On Adaptive Attacks to Adversarial Example Defenses
This work addresses the issue of robust model evaluation for the machine learning security community, offering incremental improvements by systematizing attack methodologies.
The paper tackles the problem of incomplete adaptive attack evaluations for adversarial example defenses, demonstrating that 13 recent defenses from major conferences can be circumvented despite such evaluations, and provides methodological guidance for performing proper adaptive attacks.
Adaptive attacks have (rightfully) become the de facto standard for evaluating defenses to adversarial examples. We find, however, that typical adaptive evaluations are incomplete. We demonstrate that thirteen defenses recently published at ICLR, ICML and NeurIPS---and chosen for illustrative and pedagogical purposes---can be circumvented despite attempting to perform evaluations using adaptive attacks. While prior evaluation papers focused mainly on the end result---showing that a defense was ineffective---this paper focuses on laying out the methodology and the approach necessary to perform an adaptive attack. We hope that these analyses will serve as guidance on how to properly perform adaptive attacks against defenses to adversarial examples, and thus will allow the community to make further progress in building more robust models.