Timezone: »

 
Poster
Increasing Confidence in Adversarial Robustness Evaluations
Roland S. Zimmermann · Wieland Brendel · Florian Tramer · Nicholas Carlini

Wed Nov 30 02:30 PM -- 04:00 PM (PST) @ Hall J #512

Hundreds of defenses have been proposed to make deep neural networks robust against minimal (adversarial) input perturbations. However, only a handful of these defenses held up their claims because correctly evaluating robustness is extremely challenging: Weak attacks often fail to find adversarial examples even if they unknowingly exist, thereby making a vulnerable network look robust. In this paper, we propose a test to identify weak attacks and, thus, weak defense evaluations. Our test slightly modifies a neural network to guarantee the existence of an adversarial example for every sample. Consequentially, any correct attack must succeed in breaking this modified network. For eleven out of thirteen previously-published defenses, the original evaluation of the defense fails our test, while stronger attacks that break these defenses pass it. We hope that attack unit tests - such as ours - will be a major component in future robustness evaluations and increase confidence in an empirical field that is currently riddled with skepticism.

Author Information

Roland S. Zimmermann (University of Tübingen, International Max Planck Research School for Intelligent Systems)
Wieland Brendel (AG Bethge, University of Tübingen)
Florian Tramer (ETH Zurich)
Nicholas Carlini (Google)

More from the Same Authors