Obfuscated Gradients Give a False Sense of Security: Circumventing Defenses to Adversarial Examples

Introduction

In response to the susceptibility of neural networks to adversarial examples (Szegedy et al., 2013; Biggio et al., 2013), there has been significant interest recently in constructing defenses to increase the robustness of neural networks. While progress has been made in understanding and defending against adversarial examples in the white-box setting, where the adversary has full access to the network, a complete solution has not yet been found.

As benchmarking against iterative optimization-based attacks (e.g., Kurakin et al. (2016a); Madry et al. (2018); Carlini & Wagner (2017c)) has become standard practice in evaluating defenses, new defenses have arisen that appear to be robust against these powerful optimization-based attacks.

We identify one common reason why many defenses provide apparent robustness against iterative optimization attacks: obfuscated gradients, a term we define as a special case of gradient masking (Papernot et al., 2017). Without a good gradient, where following the gradient does not successfully optimize the loss, iterative optimization-based methods cannot succeed. We identify three types of obfuscated gradients: shattered gradients are nonexistent or incorrect gradients caused either intentionally through non-differentiable operations or unintentionally through numerical instability; stochastic gradients depend on test-time randomness; and vanishing/exploding gradients in very deep computation result in an unusable gradient.

We propose new techniques to overcome obfuscated gradients caused by these three phenomena. We address gradient shattering with a new attack technique we call Backward Pass Differentiable Approximation, where we approximate derivatives by computing the forward pass normally and computing the backward pass using a differentiable approximation of the function. We compute gradients of randomized defenses by applying Expectation Over Transformation (Athalye et al., 2017). We solve vanishing/exploding gradients through reparameterization and optimize over a space where gradients do not explode/vanish.

To investigate the prevalence of obfuscated gradients and understand the applicability of these attack techniques, we use as a case study the ICLR 2018 non-certified defenses that claim white-box robustness. We find that obfuscated gradients are a common occurrence, with 7 of 9 defenses relying on this phenomenon. Applying the new attack techniques we develop, we overcome obfuscated gradients and circumvent 6 of them completely, and 1 partially, under the original threat model of each paper. Along with this, we offer an analysis of the evaluations performed in the papers.

Additionally, we hope to provide researchers with a common baseline of knowledge, description of attack techniques, and common evaluation pitfalls, so that future defenses can avoid falling vulnerable to these same attack approaches.

To promote reproducible research, we release our re-implementation of each of these defenses, along with implementations of our attacks for each. https://github.com/anishathalye/obfuscated-gradients

Preliminaries

We consider a neural network $f(\cdot)$ used for classification where $f(x)_{i}$ represents the probability that image $x$ corresponds to label $i$. We classify images, represented as $x\in^{w\cdot h\cdot c}$ for a $c$-channel image of width $w$ and height $h$. We use $f^{j}(\cdot)$ to refer to layer $j$ of the neural network, and $f^{1..j}(\cdot)$ the composition of layers $1$ through $j$. We denote the classification of the network as $c(x)=\text{arg max}_{i}f(x)_{i}$, and $c^{*}(x)$ denotes the true label.

2 Adversarial Examples

Given an image $x$ and classifier $f(\cdot)$, an adversarial example (Szegedy et al., 2013) $x^{\prime}$ satisfies two properties: $\mathcal{D}(x,x^{\prime})$ is small for some distance metric $\mathcal{D}$, and $c(x^{\prime})\neq c^{*}(x)$. That is, for images, $x$ and $x^{\prime}$ appear visually similar but $x^{\prime}$ is classified incorrectly.

3 Datasets & Models

We evaluate these defenses on the same datasets on which they claim robustness.

