Automated Discovery of Adaptive Attacks on Adversarial Defenses

Yao, Chengyuan; Bielik, Pavol; Tsankov, Petar; Vechev, Martin

arXiv.org Machine Learning 

Reliable evaluation of adversarial defenses is a challenging task, currently limited to an expert who manually crafts attacks that exploit the defense's inner workings, or to approaches based on an ensemble of fixed attacks, none of which may be effective for the specific defense at hand. Our key observation is that custom attacks are composed from a set of reusable building blocks, such as fine-tuning relevant attack parameters, network transformations, and custom loss functions.

To address this challenge, two recent works approach the problem from different perspectives. Tramer et al. (2020) outlines an approach for manually crafting adaptive attacks that exploit the weak points of each defense. Here, a domain expert starts with an existing attack, such as PGD (Madry et al., 2018) (denoted as - in Figure 1), and adapts it based on knowledge of the defense's inner workings. Common modifications include: (i) tuning attack parameters (e.g., number of steps), (ii) replacing network components to simplify the attack (e.g., removing randomization or non-differentiable components), and (iii) replacing the loss function optimized
