English

Increasing Confidence in Adversarial Robustness Evaluations

Machine Learning 2022-06-29 v1 Cryptography and Security Computer Vision and Pattern Recognition

Abstract

Hundreds of defenses have been proposed to make deep neural networks robust against minimal (adversarial) input perturbations. However, only a handful of these defenses held up their claims because correctly evaluating robustness is extremely challenging: Weak attacks often fail to find adversarial examples even if they unknowingly exist, thereby making a vulnerable network look robust. In this paper, we propose a test to identify weak attacks, and thus weak defense evaluations. Our test slightly modifies a neural network to guarantee the existence of an adversarial example for every sample. Consequentially, any correct attack must succeed in breaking this modified network. For eleven out of thirteen previously-published defenses, the original evaluation of the defense fails our test, while stronger attacks that break these defenses pass it. We hope that attack unit tests - such as ours - will be a major component in future robustness evaluations and increase confidence in an empirical field that is currently riddled with skepticism.

Keywords

Cite

@article{arxiv.2206.13991,
  title  = {Increasing Confidence in Adversarial Robustness Evaluations},
  author = {Roland S. Zimmermann and Wieland Brendel and Florian Tramer and Nicholas Carlini},
  journal= {arXiv preprint arXiv:2206.13991},
  year   = {2022}
}

Comments

Oral at CVPR 2022 Workshop (Art of Robustness). Project website https://zimmerrol.github.io/active-tests/

R2 v1 2026-06-24T12:06:55.371Z