On Evaluating Adversarial Robustness

Carlini, Nicholas; Athalye, Anish; Papernot, Nicolas; Brendel, Wieland; Rauber, Jonas; Tsipras, Dimitris; Goodfellow, Ian; Madry, Aleksander; Kurakin, Alexey

doi:10.48550/arxiv.1902.06705

Cited by 174 publications

(300 citation statements)

References 32 publications

Supporting

Mentioning

297

Contrasting

Order By: Relevance

“…; Cubuk et al (2018); Calian et al (2021) proposed augmentation methods to improve the corruption robustness in 2D vision tasks. On the adversarial robustness benchmarking front, Carlini et al (2019) discussed the methodological foundations, reviewed commonly accepted best practices, and suggested new methods for evaluating defenses to adversarial examples. proposed a standardized leaderboard called RobustBench, which evaluates the adversarial robustness with AutoAttack , a comprehensive ensemble of white-and black-box attacks.…”

Section: Related Workmentioning

confidence: 99%

Benchmarking Robustness of 3D Point Cloud Recognition Against Common Corruptions

Sun¹,

Zhang²,

Kailkhura³

et al. 2022

Preprint

View full text Add to dashboard Cite

Deep neural networks on 3D point cloud data have been widely used in the real world, especially in safety-critical applications. However, their robustness against corruptions is less studied. In this paper, we present ModelNet40-C, the first comprehensive benchmark on 3D point cloud corruption robustness, consisting of 15 common and realistic corruptions. Our evaluation shows a significant gap between the performances on ModelNet40 and ModelNet40-C for state-of-the-art (SOTA) models. To reduce the gap, we propose a simple but effective method by combining PointCutMix-R and TENT after evaluating a wide range of augmentation and testtime adaptation strategies. We identify a number of critical insights for future studies on corruption robustness in point cloud recognition. For instance, we unveil that Transformer-based architectures with proper training recipes achieve the strongest robustness. We hope our in-depth analysis will motivate the development of robust training strategies or architecture designs in the 3D point cloud domain. Our codebase and dataset are included in https://github. com/jiachens/ModelNet40-C.

show abstract

Section: Related Workmentioning

confidence: 99%

Benchmarking Robustness of 3D Point Cloud Recognition Against Common Corruptions

Sun¹,

Zhang²,

Kailkhura³

et al. 2022

Preprint

View full text Add to dashboard Cite

show abstract

“…The model architecture and parameters are exposed to the adversaries, but the defense mechanism is kept confidential (non-adaptive) [9], [45].…”

Section: White-box Attackmentioning

confidence: 99%

“…Adversaries have full knowledge of both the target model and the defense mechanism, and could craft attacks accordingly [9].…”

Section: Adaptive Attackmentioning

confidence: 99%

“…Further, in the adaptive attacks 2 , we assume that the adversary has full access to the proposed defense, i.e., ContraNet, including the detection algorithm, the Encoder E, the Generator G, and the Similarity Measurement Model, but not the discriminators, i.e., D Φ and D aux , which are only used in training 3 . This adaptive attack scenario represents the most potent adversaries; as informed in [7], [9], a substantial number of existing defenses are broken under adaptive attacks.…”

Section: A Threat Modelmentioning

confidence: 99%

“…As evidenced in [9], [10], it is critical to choose the proper loss function for adaptive attacks. On the one hand, an adaptive attack aims to simultaneously bypass the detector and fool the classifier.…”

Section: B Customizable Adaptive Objective Loss Functionmentioning

confidence: 99%

See 2 more Smart Citations

What You See is Not What the Network Infers: Detecting Adversarial Examples Based on Semantic Contradiction

Yang,

Gao,

et al. 2022

Preprint

View full text Add to dashboard Cite

Adversarial examples (AEs) pose severe threats to the applications of deep neural networks (DNNs) to safety-critical domains, e.g., autonomous driving. While there has been a vast body of AE defense solutions, to the best of our knowledge, they all suffer from some weaknesses, e.g., defending against only a subset of AEs or causing a relatively high accuracy loss for legitimate inputs. Moreover, most existing solutions cannot defend against adaptive attacks, wherein attackers are knowledgeable about the defense mechanisms and craft AEs accordingly.In this paper, we propose a novel AE detection framework based on the very nature of AEs, i.e., their semantic information is inconsistent with the discriminative features extracted by the target DNN model. To be specific, the proposed solution, namely ContraNet 1 , models such contradiction by first taking both the input and the inference result to a generator to obtain a synthetic output and then comparing it against the original input. For legitimate inputs that are correctly inferred, the synthetic output tries to reconstruct the input. On the contrary, for AEs, instead of reconstructing the input, the synthetic output would be created to conform to the wrong label whenever possible. Consequently, by measuring the distance between the input and the synthetic output with metric learning, we can differentiate AEs from legitimate inputs. We perform comprehensive evaluations under various AE attack scenarios, and experimental results show that ContraNet outperforms existing solutions by a large margin, especially under adaptive attacks. Moreover, our analysis shows that successful AEs that can bypass ContraNet tend to have much-weakened adversarial semantics. We have also shown that ContraNet can be easily combined with adversarial training techniques to achieve further improved AE defense capabilities.

show abstract

Some statistical challenges in automated driving systems

Caballero

Insua

Naveiro

2023

Appl Stoch Models Bus & Ind

View full text Add to dashboard Cite

Automated driving systems are rapidly developing. However, numerous open problems remain to be resolved to ensure this technology progresses before its widespread adoption. A large subset of these problems are, or can be framed as, statistical decision problems. Therefore, we present herein several important statistical challenges that emerge when designing and operating automated driving systems. In particular, we focus on those that relate to request‐to‐intervene decisions, ethical decision support, operations in heterogeneous traffic, and algorithmic robustification. For each of these problems, earlier solution approaches are reviewed and alternative solutions are provided with accompanying empirical testing. We also highlight open avenues of inquiry for which applied statistical investigation can help ensure the maturation of automated driving systems. In so doing, we showcase the relevance of statistical research and practice within the context of this revolutionary technology.

show abstract

On Evaluating Adversarial Robustness

Cited by 174 publications

References 32 publications

Benchmarking Robustness of 3D Point Cloud Recognition Against Common Corruptions

Benchmarking Robustness of 3D Point Cloud Recognition Against Common Corruptions

What You See is Not What the Network Infers: Detecting Adversarial Examples Based on Semantic Contradiction

Some statistical challenges in automated driving systems

Contact Info

Product

Resources

About