If a defense argues security on MNIST and any other dataset, we only evaluate the defense on the larger dataset. On MNIST and CIFAR-10, we evaluate defenses over the entire test set and generate untargeted adversarial examples. On ImageNet, we evaluate over 1000 randomly selected images in the test set, construct targeted adversarial examples with randomly selected target classes, and report attack success rate in addition to model accuracy. Generating targeted adversarial examples is a strictly harder problem that we believe is a more meaningful metric for evaluating attacks. Misclassification is a less meaningful metric on ImageNet, where a misclassification of closely related classes (e.g., a German shepherd classified as a Doberman) may not be meaningful. Conversely, for a defender, the harder task is to argue robustness to untargeted attacks.

We use standard models for each dataset. For MNIST we use a standard 5-layer convolutional neural network which reaches $99.3\%$ accuracy. On CIFAR-10 we train a wide ResNet (Zagoruyko & Komodakis, 2016; He et al., 2016) to $95\%$ accuracy. For ImageNet we use the InceptionV3 (Szegedy et al., 2016) network which reaches $78.0\%$ top-1 and $93.9\%$ top-5 accuracy.

4 Threat Models

5 Attack Methods

Obfuscated Gradients

A defense is said to cause gradient masking if it “does not have useful gradients” for generating adversarial examples (Papernot et al., 2017); gradient masking is known to be an incomplete defense to adversarial examples (Papernot et al., 2017; Tramèr et al., 2018). Despite this, we observe that 7 of the ICLR 2018 defenses rely on this effect.

To contrast from previous defenses which cause gradient masking by learning to break gradient descent (e.g., by learning to make the gradients point the wrong direction (Tramèr et al., 2018)), we refer to the case where defenses are designed in such a way that the constructed defense necessarily causes gradient masking as obfuscated gradients. We discover three ways in which defenses obfuscate gradients (we use this word because in these cases, it is the defense creator who has obfuscated the gradient information); we briefly define and discuss each of them.

Shattered Gradients are caused when a defense is non-differentiable, introduces numeric instability, or otherwise causes a gradient to be nonexistent or incorrect. Defenses that cause gradient shattering can do so unintentionally, by using differentiable operations but where following the gradient does not maximize classification loss globally.

Stochastic Gradients are caused by randomized defenses, where either the network itself is randomized or the input is randomly transformed before being fed to the classifier, causing the gradients to become randomized. This causes methods using a single sample of the randomness to incorrectly estimate the true gradient.

Exploding & Vanishing Gradients are often caused by defenses that consist of multiple iterations of neural network evaluation, feeding the output of one computation as the input of the next. This type of computation, when unrolled, can be viewed as an extremely deep neural network evaluation, which can cause vanishing/exploding gradients.

Some defenses intentionally break gradient descent and cause obfuscated gradients. However, others defenses unintentionally break gradient descent, but the cause of gradient descent being broken is a direct result of the design of the neural network. We discuss below characteristic behaviors of defenses which cause this to occur. These behaviors may not perfectly characterize all cases of masked gradients.

Iterative optimization-based attacks applied in a white-box setting are strictly stronger than single-step attacks and should give strictly superior performance. If single-step methods give performance superior to iterative methods, it is likely that the iterative attack is becoming stuck in its optimization search at a local minimum.

The black-box threat model is a strict subset of the white-box threat model, so attacks in the white-box setting should perform better; if a defense is obfuscating gradients, then black-box attacks (which do not use the gradient) often perform better than white-box attacks (Papernot et al., 2017).

With unbounded distortion, any classifier should have $0\%$ robustness to attack. If an attack does not reach $100\%$ success with sufficiently large distortion bound, this indicates the attack is not performing optimally against the defense, and the attack should be improved.

Brute-force random search (e.g., randomly sampling $10^{5}$ or more points) within some $\epsilon$-ball should not find adversarial examples when gradient-based attacks do not.

A larger distortion bound should monotonically increase attack success rate; significantly increasing distortion bound should result in significantly higher attack success rate.

Attack Techniques

Generating adversarial examples through optimization-based methods requires useful gradients obtained through backpropagation (Rumelhart et al., 1986). Many defenses therefore either intentionally or unintentionally cause gradient descent to fail because of obfuscated gradients caused by gradient shattering, stochastic gradients, or vanishing/exploding gradients. We discuss a number of techniques that we develop to overcome obfuscated gradients.

