Towards Evaluating the Robustness of Neural Networks

Nicholas Carlini, David Wagner

Abstract

Neural networks provide state-of-the-art results for most machine learning tasks. Unfortunately, neural networks are vulnerable to adversarial examples: given an input $x$ and any target classification $t$ , it is possible to find a new input $x^{\prime}$ that is similar to $x$ but classified as $t$ . This makes it difficult to apply neural networks in security-critical areas. Defensive distillation is a recently proposed approach that can take an arbitrary neural network, and increase its robustness, reducing the success rate of current attacks’ ability to find adversarial examples from $95\%$ to $0.5\%$ .

In this paper, we demonstrate that defensive distillation does not significantly increase the robustness of neural networks by introducing three new attack algorithms that are successful on both distilled and undistilled neural networks with $100\%$ probability. Our attacks are tailored to three distance metrics used previously in the literature, and when compared to previous adversarial example generation algorithms, our attacks are often much more effective (and never worse). Furthermore, we propose using high-confidence adversarial examples in a simple transferability test we show can also be used to break defensive distillation. We hope our attacks will be used as a benchmark in future defense attempts to create neural networks that resist adversarial examples.

I Introduction

Deep neural networks have become increasingly effective at many difficult machine-learning tasks. In the image recognition domain, they are able to recognize images with near-human accuracy . They are also used for speech recognition , natural language processing , and playing games .

However, researchers have discovered that existing neural networks are vulnerable to attack. Szegedy et al. first noticed the existence of adversarial examples in the image classification domain: it is possible to transform an image by a small amount and thereby change how the image is classified. Often, the total amount of change required can be so small as to be undetectable.

The degree to which attackers can find adversarial examples limits the domains in which neural networks can be used. For example, if we use neural networks in self-driving cars, adversarial examples could allow an attacker to cause the car to take unwanted actions.

The existence of adversarial examples has inspired research on how to harden neural networks against these kinds of attacks. Many early attempts to secure neural networks failed or provided only marginal robustness improvements .

Defensive distillation is one such recent defense proposed for hardening neural networks against adversarial examples. Initial analysis proved to be very promising: defensive distillation defeats existing attack algorithms and reduces their success probability from $95\%$ to $0.5\%$ . Defensive distillation can be applied to any feed-forward neural network and only requires a single re-training step, and is currently one of the only defenses giving strong security guarantees against adversarial examples.

In general, there are two different approaches one can take to evaluate the robustness of a neural network: attempt to prove a lower bound, or construct attacks that demonstrate an upper bound. The former approach, while sound, is substantially more difficult to implement in practice, and all attempts have required approximations . On the other hand, if the attacks used in the the latter approach are not sufficiently strong and fail often, the upper bound may not be useful.

In this paper we create a set of attacks that can be used to construct an upper bound on the robustness of neural networks. As a case study, we use these attacks to demonstrate that defensive distillation does not actually eliminate adversarial examples. We construct three new attacks (under three previously used distance metrics: $L_{0}$ , $L_{2}$ , and $L_{\infty}$ ) that succeed in finding adversarial examples for $100\%$ of images on defensively distilled networks. While defensive distillation stops previously published attacks, it cannot resist the more powerful attack techniques we introduce in this paper.

This case study illustrates the general need for better techniques to evaluate the robustness of neural networks: while distillation was shown to be secure against the current state-of-the-art attacks, it fails against our stronger attacks. Furthermore, when comparing our attacks against the current state-of-the-art on standard unsecured models, our methods generate adversarial examples with less total distortion in every case. We suggest that our attacks are a better baseline for evaluating candidate defenses: before placing any faith in a new possible defense, we suggest that designers at least check whether it can resist our attacks.

We additionally propose using high-confidence adversarial examples to evaluate the robustness of defenses. Transferability is the well-known property that adversarial examples on one model are often also adversarial on another model. We demonstrate that adversarial examples from our attacks are transferable from the unsecured model to the defensively distilled (secured) model. In general, we argue that any defense must demonstrate it is able to break the transferability property.

We evaluate our attacks on three standard datasets: MNIST , a digit-recognition task (0-9); CIFAR-10 , a small-image recognition task, also with 10 classes; and ImageNet , a large-image recognition task with 1000 classes.

Figure 1 shows examples of adversarial examples our techniques generate on defensively distilled networks trained on the MNIST and CIFAR datasets.

In one extreme example for the ImageNet classification task, we can cause the Inception v3 network to incorrectly classify images by changing only the lowest order bit of each pixel. Such changes are impossible to detect visually.

To enable others to more easily use our work to evaluate the robustness of other defenses, all of our adversarial example generation algorithms (along with code to train the models we use, to reproduce the results we present) are available online at http://nicholas.carlini.com/code/nn_robust_attacks.

This paper makes the following contributions:

We introduce three new attacks for the $L_{0}$ , $L_{2}$ , and $L_{\infty}$ distance metrics. Our attacks are significantly more effective than previous approaches. Our $L_{0}$ attack is the first published attack that can cause targeted misclassification on the ImageNet dataset.

We apply these attacks to defensive distillation and discover that distillation provides little security benefit over un-distilled networks.

We propose using high-confidence adversarial examples in a simple transferability test to evaluate defenses, and show this test breaks defensive distillation.

We systematically evaluate the choice of the objective function for finding adversarial examples, and show that the choice can dramatically impact the efficacy of an attack.

II Background

Machine learning is being used in an increasing array of settings to make potentially security critical decisions: self-driving cars , drones , robots , anomaly detection , malware classification , speech recognition and recognition of voice commands , NLP , and many more. Consequently, understanding the security properties of deep learning has become a crucial question in this area. The extent to which we can construct adversarial examples influences the settings in which we may want to (or not want to) use neural networks.

In the speech recognition domain, recent work has shown it is possible to generate audio that sounds like speech to machine learning algorithms but not to humans. This can be used to control user’s devices without their knowledge. For example, by playing a video with a hidden voice command, it may be possible to cause a smart phone to visit a malicious webpage to cause a drive-by download. This work focused on conventional techniques (Gaussian Mixture Models and Hidden Markov Models), but as speech recognition is increasingly using neural networks, the study of adversarial examples becomes relevant in this domain. Strictly speaking, hidden voice commands are not adversarial examples because they are not similar to the original input .

In the space of malware classification, the existence of adversarial examples not only limits their potential application settings, but entirely defeats its purpose: an adversary who is able to make only slight modifications to a malware file that cause it to remain malware, but become classified as benign, has entirely defeated the malware classifier .

