Recent model inversion attack algorithms permit adversaries to reconstruct a
neural network's private training data just by repeatedly querying the network
and inspecting its outputs. In this work, we develop a novel network
architecture that leverages sparse-coding layers to obtain superior robustness
to this class of attacks. Three decades of computer science research has
studied sparse coding in the context of image denoising, object recognition,
and adversarial misclassification settings, but to the best of our knowledge,
its connection to state-of-the-art privacy vulnerabilities remains unstudied.
However, sparse coding architectures suggest an advantageous means to defend
against model inversion attacks because they allow us to control the amount of
irrelevant private information encoded in a network's intermediate
representations in a manner that can be computed efficiently during training
and that is known to have little effect on classification accuracy.
Specifically, compared to networks trained with a variety of state-of-the-art
defenses, our sparse-coding architectures maintain comparable or higher
classification accuracy while degrading state-of-the-art training data
reconstructions by factors of 1.1 to 18.3 across a variety of reconstruction
quality metrics (PSNR, SSIM, FID). This performance advantage holds across 5
datasets ranging from CelebA faces to medical images and CIFAR-10, and across
various state-of-the-art SGD-based and GAN-based inversion attacks, including
Plug-&-Play attacks. We provide a cluster-ready PyTorch codebase to promote
research and standardize defense evaluations.

近期的模型反演攻击算法允许攻击者通过多次查询神经网络并检查其输出来重建网络的私密训练数据。本文开发了一种新型网络架构，利用稀疏编码层来提高对此类攻击的抵御能力。相比于多种最先进的防御方法，我们的稀疏编码网络架构在保持相当或更高分类准确性的同时，能够将最先进的训练数据重构质量降低 1.1 至 18.3 倍。此性能优势适用于从 CelebA 脸部到医学图像和 CIFAR-10 的 5 个数据集，以及包括 Plug-&-Play 攻击在内的各种最先进的基于 SGD 和 GAN 的反演攻击。我们提供了一个可用于集群的 PyTorch 代码库，以推动研究并标准化防御评估。

通过稀疏编码架构提高对模型反转攻击的鲁棒性

Improving Robustness to Model Inversion Attacks via Sparse Coding  Architectures

Hundreds of defenses have been proposed to make deep neural networks robust
against minimal (adversarial) input perturbations. However, only a handful of
these defenses held up their claims because correctly evaluating robustness is
extremely challenging: Weak attacks often fail to find adversarial examples
even if they unknowingly exist, thereby making a vulnerable network look
robust. In this paper, we propose a test to identify weak attacks, and thus
weak defense evaluations. Our test slightly modifies a neural network to
guarantee the existence of an adversarial example for every sample.
Consequentially, any correct attack must succeed in breaking this modified
network. For eleven out of thirteen previously-published defenses, the original
evaluation of the defense fails our test, while stronger attacks that break
these defenses pass it. We hope that attack unit tests - such as ours - will be
a major component in future robustness evaluations and increase confidence in
an empirical field that is currently riddled with skepticism.

该研究提出了一种测试方法以识别弱攻击和防御评估，为了增强透明和信心，将攻击单元测试作为未来强度评估的重要组成部分。

加强对抗性容错性评估的置信度

Increasing Confidence in Adversarial Robustness Evaluations

Speaker recognition systems (SRSs) have recently been shown to be vulnerable
to adversarial attacks, raising significant security concerns. In this work, we
systematically investigate transformation and adversarial training based
defenses for securing SRSs. According to the characteristic of SRSs, we present
22 diverse transformations and thoroughly evaluate them using 7 recent
promising adversarial attacks (4 white-box and 3 black-box) on speaker
recognition. With careful regard for best practices in defense evaluations, we
analyze the strength of transformations to withstand adaptive attacks. We also
evaluate and understand their effectiveness against adaptive attacks when
combined with adversarial training. Our study provides lots of useful insights
and findings, many of them are new or inconsistent with the conclusions in the
image and speech recognition domains, e.g., variable and constant bit rate
speech compressions have different performance, and some non-differentiable
transformations remain effective against current promising evasion techniques
which often work well in the image domain. We demonstrate that the proposed
novel feature-level transformation combined with adversarial training is rather
effective compared to the sole adversarial training in a complete white-box
setting, e.g., increasing the accuracy by 13.62% and attack cost by two orders
of magnitude, while other transformations do not necessarily improve the
overall defense capability. This work sheds further light on the research
directions in this field. We also release our evaluation platform SPEAKERGUARD
to foster further research.

本文系统地探究了基于转换和对抗训练的防御策略，提出了 22 种不同的转换方法，深入评估它们在主要攻击手段下的防御能力，以及对其作用的理解，为进一步的研究提供了有用的洞见和发现，并创建了评估平台 SPEAKERGUARD。