Shattered gradients, caused either unintentionally, e.g. by numerical instability, or intentionally, e.g. by using non-differentiable operations, result in nonexistent or incorrect gradients. To attack defenses where gradients are not readily available, we introduce a technique we call Backward Pass Differentiable Approximation (BPDA) The BPDA approach can be used on an arbitrary network, even if it is already differentiable, to obtain a more useful gradient..

As a special case, we first discuss what amounts to the straight-through estimator (Bengio et al., 2013) applied to constructing adversarial examples.

Many non-differentiable defenses can be expressed as follows: given a pre-trained classifier $f(\cdot)$, construct a preprocessor $g(\cdot)$ and let the secured classifier $\hat{f}(x)=f(g(x))$ where the preprocessor $g(\cdot)$ satisfies $g(x)\approx x$ (e.g., such a $g(\cdot)$ may perform image denoising to remove the adversarial perturbation, as in Guo et al. (2018)). If $g(\cdot)$ is smooth and differentiable, then computing gradients through the combined network $\hat{f}$ is often sufficient to circumvent the defense (Carlini & Wagner, 2017b). However, recent work has constructed functions $g(\cdot)$ which are neither smooth nor differentiable, and therefore can not be backpropagated through to generate adversarial examples with a white-box attack that requires gradient signal.

Because $g$ is constructed with the property that $g(x)\approx x$, we can approximate its derivative as the derivative of the identity function: $\nabla_{x}g(x)\approx\nabla_{x}x=1$. Therefore, we can approximate the derivative of $f(g(x))$ at the point $\hat{x}$ as:

This allows us to compute gradients and therefore mount a white-box attack. Conceptually, this attack is simple. We perform forward propagation through the neural network as usual, but on the backward pass, we replace $g(\cdot)$ with the identity function. In practice, the implementation can be expressed in an even simpler way: we approximate $\nabla_{x}f(g(x))$ by evaluating $\nabla_{x}f(x)$ at the point $g(x)$. This gives us an approximation of the true gradient, and while not perfect, is sufficiently useful that when averaged over many iterations of gradient descent still generates an adversarial example. The math behind the validity of this approach is similar to the special case.

1.2 Generalized Attack: BPDA

While the above attack is effective for a simple class of networks expressible as $f(g(x))$ when $g(x)\approx x$, it is not fully general. We now generalize the above approach into our full attack, which we call Backward Pass Differentiable Approximation (BPDA).

Let $f(\cdot)=f^{1\ldots j}(\cdot)$ be a neural network, and let $f^{i}(\cdot)$ be a non-differentiable (or not usefully-differentiable) layer. To approximate $\nabla_{x}f(x)$, we first find a differentiable approximation $g(x)$ such that $g(x)\approx f^{i}(x)$. Then, we can approximate $\nabla_{x}f(x)$ by performing the forward pass through $f(\cdot)$ (and in particular, computing a forward pass through $f^{i}(x)$), but on the backward pass, replacing $f^{i}(x)$ with $g(x)$. Note that we perform this replacement only on the backward pass.

As long as the two functions are similar, we find that the slightly inaccurate gradients still prove useful in constructing an adversarial example. Applying BPDA often requires more iterations of gradient descent than without because each individual gradient descent step is not exactly correct.

We have found applying BPDA is often necessary: replacing $f^{i}(\cdot)$ with $g(\cdot)$ on both the forward and backward pass is either completely ineffective (e.g. with Song et al. (2018)) or many times less effective (e.g. with Buckman et al. (2018)).

2 Attacking Randomized Classifiers

Stochastic gradients arise when using randomized transformations to the input before feeding it to the classifier or when using a stochastic classifier. When using optimization-based attacks on defenses that employ these techniques, it is necessary to estimate the gradient of the stochastic function.