Turning back to the threat to self-driving cars introduced earlier, this is not an unrealistic attack: it has been shown that adversarial examples are possible in the physical world after taking pictures of them.

The key question then becomes exactly how much distortion we must add to cause the classification to change. In each domain, the distance metric that we must use is different. In the space of images, which we focus on in this paper, we rely on previous work that suggests that various $L_{p}$ norms are reasonable approximations of human perceptual distance (see Section II-D for more information).

We assume in this paper that the adversary has complete access to a neural network, including the architecture and all paramaters, and can use this in a white-box manner. This is a conservative and realistic assumption: prior work has shown it is possible to train a substitute model given black-box access to a target model, and by attacking the substitute model, we can then transfer these attacks to the target model.

Given these threats, there have been various attempts at constructing defenses that increase the robustness of a neural network, defined as a measure of how easy it is to find adversarial examples that are close to their original input.

In this paper we study one of these, distillation as a defense , that hopes to secure an arbitrary neural network. This type of defensive distillation was shown to make generating adversarial examples nearly impossible for existing attack techniques . We find that although the current state-of-the-art fails to find adversarial examples for defensively distilled networks, the stronger attacks we develop in this paper are able to construct adversarial examples.

II-B Neural Networks and Notation

In this paper we focus on neural networks used as an $m$ -class classifier. The output of the network is computed using the softmax function, which ensures that the output vector $y$ satisfies $0\leq y_{i}\leq 1$ and $y_{1}+\dots+y_{m}=1$ . The output vector $y$ is thus treated as a probability distribution, i.e., $y_{i}$ is treated as the probability that input $x$ has class $i$ . The classifier assigns the label $C(x)=\arg\max_{i}F(x)_{i}$ to the input $x$ . Let $C^{*}(x)$ be the correct label of $x$ . The inputs to the softmax function are called logits.

We use the notation from Papernot et al. : define $F$ to be the full neural network including the softmax function, $Z(x)=z$ to be the output of all layers except the softmax (so $z$ are the logits), and

A neural network typically Most simple networks have this simple linear structure, however other more sophisticated networks have more complicated structures (e.g., ResNet and Inception ). The network architecture does not impact our attacks. consists of layers

for some non-linear activation function $\sigma$ , some matrix $\theta_{i}$ of model weights, and some vector $\hat{\theta}_{i}$ of model biases. Together $\theta$ and $\hat{\theta}$ make up the model parameters. Common choices of $\sigma$ are tanh , sigmoid, ReLU , or ELU . In this paper we focus primarily on networks that use a ReLU activation function, as it currently is the most widely used activation function .

II-C Adversarial Examples

Szegedy et al. first pointed out the existence of adversarial examples: given a valid input $x$ and a target $t\neq C^{*}(x)$ , it is often possible to find a similar input $x^{\prime}$ such that $C(x^{\prime})=t$ yet $x,x^{\prime}$ are close according to some distance metric. An example $x^{\prime}$ with this property is known as a targeted adversarial example.

A less powerful attack also discussed in the literature instead asks for untargeted adversarial examples: instead of classifying $x$ as a given target class, we only search for an input $x^{\prime}$ so that $C(x^{\prime})\neq C^{*}(x)$ and $x,x^{\prime}$ are close. Untargeted attacks are strictly less powerful than targeted attacks and we do not consider them in this paper. An untargeted attack is simply a more efficient (and often less accurate) method of running a targeted attack for each target and taking the closest. In this paper we focus on identifying the most accurate attacks, and do not consider untargeted attacks.

Instead, we consider three different approaches for how to choose the target class, in a targeted attack:

Average Case: select the target class uniformly at random among the labels that are not the correct label.

Best Case: perform the attack against all incorrect classes, and report the target class that was least difficult to attack.

Worst Case: perform the attack against all incorrect classes, and report the target class that was most difficult to attack.

In all of our evaluations we perform all three types of attacks: best-case, average-case, and worst-case. Notice that if a classifier is only accurate $80\%$ of the time, then the best case attack will require a change of in $20\%$ of cases.

On ImageNet, we approximate the best-case and worst-case attack by sampling 100 random target classes out of the 1,000 possible for efficiency reasons.

II-D Distance Metrics

In our definition of adversarial examples, we require use of a distance metric to quantify similarity. There are three widely-used distance metrics in the literature for generating adversarial examples, all of which are $L_{p}$ norms.

The $L_{p}$ distance is written $\|x-x^{\prime}\|_{p}$ , where the $p$ -norm $\|\cdot\|_{p}$ is defined as

$L_{0}$ distance measures the number of coordinates $i$ such that $x_{i}\neq x^{\prime}_{i}$ . Thus, the $L_{0}$ distance corresponds to the number of pixels that have been altered in an image.In RGB images, there are three channels that each can change. We count the number of pixels that are different, where two pixels are considered different if any of the three colors are different. We do not consider a distance metric where an attacker can change one color plane but not another meaningful. We relax this requirement when comparing to other $L_{0}$ attacks that do not make this assumption to provide for a fair comparison.

Papernot et al. argue for the use of the $L_{0}$ distance metric, and it is the primary distance metric under which defensive distillation’s security is argued .

$L_{2}$ distance measures the standard Euclidean (root-mean-square) distance between $x$ and $x^{\prime}$ . The $L_{2}$ distance can remain small when there are many small changes to many pixels.

This distance metric was used in the initial adversarial example work .

$L_{\infty}$ distance measures the maximum change to any of the coordinates:

For images, we can imagine there is a maximum budget, and each pixel is allowed to be changed by up to this limit, with no limit on the number of pixels that are modified.

Goodfellow et al. argue that $L_{\infty}$ is the optimal distance metric to use and in a follow-up paper Papernot et al. argue distillation is secure under this distance metric .

No distance metric is a perfect measure of human perceptual similarity, and we pass no judgement on exactly which distance metric is optimal. We believe constructing and evaluating a good distance metric is an important research question we leave to future work.

However, since most existing work has picked one of these three distance metrics, and since defensive distillation argued security against two of these, we too use these distance metrics and construct attacks that perform superior to the state-of-the-art for each of these distance metrics.

When reporting all numbers in this paper, we report using the distance metric as defined above, on the range $ $. (That is, changing a pixel in a greyscale image from full-on to full-off will result in$ L_{2} $change of$ 1.0 $and a$ L_{\infty} $change of$ 1.0 $, not$ 255$.)

II-E Defensive Distillation

We briefly provide a high-level overview of defensive distillation. We provide a complete description later in Section VIII.

