 100 | 22.05 | 2.747 | 0.934 |
| Method | Best case ASR (%) | Best case L1 | Best case L2 | Best case L∞ | Average case ASR (%) | Average case L1 | Average case L2 | Average case L∞ | Worst case ASR (%) | Worst case L1 | Worst case L2 | Worst case L∞ |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| EAD (EN rule) | 100 | 4.014 | 0.261 | 0.047 | 100 | 8.18 | 0.502 | 0.097 | 100 | 12.11 | 0.69 | 0.147 |
| EAD (L1 rule) | 100 | 2.597 | 0.359 | 0.103 | 100 | 6.066 | 0.613 | 0.17 | 100 | 8.986 | 0.871 | 0.27 |
| Method | Best case ASR (%) | Best case L1 | Best case L2 | Best case L∞ | Average case ASR (%) | Average case L1 | Average case L2 | Average case L∞ | Worst case ASR (%) | Worst case L1 | Worst case L2 | Worst case L∞ |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| EAD (EN rule) | 100 | 29.56 | 1.007 | 0.128 | 100 | 69.47 | 1.563 | 0.238 | 100 | 160.3 | 2.3 | 0.351 |
| EAD (L1 rule) | 100 | 22.11 | 1.167 | 0.195 | 100 | 40.9 | 1.598 | 0.293 | 100 | 100 | 2.391 | 0.423 |
Tables 11 and 12 display the complete attack results of EAD and the C&W method on breaking defensive distillation with different temperature parameters on MNIST and CIFAR10. Although defensive distillation is a standard defense technique for DNNs, EAD and the C&W attack successfully break defensive distillation over a wide range of temperature parameters.
Complete Attack Transferability Results on MNIST (Table 13)
Table 13 summarizes the transfer attack results from an undefended DNN to a defensively distilled DNN on MNIST using EAD, the C&W attack and I-FGM. The I-FGM methods have poor attack transferability: the average attack success rate (ASR) of I-FGM is below 2%. On the other hand, adjusting the transferability parameter in EAD and the C&W attack significantly improves the ASR. Tested over a wide range of values, the top average-case ASR for EAD is 98.6% using the EN rule and 98.1% using the rule. The top average-case ASR for the C&W attack is 87.4%. This improvement is largely due to the improvement in the worst case, where the top worst-case ASR for EAD is 87% using the EN rule and 85.8% using the rule, while the top worst-case ASR for the C&W attack is 30.5%. The results suggest that -based adversarial examples have better attack transferability.
Complete Results on Adversarial Training with and examples (Table 14)
Table 14 displays the complete results of adversarial training on MNIST using the -based adversarial examples crafted by the C&W attack and the -based adversarial examples crafted by EAD with the EN or the decision rule. Adversarial training with any single method renders the DNN more difficult to attack, in terms of increased distortion metrics, when compared with the null case. Notably, in the average case, joint adversarial training using and examples leads to increased and distortion against the C&W attack and EAD (EN), and increased distortion against EAD (). The results suggest that EAD can complement adversarial training toward resilient DNNs. We would like to point out that in our experiments, adversarial training maintains comparable test accuracy: all the adversarially trained DNNs in Table 14 still attain at least 99% test accuracy on MNIST.
| Adversarial training | Best case ASR (%) | Best case L1 | Best case L2 | Best case L∞ | Average case ASR (%) | Average case L1 | Average case L2 | Average case L∞ | Worst case ASR (%) | Worst case L1 | Worst case L2 | Worst case L∞ |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| EAD + C&W | 100 | 16.54 | 1.73 | 0.502 | 100 | 27.32 | 2.513 | 0.653 | 99.8 | 37.83 | 3.229 | 0.795 |
| EAD + C&W | 100 | 8.936 | 1.975 | 0.711 | 100 | 16.83 | 2.66 | 0.87 | 99.9 | 25.55 | 3.288 | 0.979 |
| EAD + C&W | 100 | 11.14 | 1.76 | 0.602 | 100 | 20.09 | 2.5 | 0.75 | 100 | 28.91 | 3.193 | 0.882 |