Practical Evaluation of Adversarial Robustness via Adaptive Auto Attack

Cited by: 27
Authors
Liu, Ye [1, 2]
Cheng, Yaya [1, 2]
Gao, Lianli [1, 2]
Liu, Xianglong [3]
Zhang, Qilong [1, 2]
Song, Jingkuan [1, 2]
Affiliations
[1] Univ Elect Sci & Technol China, Ctr Future Media, Chengdu, Peoples R China
[2] Univ Elect Sci & Technol China, Sch Comp Sci & Engn, Chengdu, Peoples R China
[3] Beihang Univ, Beijing, Peoples R China
Source
2022 IEEE/CVF CONFERENCE ON COMPUTER VISION AND PATTERN RECOGNITION (CVPR 2022) | 2022
Funding
National Natural Science Foundation of China
Keywords
DOI
10.1109/CVPR52688.2022.01468
Chinese Library Classification number
TP18 [Artificial intelligence theory]
Discipline classification codes
081104; 0812; 0835; 1405
Abstract
Defense models against adversarial attacks have grown significantly, but the lack of practical evaluation methods has hindered progress. Evaluation can be defined as looking for defense models' lower bound of robustness given a budget number of iterations and a test dataset. A practical evaluation method should be convenient (i.e., parameter-free), efficient (i.e., fewer iterations) and reliable (i.e., approaching the lower bound of robustness). Towards this target, we propose a parameter-free Adaptive Auto Attack (A3) evaluation method which addresses the efficiency and reliability in a test-time-training fashion. Specifically, by observing that adversarial examples to a specific defense model follow some regularities in their starting points, we design an Adaptive Direction Initialization strategy to speed up the evaluation. Furthermore, to approach the lower bound of robustness under the budget number of iterations, we propose an online statistics-based discarding strategy that automatically identifies and abandons hard-to-attack images. Extensive experiments on nearly 50 widely-used defense models demonstrate the effectiveness of our A3. By consuming much fewer iterations than existing methods, i.e., 1/10 on average (10x speed up), we achieve lower robust accuracy in all cases. Notably, we won first place out of 1681 teams in CVPR 2021 White-box Adversarial Attacks on Defense Models competitions with this method. Code is available at: https://github.com/liuye6666/adaptive_auto_attack
Pages: 15084-15093
Number of pages: 10