To defensively distill a neural network, begin by first training a network with identical architecture on the training data in a standard manner. When we compute the softmax while training this network, replace it with a more-smooth version of the softmax (by dividing the logits by some constant $T$ ). At the end of training, generate the soft training labels by evaluating this network on each of the training instances and taking the output labels of the network.

Then, throw out the first network and use only the soft training labels. With those, train a second network where instead of training it on the original training labels, use the soft labels. This trains the second model to behave like the first model, and the soft labels convey additional hidden knowledge learned by the first model.

The key insight here is that by training to match the first network, we will hopefully avoid over-fitting against any of the training data. If the reason that neural networks exist is because neural networks are highly non-linear and have “blind spots” where adversarial examples lie, then preventing this type of over-fitting might remove those blind spots.

In fact, as we will see later, defensive distillation does not remove adversarial examples. One potential reason this may occur is that others have argued the reason adversarial examples exist is not due to blind spots in a highly non-linear neural network, but due only to the locally-linear nature of neural networks. This so-called linearity hypothesis appears to be true , and under this explanation it is perhaps less surprising that distillation does not increase the robustness of neural networks.

II-F Organization

The remainder of this paper is structured as follows. In the next section, we survey existing attacks that have been proposed in the literature for generating adversarial examples, for the $L_{2}$ , $L_{\infty}$ , and $L_{0}$ distance metrics. We then describe our attack algorithms that target the same three distance metrics and provide superior results to the prior work. Having developed these attacks, we review defensive distillation in more detail and discuss why the existing attacks fail to find adversarial examples on defensively distilled networks. Finally, we attack defensive distillation with our new algorithms and show that it provides only limited value.

III Attack Algorithms

Szegedy et al. generated adversarial examples using box-constrained L-BFGS. Given an image $x$ , their method finds a different image $x^{\prime}$ that is similar to $x$ under $L_{2}$ distance, yet is labeled differently by the classifier. They model the problem as a constrained minimization problem:

This problem can be very difficult to solve, however, so Szegedy et al. instead solve the following problem:

where $\text{loss}_{F,l}$ is a function mapping an image to a positive real number. One common loss function to use is cross-entropy. Line search is performed to find the constant $c>0$ that yields an adversarial example of minimum distance: in other words, we repeatedly solve this optimization problem for multiple values of $c$ , adaptively updating $c$ using bisection search or any other method for one-dimensional optimization.

III-B Fast Gradient Sign

The fast gradient sign method has two key differences from the L-BFGS method: first, it is optimized for the $L_{\infty}$ distance metric, and second, it is designed primarily to be fast instead of producing very close adversarial examples. Given an image $x$ the fast gradient sign method sets

where $\epsilon$ is chosen to be sufficiently small so as to be undetectable, and $t$ is the target label. Intuitively, for each pixel, the fast gradient sign method uses the gradient of the loss function to determine in which direction the pixel’s intensity should be changed (whether it should be increased or decreased) to minimize the loss function; then, it shifts all pixels simultaneously.

It is important to note that the fast gradient sign attack was designed to be fast, rather than optimal. It is not meant to produce the minimal adversarial perturbations.

Kurakin et al. introduce a simple refinement of the fast gradient sign method where instead of taking a single step of size $\epsilon$ in the direction of the gradient-sign, multiple smaller steps $\alpha$ are taken, and the result is clipped by the same $\epsilon$ . Specifically, begin by setting

Iterative gradient sign was found to produce superior results to fast gradient sign .

III-C JSMA

Papernot et al. introduced an attack optimized under $L_{0}$ distance known as the Jacobian-based Saliency Map Attack (JSMA). We give a brief summary of their attack algorithm; for a complete description and motivation, we encourage the reader to read their original paper .

At a high level, the attack is a greedy algorithm that picks pixels to modify one at a time, increasing the target classification on each iteration. They use the gradient $\nabla Z(x)_{l}$ to compute a saliency map, which models the impact each pixel has on the resulting classification. A large value indicates that changing it will significantly increase the likelihood of the model labeling the image as the target class $l$ . Given the saliency map, it picks the most important pixel and modify it to increase the likelihood of class $l$ . This is repeated until either more than a set threshold of pixels are modified which makes the attack detectable, or it succeeds in changing the classification.

In more detail, we begin by defining the saliency map in terms of a pair of pixels $p,q$ . Define

so that $\alpha_{pq}$ represents how much changing both pixels $p$ and $q$ will change the target classification, and $\beta_{pq}$ represents how much changing $p$ and $q$ will change all other outputs. Then the algorithm picks

so that $\alpha_{pq}>0$ (the target class is more likely), $\beta_{pq}<0$ (the other classes become less likely), and $-\alpha_{pq}\cdot\beta_{pq}$ is largest.

Notice that JSMA uses the output of the second-to-last layer $Z$ , the logits, in the calculation of the gradient: the output of the softmax $F$ is not used. We refer to this as the JSMA-Z attack.

However, when the authors apply this attack to their defensively distilled networks, they modify the attack so it uses $F$ instead of $Z$ . In other words, their computation uses the output of the softmax ( $F$ ) instead of the logits ( $Z$ ). We refer to this modification as the JSMA-F attack.We verified this via personal communication with the authors.

When an image has multiple color channels (e.g., RGB), this attack considers the $L_{0}$ difference to be $1$ for each color channel changed independently (so that if all three color channels of one pixel change change, the $L_{0}$ norm would be 3). While we do not believe this is a meaningful threat model, when comparing to this attack, we evaluate under both models.

III-D Deepfool

Deepfool is an untargeted attack technique optimized for the $L_{2}$ distance metric. It is efficient and produces closer adversarial examples than the L-BFGS approach discussed earlier.

The authors construct Deepfool by imagining that the neural networks are totally linear, with a hyperplane separating each class from another. From this, they analytically derive the optimal solution to this simplified problem, and construct the adversarial example.

Then, since neural networks are not actually linear, they take a step towards that solution, and repeat the process a second time. The search terminates when a true adversarial example is found.

The exact formulation used is rather sophisticated; interested readers should refer to the original work .

IV Experimental Setup

Before we develop our attack algorithms to break distillation, we describe how we train the models on which we will evaluate our attacks.

We train two networks for the MNIST and CIFAR-10 classification tasks, and use one pre-trained network for the ImageNet classification task . Our models and training approaches are identical to those presented in . We achieve $99.5\%$ accuracy on MNIST, comparable to the state of the art. On CIFAR-10, we achieve $80\%$ accuracy, identical to the accuracy given in the distillation work. This is compared to the state-of-the-art result of $95\%$ . However, in order to provide the most accurate comparison to the original work, we feel it is important to reproduce their model architectures.

