English

Randomness in ML Defenses Helps Persistent Attackers and Hinders Evaluators

Machine Learning 2023-02-28 v1 Cryptography and Security

Abstract

It is becoming increasingly imperative to design robust ML defenses. However, recent work has found that many defenses that initially resist state-of-the-art attacks can be broken by an adaptive adversary. In this work we take steps to simplify the design of defenses and argue that white-box defenses should eschew randomness when possible. We begin by illustrating a new issue with the deployment of randomized defenses that reduces their security compared to their deterministic counterparts. We then provide evidence that making defenses deterministic simplifies robustness evaluation, without reducing the effectiveness of a truly robust defense. Finally, we introduce a new defense evaluation framework that leverages a defense's deterministic nature to better evaluate its adversarial robustness.

Keywords

Cite

@article{arxiv.2302.13464,
  title  = {Randomness in ML Defenses Helps Persistent Attackers and Hinders Evaluators},
  author = {Keane Lucas and Matthew Jagielski and Florian Tramèr and Lujo Bauer and Nicholas Carlini},
  journal= {arXiv preprint arXiv:2302.13464},
  year   = {2023}
}
R2 v1 2026-06-28T08:50:04.231Z