Formulating Robustness Against Unforeseen Attacks

“…From Figure 1a, we find that some existing defenses achieve both high clean accuracy and high CR ind-avg . Interestingly, we find that the 2 best models in terms of CR ind-avg Overall, we find that CR ind-avg are uncorrelated; for example, the rank 4, 5, and 6 models in terms of CR ind-avg (models using LPIPS threat model (Laidlaw et al, 2021;Dai et al, 2022) and no knowledge (Jin & Rinard, 2020)) have the lowest clean accuracies out of all defenses present on the leaderboard.…”

“…One line of works focuses on improving robustness against the union of known attacks (typically the union of p -balls) (Maini et al, 2020;Tramèr & Boneh, 2019;Croce & Hein, 2020a;Madaan et al, 2020). Another line of works looks at defending against attacks that are not used during training (Laidlaw et al, 2021;Dai et al, 2022;Jin & Rinard, 2020). We provide a framework that unifies both of these research directions and provides metrics and a leaderboard for benchmarking these defenses.…”

“…While prior works have studied problems relating to robustness against multiple attacks (Tramèr & Boneh, 2019;Maini et al, 2020;Croce & Hein, 2020a;Laidlaw et al, 2021;Dai et al, 2022;Jin & Rinard, 2020;Hsiung et al, 2022a), these works have studied specific instances of multiattack robustness (i.e. robustness against unions of known threat models, unforeseen attack robustness), but have not provided a unified framework for modelling problems in multiattack robustness.…”

“…We provide 2 leaderboards for the CIFAR-10 dataset, one for average case performance, which ranks defenses based on CR ind-avg , and one for worst case performance, which ranks defenses based on CR ind-worst . Our leaderboard contains evaluations for 16 pretrained models, all of which use training-based defenses, including techniques for training on unions of p norms (Maini et al, 2020;Tramèr & Boneh, 2019;Madaan et al, 2020), training with novel threat models (Laidlaw et al, 2021), regularization based approaches (Jin & Rinard, 2020;Dai et al, 2022), and p norm adversarial training (Madry et al, 2018;Zhang et al, 2019;Rebuffi et al, 2021). We include details of the models present on the leaderboard in Appendix D. We note that these models are trained with either 2 attacks with = 0.5, ∞ attacks with = 8 255 , LPIPS attacks with = 1, or the union of 1 , = 2000 255 , 2 , = 128 255 and ∞ , = 8 255 attacks.…”

“…These test-time adversaries can potentially use multiple (and unforeseen) attack types, motivating the need to study multiattack robustness. Several works (Maini et al, 2020;Tramèr & Boneh, 2019;Croce & Hein, 2020a;Dai et al, 2022;Jin & Rinard, 2020;Laidlaw et al, 2021;Hsi-Preprint. Under review.…”

Parameterizing Activation Functions for Adversarial Robustness

“…From Figure 1a, we find that some existing defenses achieve both high clean accuracy and high CR ind-avg . Interestingly, we find that the 2 best models in terms of CR ind-avg Overall, we find that CR ind-avg are uncorrelated; for example, the rank 4, 5, and 6 models in terms of CR ind-avg (models using LPIPS threat model (Laidlaw et al, 2021;Dai et al, 2022) and no knowledge (Jin & Rinard, 2020)) have the lowest clean accuracies out of all defenses present on the leaderboard.…”

“…One line of works focuses on improving robustness against the union of known attacks (typically the union of p -balls) (Maini et al, 2020;Tramèr & Boneh, 2019;Croce & Hein, 2020a;Madaan et al, 2020). Another line of works looks at defending against attacks that are not used during training (Laidlaw et al, 2021;Dai et al, 2022;Jin & Rinard, 2020). We provide a framework that unifies both of these research directions and provides metrics and a leaderboard for benchmarking these defenses.…”

“…While prior works have studied problems relating to robustness against multiple attacks (Tramèr & Boneh, 2019;Maini et al, 2020;Croce & Hein, 2020a;Laidlaw et al, 2021;Dai et al, 2022;Jin & Rinard, 2020;Hsiung et al, 2022a), these works have studied specific instances of multiattack robustness (i.e. robustness against unions of known threat models, unforeseen attack robustness), but have not provided a unified framework for modelling problems in multiattack robustness.…”

“…We provide 2 leaderboards for the CIFAR-10 dataset, one for average case performance, which ranks defenses based on CR ind-avg , and one for worst case performance, which ranks defenses based on CR ind-worst . Our leaderboard contains evaluations for 16 pretrained models, all of which use training-based defenses, including techniques for training on unions of p norms (Maini et al, 2020;Tramèr & Boneh, 2019;Madaan et al, 2020), training with novel threat models (Laidlaw et al, 2021), regularization based approaches (Jin & Rinard, 2020;Dai et al, 2022), and p norm adversarial training (Madry et al, 2018;Zhang et al, 2019;Rebuffi et al, 2021). We include details of the models present on the leaderboard in Appendix D. We note that these models are trained with either 2 attacks with = 0.5, ∞ attacks with = 8 255 , LPIPS attacks with = 1, or the union of 1 , = 2000 255 , 2 , = 128 255 and ∞ , = 8 255 attacks.…”

“…These test-time adversaries can potentially use multiple (and unforeseen) attack types, motivating the need to study multiattack robustness. Several works (Maini et al, 2020;Tramèr & Boneh, 2019;Croce & Hein, 2020a;Dai et al, 2022;Jin & Rinard, 2020;Laidlaw et al, 2021;Hsi-Preprint. Under review.…”

Parameterizing Activation Functions for Adversarial Robustness