MNIST and CIFAR-10. The model architecture is given in Table I and the hyperparameters selected in Table II. We use a momentum-based SGD optimizer during training.

The CIFAR-10 model significantly overfits the training data even with dropout: we obtain a final training cross-entropy loss of $0.05$ with accuracy $98\%$ , compared to a validation loss of $1.2$ with validation accuracy $80\%$ . We do not alter the network by performing image augmentation or adding additional dropout as that was not done in .

ImageNet. Along with considering MNIST and CIFAR, which are both relatively small datasets, we also consider the ImageNet dataset. Instead of training our own ImageNet model, we use the pre-trained Inception v3 network , which achieves $96\%$ top-5 accuracy (that is, the probability that the correct class is one of the five most likely as reported by the network is $96\%$ ). Inception takes images as $299\times 299\times 3$ dimensional vectors.

V Our Approach

We now turn to our approach for constructing adversarial examples. To begin, we rely on the initial formulation of adversarial examples and formally define the problem of finding an adversarial instance for an image $x$ as follows:

where $x$ is fixed, and the goal is to find $\delta$ that minimizes $\mathcal{D}(x,x+\delta)$ . That is, we want to find some small change $\delta$ that we can make to an image $x$ that will change its classification, but so that the result is still a valid image. Here $\mathcal{D}$ is some distance metric; for us, it will be either $L_{0}$ , $L_{2}$ , or $L_{\infty}$ as discussed earlier.

We solve this problem by formulating it as an appropriate optimization instance that can be solved by existing optimization algorithms. There are many possible ways to do this; we explore the space of formulations and empirically identify which ones lead to the most effective attacks.

The above formulation is difficult for existing algorithms to solve directly, as the constraint $C(x+\delta)=t$ is highly non-linear. Therefore, we express it in a different form that is better suited for optimization. We define an objective function $f$ such that $C(x+\delta)=t$ if and only if $f(x+\delta)\leq 0$ . There are many possible choices for $f$ :

where $s$ is the correct classification, $(e)^{+}$ is short-hand for $\max(e,0)$ , $\text{softplus}(x)=\log(1+\exp(x))$ , and $\text{loss}_{F,s}(x)$ is the cross entropy loss for $x$ .

Notice that we have adjusted some of the above formula by adding a constant; we have done this only so that the function respects our definition. This does not impact the final result, as it just scales the minimization function.

Now, instead of formulating the problem as

where $c>0$ is a suitably chosen constant. These two are equivalent, in the sense that there exists $c>0$ such that the optimal solution to the latter matches the optimal solution to the former. After instantiating the distance metric $\mathcal{D}$ with an $l_{p}$ norm, the problem becomes: given $x$ , find $\delta$ that solves

Empirically, we have found that often the best way to choose $c$ is to use the smallest value of $c$ for which the resulting solution $x^{*}$ has $f(x^{*})\leq 0$ . This causes gradient descent to minimize both of the terms simultaneously instead of picking only one to optimize over first.

We verify this by running our $f_{6}$ formulation (which we found most effective) for values of $c$ spaced uniformly (on a log scale) from $c=0.01$ to $c=100$ on the MNIST dataset. We plot this line in Figure 2. The corresponding figures for other objective functions are similar; we omit them for brevity.

Further, we have found that if choose the smallest $c$ such that $f(x^{*})\leq 0$ , the solution is within $5\%$ of optimal $70\%$ of the time, and within $30\%$ of optimal $98\%$ of the time, where “optimal” refers to the solution found using the best value of $c$ . Therefore, in our implementations we use modified binary search to choose $c$ .

V-B Box constraints

To ensure the modification yields a valid image, we have a constraint on $\delta$ : we must have $0\leq x_{i}+\delta_{i}\leq 1$ for all $i$ . In the optimization literature, this is known as a “box constraint.” Previous work uses a particular optimization algorithm, L-BFGS-B, which supports box constraints natively.

We investigate three different methods of approaching this problem.

Projected gradient descent performs one step of standard gradient descent, and then clips all the coordinates to be within the box.

This approach can work poorly for gradient descent approaches that have a complicated update step (for example, those with momentum): when we clip the actual $x_{i}$ , we unexpectedly change the input to the next iteration of the algorithm.

Clipped gradient descent does not clip $x_{i}$ on each iteration; rather, it incorporates the clipping into the objective function to be minimized. In other words, we replace $f(x+\delta)$ with $f(\min(\max(x+\delta,0),1))$ , with the min and max taken component-wise.

While solving the main issue with projected gradient descent, clipping introduces a new problem: the algorithm can get stuck in a flat spot where it has increased some component $x_{i}$ to be substantially larger than the maximum allowed. When this happens, the partial derivative becomes zero, so even if some improvement is possible by later reducing $x_{i}$ , gradient descent has no way to detect this.

Change of variables introduces a new variable $w$ and instead of optimizing over the variable $\delta$ defined above, we apply a change-of-variables and optimize over $w$ , setting

Since $-1\leq\tanh(w_{i})\leq 1$ , it follows that $0\leq x_{i}+\delta_{i}\leq 1$ , so the solution will automatically be valid. Instead of scaling by $\frac{1}{2}$ we scale by $\frac{1}{2}+\epsilon$ to avoid dividing by zero.

We can think of this approach as a smoothing of clipped gradient descent that eliminates the problem of getting stuck in extreme regions.

These methods allow us to use other optimization algorithms that don’t natively support box constraints. We use the Adam optimizer almost exclusively, as we have found it to be the most effective at quickly finding adversarial examples. We tried three solvers — standard gradient descent, gradient descent with momentum, and Adam — and all three produced identical-quality solutions. However, Adam converges substantially more quickly than the others.

V-C Evaluation of approaches

For each possible objective function $f(\cdot)$ and method to enforce the box constraint, we evaluate the quality of the adversarial examples found.

To choose the optimal $c$ , we perform $20$ iterations of binary search over $c$ . For each selected value of $c$ , we run $10,000$ iterations of gradient descent with the Adam optimizer. Adam converges to $95\%$ of optimum within $1,000$ iterations $92\%$ of the time. For completeness we run it for $10,000$ iterations at each step.

The results of this analysis are in Table III. We evaluate the quality of the adversarial examples found on the MNIST and CIFAR datasets. The relative ordering of each objective function is identical between the two datasets, so for brevity we report only results for MNIST.

There is a factor of three difference in quality between the best objective function and the worst. The choice of method for handling box constraints does not impact the quality of results as significantly for the best minimization functions.