For defenses that employ randomized transformations to the input, we apply Expectation over Transformation (EOT) (Athalye et al., 2017) to correctly compute the gradient over the expected transformation to the input.

3 Reparameterization

We solve vanishing/exploding gradients by reparameterization. Assume we are given a classifier $f(g(x))$ where $g(\cdot)$ performs some optimization loop to transform the input $x$ to a new input $\hat{x}$. Often times, this optimization loop means that differentiating through $g(\cdot)$, while possible, yields exploding or vanishing gradients.

To resolve this, we make a change-of-variable $x=h(z)$ for some function $h(\cdot)$ such that $g(h(z))=h(z)$ for all $z$, but $h(\cdot)$ is differentiable. For example, if $g(\cdot)$ projects samples to some manifold in a specific manner, we might construct $h(z)$ to return points exclusively on the manifold. This allows us to compute gradients through $f(h(z))$ and thereby circumvent the defense.

Case Study: ICLR 2018 Defenses

As a case study for evaluating the prevalence of obfuscated gradients, we study the ICLR 2018 non-certified defenses that argue robustness in a white-box threat model. Each of these defenses argues a high robustness to adaptive, white-box attacks. We find that seven of these nine defenses rely on this phenomenon, and we demonstrate that our techniques can completely circumvent six of those (and partially circumvent one) that rely on obfuscated gradients. We omit two defenses with provable security claims (Raghunathan et al., 2018; Sinha et al., 2018) and one that only argues black-box security (Tramèr et al., 2018). We include one paper, Ma et al. (2018), that was not proposed as a defense per se, but suggests a method to detect adversarial examples.

There is an asymmetry in attacking defenses versus constructing robust defenses: to show a defense can be bypassed, it is only necessary to demonstrate one way to do so; in contrast, a defender must show no attack can succeed.

Table 1 summarizes our results. Of the 9 accepted papers, 7 rely on obfuscated gradients. Two of these defenses argue robustness on ImageNet, a much harder task than CIFAR-10; and one argues robustness on MNIST, a much easier task than CIFAR-10. As such, comparing defenses across datasets is difficult.

We study the adversarial training approach of Madry et al. (2018) which for a given $\epsilon$-ball solves

To approximately solve this formulation, the authors solve the inner maximization problem by generating adversarial examples using projected gradient descent.

1.2 Cascade Adversarial Training

Cascade adversarial machine learning (Na et al., 2018) is closely related to the above defense. The main difference is that instead of using iterative methods to generate adversarial examples at each mini-batch, the authors train a first model, generate adversarial examples (with iterative methods) on that model, add these to the training set, and then train a second model on the augmented dataset only single-step methods for efficiency. Additionally, the authors construct a “unified embedding” and enforce that the clean and adversarial logits are close under some metric.

Again, as above, we are unable to reduce the claims made by the authors. However, these claims are weaker than other defenses (because the authors correctly performed a strong optimization-based attack (Carlini & Wagner, 2017c)): $16\%$ accuracy with $\epsilon=.015$, compared to over $70\%$ at the same perturbation budget with adversarial training as in Madry et al. (2018).

2 Gradient Shattering

In contrast to prior work (Szegedy et al., 2013) which viewed adversarial examples as “blind spots” in neural networks, Goodfellow et al. (2014b) argue that the reason adversarial examples exist is that neural networks behave in a largely linear manner. The purpose of thermometer encoding is to break this linearity.

Given an image $x$, for each pixel color $x_{i,j,c}$, the $l$-level thermometer encoding $\tau(x_{i,j,c})$ is a $l$-dimensional vector where $\tau(x_{i,j,c})_{k}=1$ if $\text{if}\;\;x_{i,j,c}>k/l$, and otherwise (e.g., for a 10-level thermometer encoding, $\tau(0.66)=1111110000$).

