In this technical report, we evaluate the adversarial robustness of a very
recent method called "Geometry-aware Instance-reweighted Adversarial
Training"[7]. GAIRAT reports state-of-the-art results on defenses to
adversarial attacks on the CIFAR-10 dataset. In fact, we find that a network
trained with this method, while showing an improvement over regular adversarial
training (AT), is biasing the model towards certain samples by re-scaling the
loss. Indeed, this leads the model to be susceptible to attacks that scale the
logits. The original model shows an accuracy of 59% under AutoAttack - when
trained with additional data with pseudo-labels. We provide an analysis that
shows the opposite. In particular, we craft a PGD attack multiplying the logits
by a positive scalar that decreases the GAIRAT accuracy from from 55% to 44%,
when trained solely on CIFAR-10. In this report, we rigorously evaluate the
model and provide insights into the reasons behind the vulnerability of GAIRAT
to this adversarial attack. The code to reproduce our evaluation is made
available at this https URL

本技术报告评估了一种最近开发的名为 “几何感知实例加权对抗训练” 的方法在 CIFAR-10 数据集上对抗性攻击的鲁棒性。 通过使用 PGD 攻击来计算了该方法的脆弱性，并解释了导致该方法易受攻击的原因。

评估基于几何感知实例重新加权的对抗训练鲁棒性

Evaluating the Robustness of Geometry-Aware Instance-Reweighted  Adversarial Training

Adversarial perturbations dramatically decrease the accuracy of
state-of-the-art image classifiers. In this paper, we propose and analyze a
simple and computationally efficient defense strategy: inject random Gaussian
noise, discretize each pixel, and then feed the result into any pre-trained
classifier. Theoretically, we show that our randomized discretization strategy
reduces the KL divergence between original and adversarial inputs, leading to a
lower bound on the classification accuracy of any classifier against any
(potentially whitebox) $\ell_\infty$-bounded adversarial attack. Empirically,
we evaluate our defense on adversarial examples generated by a strong iterative
PGD attack. On ImageNet, our defense is more robust than adversarially-trained
networks and the winning defenses of the NIPS 2017 Adversarial Attacks &
Defenses competition.

本文提出采用随机离散化和高斯噪声注入的简单有效防御策略，可以显著提高对抗攻击下的图像分类器准确性，相比于其他对抗训练，以及 NIPS 2017 中获胜的防御方法，在 ImageNet 数据集上表现更优。

通过随机离散化防御白盒对抗攻击

Defending against Whitebox Adversarial Attacks via Randomized  Discretization

In this appraisal paper, we evaluate the efficacy of SHIELD, a
compression-based defense framework for countering adversarial attacks on image
classification models, which was published at KDD 2018. Here, we consider
alternative threat models not studied in the original work, where we assume
that an adaptive adversary is aware of the ensemble defense approach, the
defensive pre-processing, and the architecture and weights of the models used
in the ensemble. We define scenarios with varying levels of threat and
empirically analyze the proposed defense by varying the degree of information
available to the attacker, spanning from a full white-box attack to the
gray-box threat model described in the original work. To evaluate the
robustness of the defense against an adaptive attacker, we consider the
targeted-attack success rate of the Projected Gradient Descent (PGD) attack,
which is a strong gradient-based adversarial attack proposed in adversarial
machine learning research. We also experiment with training the SHIELD ensemble
from scratch, which is different from re-training using a pre-trained model as
done in the original work. We find that the targeted PGD attack has a success
rate of 64.3% against the original SHIELD ensemble in the full white box
scenario, but this drops to 48.9% if the models used in the ensemble are
trained from scratch instead of being retrained. Our experiments further reveal
that an ensemble whose models are re-trained indeed have higher correlation in
the cosine similarity space, and models that are trained from scratch are less
vulnerable to targeted attacks in the white-box and gray-box scenarios.

本文评估用于对抗敌对攻击的压缩式防御框架 SHIELD 的效力，并在原有工作的基础上考虑了替代威胁模型，提出了具有不同危险程度的情况，并通过实验结果得出了在白盒和灰盒情景下训练模型的相关性与承受目标攻击成功率的相关性，证明了从零开始训练模型的更强鲁棒性。

不同威胁模型下 SHIELD 的效能

The Efficacy of SHIELD under Different Threat Models

Recently, Kannan et al. [2018] proposed several logit regularization methods
to improve the adversarial robustness of classifiers. We show that the
computationally fast methods they propose - Clean Logit Pairing (CLP) and Logit
Squeezing (LSQ) - just make the gradient-based optimization problem of crafting
adversarial examples harder without providing actual robustness. We find that
Adversarial Logit Pairing (ALP) may indeed provide robustness against
adversarial examples, especially when combined with adversarial training, and
we examine it in a variety of settings. However, the increase in adversarial
accuracy is much smaller than previously claimed. Finally, our results suggest
that the evaluation against an iterative PGD attack relies heavily on the
parameters used and may result in false conclusions regarding robustness of a
model.

通过研究，我们发现 Clean Logit Pairing (CLP) 和 Logit Squeezing (LSQ) 等方法仅仅增加了制造对抗样本的梯度优化难度并未真正提高分类器的对抗鲁棒性；我们提出的 Adversarial Logit Pairing (ALP) 方法可以在对抗训练的情况下提高分类器的对抗鲁棒性，但是这种提高远远低于之前所声明的。我们得出的结论是，模型对迭代 PGD 攻击的评估严重依赖所使用的参数，并可能导致关于模型鲁棒性的错误结论。