In fact, the worst performing objective function, cross entropy loss, is the approach that was most suggested in the literature previously .

Why are some loss functions better than others? When $c=0$ , gradient descent will not make any move away from the initial image. However, a large $c$ often causes the initial steps of gradient descent to perform in an overly-greedy manner, only traveling in the direction which can most easily reduce $f$ and ignoring the $\mathcal{D}$ loss — thus causing gradient descent to find sub-optimal solutions.

This means that for loss function $f_{1}$ and $f_{4}$ , there is no good constant $c$ that is useful throughout the duration of the gradient descent search. Since the constant $c$ weights the relative importance of the distance term and the loss term, in order for a fixed constant $c$ to be useful, the relative value of these two terms should remain approximately equal. This is not the case for these two loss functions.

To explain why this is the case, we will have to take a side discussion to analyze how adversarial examples exist. Consider a valid input $x$ and an adversarial example $x^{\prime}$ on a network.

What does it look like as we linearly interpolate from $x$ to $x^{\prime}$ ? That is, let $y=\alpha x+(1-\alpha)x^{\prime}$ for $\alpha\in$ . It turns out the value of $Z(\cdot)_{t}$ is mostly linear from the input to the adversarial example, and therefore the $F(\cdot)_{t}$ is a logistic. We verify this fact empirically by constructing adversarial examples on the first $1,000$ test images on both the MNIST and CIFAR dataset with our approach, and find the Pearson correlation coefficient $r>.9$ .

Given this, consider loss function $f_{4}$ (the argument for $f_{1}$ is similar). In order for the gradient descent attack to make any change initially, the constant $c$ will have to be large enough that

implying that $c$ must be larger than the inverse of the gradient to make progress, but the gradient of $f_{1}$ is identical to $F(\cdot)_{t}$ so will be tiny around the initial image, meaning $c$ will have to be extremely large.

However, as soon as we leave the immediate vicinity of the initial image, the gradient of $\nabla f_{1}(x+\delta)$ increases at an exponential rate, making the large constant $c$ cause gradient descent to perform in an overly greedy manner.

We verify all of this theory empirically. When we run our attack trying constants chosen from $10^{-10}$ to $10^{10}$ the average constant for loss function $f_{4}$ was $10^{6}$ .

The average gradient of the loss function $f_{1}$ around the valid image is $2^{-20}$ but $2^{-1}$ at the closest adversarial example. This means $c$ is a million times larger than it has to be, causing the loss function $f_{4}$ and $f_{1}$ to perform worse than any of the others.

V-D Discretization

We model pixel intensities as a (continuous) real number in the range $ $. However, in a valid image, each pixel intensity must be a (discrete) integer in the range$ \{0,1,\dots,255\} $. This additional requirement is not captured in our formulation. In practice, we ignore the integrality constraints, solve the continuous optimization problem, and then round to the nearest integer: the intensity of the$ i $th pixel becomes$ \lfloor 255(x_{i}+\delta_{i})\rceil$.

This rounding will slightly degrade the quality of the adversarial example. If we need to restore the attack quality, we perform greedy search on the lattice defined by the discrete solutions by changing one pixel value at a time. This greedy search never failed for any of our attacks.

Prior work has largely ignored the integrality constraints.One exception: The JSMA attack handles this by only setting the output value to either 0 or 255. For instance, when using the fast gradient sign attack with $\epsilon=0.1$ (i.e., changing pixel values by $10\%$ ), discretization rarely affects the success rate of the attack. In contrast, in our work, we are able to find attacks that make much smaller changes to the images, so discretization effects cannot be ignored. We take care to always generate valid images; when reporting the success rate of our attacks, they always are for attacks that include the discretization post-processing.

VI Our Three Attacks

Putting these ideas together, we obtain a method for finding adversarial examples that will have low distortion in the $L_{2}$ metric. Given $x$ , we choose a target class $t$ (such that we have $t\neq C^{*}(x)$ ) and then search for $w$ that solves

This $f$ is based on the best objective function found earlier, modified slightly so that we can control the confidence with which the misclassification occurs by adjusting $\kappa$ . The parameter $\kappa$ encourages the solver to find an adversarial instance $x^{\prime}$ that will be classified as class $t$ with high confidence. We set $\kappa=0$ for our attacks but we note here that a side benefit of this formulation is it allows one to control for the desired confidence. This is discussed further in Section VIII-D.

Figure 3 shows this attack applied to our MNIST model for each source digit and target digit. Almost all attacks are visually indistinguishable from the original digit.

A comparable figure (Figure 12) for CIFAR is in the appendix. No attack is visually distinguishable from the baseline image.

Multiple starting-point gradient descent. The main problem with gradient descent is that its greedy search is not guaranteed to find the optimal solution and can become stuck in a local minimum. To remedy this, we pick multiple random starting points close to the original image and run gradient descent from each of those points for a fixed number of iterations. We randomly sample points uniformly from the ball of radius $r$ , where $r$ is the closest adversarial example found so far. Starting from multiple starting points reduces the likelihood that gradient descent gets stuck in a bad local minimum.

The $L_{0}$ distance metric is non-differentiable and therefore is ill-suited for standard gradient descent. Instead, we use an iterative algorithm that, in each iteration, identifies some pixels that don’t have much effect on the classifier output and then fixes those pixels, so their value will never be changed. The set of fixed pixels grows in each iteration until we have, by process of elimination, identified a minimal (but possibly not minimum) subset of pixels that can be modified to generate an adversarial example. In each iteration, we use our $L_{2}$ attack to identify which pixels are unimportant.

In more detail, on each iteration, we call the $L_{2}$ adversary, restricted to only modify the pixels in the allowed set. Let $\delta$ be the solution returned from the $L_{2}$ adversary on input image $x$ , so that $x+\delta$ is an adversarial example. We compute $g=\nabla f(x+\delta)$ (the gradient of the objective function, evaluated at the adversarial instance). We then select the pixel $i=\arg\min_{i}g_{i}\cdot\delta_{i}$ and fix $i$ , i.e., remove $i$ from the allowed set.Selecting the index $i$ that minimizes $\delta_{i}$ is simpler, but it yields results with $1.5\times$ higher $L_{0}$ distortion. The intuition is that $g_{i}\cdot\delta_{i}$ tells us how much reduction to $f(\cdot)$ we obtain from the $i$ th pixel of the image, when moving from $x$ to $x+\delta$ : $g_{i}$ tells us how much reduction in $f$ we obtain, per unit change to the $i$ th pixel, and we multiply this by how much the $i$ th pixel has changed. This process repeats until the $L_{2}$ adversary fails to find an adversarial example.

