Breaking certified defenses: Semantic adversarial examples with spoofed robustness certificates
Amin Ghiasi, Ali Shafahi, Tom Goldstein
To deflect adversarial attacks, a range of "certified" classifiers have been proposed. In addition to labeling an image, certified classifiers produce (when possible) a certificate guaranteeing that the input image is not an $\ell_p$-bounded adversarial example. We present a new attack that exploits not only the labeling function of a classifier, but also the certificate generator. The proposed method applies large perturbations that place images far from a class boundary while maintaining the imperceptibility property of adversarial examples. The proposed "Shadow Attack" causes certifiably robust networks to mislabel an image and simultaneously produce a "spoofed" certificate of robustness.
Mar-19-2020
- Country:
  - North America
    - United States > Maryland (0.04)
    - Canada > Ontario > Toronto (0.04)
  - Asia > Middle East > Jordan (0.04)
- Genre:
  - Research Report (0.64)
- Industry:
  - Government > Military (0.35)
  - Information Technology > Security & Privacy (0.34)