There is one final detail required to achieve strong results: choosing a constant $c$ to use for the $L_{2}$ adversary. To do this, we initially set $c$ to a very low value (e.g., $10^{-4}$ ). We then run our $L_{2}$ adversary at this $c$ -value. If it fails, we double $c$ and try again, until it is successful. We abort the search if $c$ exceeds a fixed threshold (e.g., $10^{10}$ ).

JSMA grows a set — initially empty — of pixels that are allowed to be changed and sets the pixels to maximize the total loss. In contrast, our attack shrinks the set of pixels — initially containing every pixel — that are allowed to be changed.

Our algorithm is significantly more effective than JSMA (see Section V for an evaluation). It is also efficient: we introduce optimizations that make it about as fast as our $L_{2}$ attack with a single starting point on MNIST and CIFAR; it is substantially slower on ImageNet. Instead of starting gradient descent in each iteration from the initial image, we start the gradient descent from the solution found on the previous iteration (“warm-start”). This dramatically reduces the number of rounds of gradient descent needed during each iteration, as the solution with $k$ pixels held constant is often very similar to the solution with $k+1$ pixels held constant.

Figure 4 shows the $L_{0}$ attack applied to one digit of each source class, targeting each target class, on the MNIST dataset. The attacks are visually noticeable, implying the $L_{0}$ attack is more difficult than $L_{2}$ . Perhaps the worst case is that of a 7 being made to classify as a 6; interestingly, this attack for $L_{2}$ is one of the only visually distinguishable attacks.

A comparable figure (Figure 11) for CIFAR is in the appendix.

The $L_{\infty}$ distance metric is not fully differentiable and standard gradient descent does not perform well for it. We experimented with naively optimizing

However, we found that gradient descent produces very poor results: the $\|\delta\|_{\infty}$ term only penalizes the largest (in absolute value) entry in $\delta$ and has no impact on any of the other. As such, gradient descent very quickly becomes stuck oscillating between two suboptimal solutions. Consider a case where $\delta_{i}=0.5$ and $\delta_{j}=0.5-\epsilon$ . The $L_{\infty}$ norm will only penalize $\delta_{i}$ , not $\delta_{j}$ , and $\frac{\partial}{\partial\delta_{j}}\|\delta\|_{\infty}$ will be zero at this point. Thus, the gradient imposes no penalty for increasing $\delta_{j}$ , even though it is already large. On the next iteration we might move to a position where $\delta_{j}$ is slightly larger than $\delta_{i}$ , say $\delta_{i}=0.5-\epsilon^{\prime}$ and $\delta_{j}=0.5+\epsilon^{\prime\prime}$ , a mirror image of where we started. In other words, gradient descent may oscillate back and forth across the line $\delta_{i}=\delta_{j}=0.5$ , making it nearly impossible to make progress.

We resolve this issue using an iterative attack. We replace the $L_{2}$ term in the objective function with a penalty for any terms that exceed $\tau$ (initially $1$ , decreasing in each iteration). This prevents oscillation, as this loss term penalizes all large values simultaneously. Specifically, in each iteration we solve

After each iteration, if $\delta_{i}<\tau$ for all $i$ , we reduce $\tau$ by a factor of 0.9 and repeat; otherwise, we terminate the search.

Again we must choose a good constant $c$ to use for the $L_{\infty}$ adversary. We take the same approach as we do for the $L_{0}$ attack: initially set $c$ to a very low value and run the $L_{\infty}$ adversary at this $c$ -value. If it fails, we double $c$ and try again, until it is successful. We abort the search if $c$ exceeds a fixed threshold.

Using “warm-start” for gradient descent in each iteration, this algorithm is about as fast as our $L_{2}$ algorithm (with a single starting point).

Figure 5 shows the $L_{\infty}$ attack applied to one digit of each source class, targeting each target class, on the MNSIT dataset. While most differences are not visually noticeable, a few are. Again, the worst case is that of a 7 being made to classify as a 6.

A comparable figure (Figure 13) for CIFAR is in the appendix. No attack is visually distinguishable from the baseline image.

VII Attack Evaluation

We compare our targeted attacks to the best results previously reported in prior publications, for each of the three distance metrics.

We re-implement Deepfool, fast gradient sign, and iterative gradient sign. For fast gradient sign, we search over $\epsilon$ to find the smallest distance that generates an adversarial example; failures is returned if no $\epsilon$ produces the target class. Our iterative gradient sign method is similar: we search over $\epsilon$ (fixing $\alpha={1\over 256}$ ) and return the smallest successful.

For JSMA we use the implementation in CleverHans with only slight modification (we improve performance by $50\times$ with no impact on accuracy).

JSMA is unable to run on ImageNet due to an inherent significant computational cost: recall that JSMA performs search for a pair of pixels $p,q$ that can be changed together that make the target class more likely and other classes less likely. ImageNet represents images as $299\times 299\times 3$ vectors, so searching over all pairs of pixels would require $2^{36}$ work on each step of the calculation. If we remove the search over pairs of pixels, the success of JSMA falls off dramatically. We therefore report it as failing always on ImageNet.

We report success if the attack produced an adversarial example with the correct target label, no matter how much change was required. Failure indicates the case where the attack was entirely unable to succeed.

We evaluate on the first $1,000$ images in the test set on CIFAR and MNSIT. On ImageNet, we report on $1,000$ images that were initially classified correctly by Inception v3 Otherwise the best-case attack results would appear to succeed extremely often artificially low due to the relatively low top-1 accuracy. On ImageNet we approximate the best-case and worst-case results by choosing $100$ target classes ( $10\%$ ) at random.

The results are found in Table IV for MNIST and CIFAR, and Table V for ImageNet. The complete code to reproduce these tables and figures is available online at http://nicholas.carlini.com/code/nn_robust_attacks.

For each distance metric, across all three datasets, our attacks find closer adversarial examples than the previous state-of-the-art attacks, and our attacks never fail to find an adversarial example. Our $L_{0}$ and $L_{2}$ attacks find adversarial examples with $2\times$ to $10\times$ lower distortion than the best previously published attacks, and succeed with $100\%$ probability. Our $L_{\infty}$ attacks are comparable in quality to prior work, but their success rate is higher. Our $L_{\infty}$ attacks on ImageNet are so successful that we can change the classification of an image to any desired label by only flipping the lowest bit of each pixel, a change that would be impossible to detect visually.

As the learning task becomes increasingly more difficult, the previous attacks produce worse results, due to the complexity of the model. In contrast, our attacks perform even better as the task complexity increases. We have found JSMA is unable to find targeted $L_{0}$ adversarial examples on ImageNet, whereas ours is able to with $100\%$ success.

It is important to realize that the results between models are not directly comparable. For example, even though a $L_{0}$ adversary must change $10$ times as many pixels to switch an ImageNet classification compared to a MNIST classification, ImageNet has $114\times$ as many pixels and so the fraction of pixels that must change is significantly smaller.

Generating synthetic digits. With our targeted adversary, we can start from any image we want and find adversarial examples of each given target. Using this, in Figure 6 we show the minimum perturbation to an entirely-black image required to make it classify as each digit, for each of the distance metrics.

This experiment was performed for the $L_{0}$ task previously , however when mounting their attack, “for classes 0, 2, 3 and 5 one can clearly recognize the target digit.” With our more powerful attacks, none of the digits are recognizable. Figure 7 performs the same analysis starting from an all-white image.

Notice that the all-black image requires no change to become a digit $1$ because it is initially classified as a $1$ , and the all-white image requires no change to become a $8$ because the initial image is already an $8$ .

Runtime Analysis. We believe there are two reasons why one may consider the runtime performance of adversarial example generation algorithms important: first, to understand if the performance would be prohibitive for an adversary to actually mount the attacks, and second, to be used as an inner loop in adversarial re-training .

Comparing the exact runtime of attacks can be misleading. For example, we have parallelized the implementation of our $L_{2}$ adversary allowing it to run hundreds of attacks simultaneously on a GPU, increasing performance from $10\times$ to $100\times$ . However, we did not parallelize our $L_{0}$ or $L_{\infty}$ attacks. Similarly, our implementation of fast gradient sign is parallelized, but JSMA is not. We therefore refrain from giving exact performance numbers because we believe an unfair comparison is worse than no comparison.

All of our attacks, and all previous attacks, are plenty efficient to be used by an adversary. No attack takes longer than a few minutes to run on any given instance.

When compared to $L_{0}$ , our attacks are $2\times-10\times$ slower than our optimized JSMA algorithm (and significantly faster than the un-optimized version). Our attacks are typically $10\times-100\times$ slower than previous attacks for $L_{2}$ and $L_{\infty}$ , with exception of iterative gradient sign which we are $10\times$ slower.

VIII Evaluating Defensive Distillation

Distillation was initially proposed as an approach to reduce a large model (the teacher) down to a smaller distilled model . At a high level, distillation works by first training the teacher model on the training set in a standard manner. Then, we use the teacher to label each instance in the training set with soft labels (the output vector from the teacher network). For example, while the hard label for an image of a hand-written digit $7$ will say it is classified as a seven, the soft labels might say it has a $80\%$ chance of being a seven and a $20\%$ chance of being a one. Then, we train the distilled model on the soft labels from the teacher, rather than on the hard labels from the training set. Distillation can potentially increase accuracy on the test set as well as the rate at which the smaller model learns to predict the hard labels .

Defensive distillation uses distillation in order to increase the robustness of a neural network, but with two significant changes. First, both the teacher model and the distilled model are identical in size — defensive distillation does not result in smaller models. Second, and more importantly, defensive distillation uses a large distillation temperature (described below) to force the distilled model to become more confident in its predictions.

Recall that, the softmax function is the last layer of a neural network. Defensive distillation modifies the softmax function to also include a temperature constant $T$ :

It is easy to see that $\text{softmax}(x,T)=\text{softmax}(x/T,1)$ . Intuitively, increasing the temperature causes a “softer” maximum, and decreasing it causes a “harder” maximum. As the limit of the temperature goes to , softmax approaches $\max$ ; as the limit goes to infinity, $\text{softmax}(x)$ approaches a uniform distribution.

Defensive distillation proceeds in four steps:

Train a network, the teacher network, by setting the temperature of the softmax to $T$ during the training phase.

Compute soft labels by apply the teacher network to each instance in the training set, again evaluating the softmax at temperature $T$ .

Train the distilled network (a network with the same shape as the teacher network) on the soft labels, using softmax at temperature $T$ .

Finally, when running the distilled network at test time (to classify new inputs), use temperature $1$ .

We briefly investigate the reason that existing attacks fail on distilled networks, and find that existing attacks are very fragile and can easily fail to find adversarial examples even when they exist.

L-BFGS and Deepfool fail due to the fact that the gradient of $F(\cdot)$ is zero almost always, which prohibits the use of the standard objective function.

When we train a distilled network at temperature $T$ and then test it at temperature $1$ , we effectively cause the inputs to the softmax to become larger by a factor of $T$ . By minimizing the cross entropy during training, the output of the softmax is forced to be close to $1.0$ for the correct class and $0.0$ for all others. Since $Z(\cdot)$ is divided by $T$ , the distilled network will learn to make the $Z(\cdot)$ values $T$ times larger than they otherwise would be. (Positive values are forced to become about $T$ times larger; negative values are multiplied by a factor of about $T$ and thus become even more negative.) Experimentally, we verified this fact: the mean value of the $L_{1}$ norm of $Z(\cdot)$ (the logits) on the undistilled network is $5.8$ with standard deviation $6.4$ ; on the distilled network (with $T=100$ ), the mean is $482$ with standard deviation $457$ .

Because the values of $Z(\cdot)$ are 100 times larger, when we test at temperature $1$ , the output of $F$ becomes $\epsilon$ in all components except for the output class which has confidence $1-9\epsilon$ for some very small $\epsilon$ (for tasks with 10 classes). In fact, in most cases, $\epsilon$ is so small that the 32-bit floating-point value is rounded to . For similar reasons, the gradient is so small that it becomes when expressed as a 32-bit floating-point value.

This causes the L-BFGS minimization procedure to fail to make progress and terminate. If instead we run L-BFGS with our stable objective function identified earlier, rather than the objective function $\text{loss}_{F,l}(\cdot)$ suggested by Szegedy et al. , L-BFGS does not fail. An alternate approach to fixing the attack would be to set

where $T$ is the distillation temperature chosen. Then minimizing $\text{loss}_{F^{\prime},l}(\cdot)$ will not fail, as now the gradients do not vanish due to floating-point arithmetic rounding. This clearly demonstrates the fragility of using the loss function as the objective to minimize.

JSMA-F (whereby we mean the attack uses the output of the final layer $F(\cdot)$ ) fails for the same reason that L-BFGS fails: the output of the $Z(\cdot)$ layer is very large and so softmax becomes essentially a hard maximum. This is the version of the attack that Papernot et al. use to attack defensive distillation in their paper .

JSMA-Z (the attack that uses the logits) fails for a completely different reason. Recall that in the $Z(\cdot)$ version of the attack, we use the input to the softmax for computing the gradient instead of the final output of the network. This removes any potential issues with the gradient vanishing, however this introduces new issues. This version of the attack is introduced by Papernot et al. but it is not used to attack distillation; we provide here an analysis of why it fails.

Since this attack uses the $Z$ values, it is important to realize the differences in relative impact. If the smallest input to the softmax layer is $-100$ , then, after the softmax layer, the corresponding output becomes practically zero. If this input changes from $-100$ to $-90$ , the output will still be practically zero. However, if the largest input to the softmax layer is $10$ , and it changes to , this will have a massive impact on the softmax output.

Relating this to parameters used in their attack, $\alpha$ and $\beta$ represent the size of the change at the input to the softmax layer. It is perhaps surprising that JSMA-Z works on un-distilled networks, as it treats all changes as being of equal importance, regardless of how much they change the softmax output. If changing a single pixel would increase the target class by $10$ , but also increase the least likely class by $15$ , the attack will not increase that pixel.

Recall that distillation at temperature $T$ causes the value of the logits to be $T$ times larger. In effect, this magnifies the sub-optimality noted above as logits that are extremely unlikely but have slight variation can cause the attack to refuse to make any changes.

Fast Gradient Sign fails at first for the same reason L-BFGS fails: the gradients are almost always zero. However, something interesting happens if we attempt the same division trick and divide the logits by $T$ before feeding them to the softmax function: distillation still remains effective . We are unable to explain this phenomenon.

VIII-B Applying Our Attacks

When we apply our attacks to defensively distilled networks, we find distillation provides only marginal value. We re-implement defensive distillation on MNIST and CIFAR-10 as described using the same model we used for our evaluation above. We train our distilled model with temperature $T=100$ , the value found to be most effective .

Table VI shows our attacks when applied to distillation. All of the previous attacks fail to find adversarial examples. In contrast, our attack succeeds with $100\%$ success probability for each of the three distance metrics.

When compared to Table IV, distillation has added almost no value: our $L_{0}$ and $L_{2}$ attacks perform slightly worse, and our $L_{\infty}$ attack performs approximately equally. All of our attacks succeed with $100\%$ success.

VIII-C Effect of Temperature

In the original work, increasing the temperature was found to consistently reduce attack success rate. On MNIST, this goes from a $91\%$ success rate at $T=1$ to a $24\%$ success rate for $T=5$ and finally $0.5\%$ success at $T=100$ .

We re-implement this experiment with our improved attacks to understand how the choice of temperature impacts robustness. We train models with the temperature varied from $t=1$ to $t=100$ .

When we re-run our implementation of JSMA, we observe the same effect: attack success rapidly decreases. However, with our improved $L_{2}$ attack, we see no effect of temperature on the mean distance to adversarial examples: the correlation coefficient is $\rho=-0.05$ . This clearly demonstrates the fact that increasing the distillation temperature does not increase the robustness of the neural network, it only causes existing attacks to fail more often.

VIII-D Transferability

Recent work has shown that an adversarial example for one model will often transfer to be an adversarial on a different model, even if they are trained on different sets of training data , and even if they use entirely different algorithms (i.e., adversarial examples on neural networks transfer to random forests ).

Therefore, any defense that is able to provide robustness against adversarial examples must somehow break this transferability property; otherwise, we could run our attack algorithm on an easy-to-attack model, and then transfer those adversarial examples to the hard-to-attack model.

Even though defensive distillation is not robust to our stronger attacks, we demonstrate a second break of distillation by transferring attacks from a standard model to a defensively distilled model.

We accomplish this by finding high-confidence adversarial examples, which we define as adversarial examples that are strongly misclassified by the original model. Instead of looking for an adversarial example that just barely changes the classification from the source to the target, we want one where the target is much more likely than any other label.

Recall the loss function defined earlier for $L_{2}$ attacks:

The purpose of the parameter $\kappa$ is to control the strength of adversarial examples: the larger $\kappa$ , the stronger the classification of the adversarial example. This allows us to generate high-confidence adversarial examples by increasing $\kappa$ .

We first investigate if our hypothesis is true that the stronger the classification on the first model, the more likely it will transfer. We do this by varying $\kappa$ from to $40$ .

Our baseline experiment uses two models trained on MNIST as described in Section IV, with each model trained on half of the training data. We find that the transferability success rate increases linearly from $\kappa=0$ to $\kappa=20$ and then plateaus at near- $100\%$ success for $\kappa\approx 20$ , so clearly increasing $\kappa$ increases the probability of a successful transferable attack.

We then run this same experiment only instead we train the second model with defensive distillation, and find that adversarial examples do transfer. This gives us another attack technique for finding adversarial examples on distilled networks.

However, interestingly, the transferability success rate between the unsecured model and the distilled model only reaches $100\%$ success at $\kappa=40$ , in comparison to the previous approach that only required $\kappa=20$ .

We believe that this approach can be used in general to evaluate the robustness of defenses, even if the defense is able to completely block flow of gradients to cause our gradient-descent based approaches from succeeding.

IX Conclusion

The existence of adversarial examples limits the areas in which deep learning can be applied. It is an open problem to construct defenses that are robust to adversarial examples. In an attempt to solve this problem, defensive distillation was proposed as a general-purpose procedure to increase the robustness of an arbitrary neural network.

In this paper, we propose powerful attacks that defeat defensive distillation, demonstrating that our attacks more generally can be used to evaluate the efficacy of potential defenses. By systematically evaluating many possible attack approaches, we settle on one that can consistently find better adversarial examples than all existing approaches. We use this evaluation as the basis of our three $L_{0}$ , $L_{2}$ , and $L_{\infty}$ attacks.

We encourage those who create defenses to perform the two evaluation approaches we use in this paper:

Use a powerful attack (such as the ones proposed in this paper) to evaluate the robustness of the secured model directly. Since a defense that prevents our $L_{2}$ attack will prevent our other attacks, defenders should make sure to establish robustness against the $L_{2}$ distance metric.

Demonstrate that transferability fails by constructing high-confidence adversarial examples on a unsecured model and showing they fail to transfer to the secured model.

Acknowledgements

We would like to thank Nicolas Papernot discussing our defensive distillation implementation, and the anonymous reviewers for their helpful feedback. This work was supported by Intel through the ISTC for Secure Computing, Qualcomm, Cisco, the AFOSR under MURI award FA9550-12-1-0040, and the Hewlett Foundation through the Center for Long-Term Cybersecurity.