Due to the discrete nature of thermometer encoded values, it is not possible to directly perform gradient descent on a thermometer encoded neural network. The authors therefore construct Logit-Space Projected Gradient Ascent (LS-PGA) as an attack over the discrete thermometer encoded inputs. Using this attack, the authors perform the adversarial training of Madry et al. (2018) on thermometer encoded networks.

While the intention behind this defense is to break the local linearity of neural networks, we find that this defense in fact causes gradient shattering. This can be observed through their black-box attack evaluation: adversarial examples generated on a standard adversarially trained model transfer to a thermometer encoded model reducing the accuracy to $67\%$, well below the $80\%$ robustness to the white-box iterative attack.

We use the BPDA approach from §4.1.2, where we let $f(x)=\tau(x)$. Observe that if we define

so we can let $g(x)=\hat{\tau}(x)$ and replace the backwards pass with the function $g(\cdot)$.

LS-PGA only reduces model accuracy to $50\%$ on a thermometer-encoded model trained without adversarial training (bounded by $\epsilon=0.031$). In contrast, we achieve $1\%$ model accuracy with the lower $\epsilon=0.015$ (and $0\%$ with $\epsilon=0.031$). This shows no measurable improvement from standard models, trained without thermometer encoding.

When we attack a thermometer-encoded adversarially trained model That is, a thermometer encoded model that is trained using the approach of (Madry et al., 2018)., we are able to reproduce the $80\%$ accuracy at $\epsilon=0.031$ claim against LS-PGA. However, our attack reduces model accuracy to $30\%$. This is significantly weaker than the original Madry et al. (2018) model that does not use thermometer encoding. Because this model is trained against the (comparatively weak) LS-PGA attack, it is unable to adapt to the stronger attack we present above. Figure 1 shows a comparison of thermometer encoding, with and without adversarial training, against the baseline classifier, over a range of perturbation magnitudes, demonstrating that thermometer encoding provides limited value.

2.2 Input Transformations

Guo et al. (2018) propose five input transformations to counter adversarial examples.

As a baseline, the authors evaluate image cropping and rescaling, bit-depth reduction, and JPEG compression. Then the authors suggest two new transformations: (a) randomly drop pixels and restore them by performing total variance minimization; and (b) image quilting: reconstruct images by replacing small patches with patches from “clean” images, using minimum graph cuts in overlapping boundary regions to remove edge artifacts.

The authors explore different combinations of input transformations along with different underlying ImageNet classifiers, including adversarially trained models. They find that input transformations provide protection even with a vanilla classifier.

The authors do not succeed in white-box attacks, crediting lack of access to test-time randomness as “particularly crucial in developing strong defenses” (Guo et al., 2018). This defense may be stronger in a threat model where the adversary does not have complete information about the exact quilting process used (personal communication with authors).

2.3 Local Intrinsic Dimensionality (LID)

LID is a general-purpose metric that measures the distance from an input to its neighbors. Ma et al. (2018) propose using LID to characterize properties of adversarial examples. The authors emphasize that this classifier is not intended as a defense against adversarial examples Personal communication with authors., however the authors argue that it is a robust method for detecting adversarial examples that is not easy to evade by attempting their own adaptive attack and showing it fails.

Instead of actively attacking the detection method, we find that LID is not able to detect high confidence adversarial examples (Carlini & Wagner, 2017a), even in the unrealistic threat model where the adversary is entirely oblivious to the defense and generates adversarial examples on the original classifier. A full discussion of this attack is given in Appendix A.

3 Stochastic Gradients

SAP (Dhillon et al., 2018) introduces randomness into the evaluation of a neural network to defend against adversarial examples. SAP randomly drops some neurons of each layer $f^{i}$ to 0 with probability proportional to their absolute value. That is, SAP essentially applies dropout at each layer where instead of dropping with uniform probability, nodes are dropped with a weighted distribution. Values which are retained are scaled up (as is done in dropout) to retain accuracy. Applying SAP decreases clean classification accuracy slightly, with a higher drop probability decreasing accuracy, but increasing robustness. We study various levels of drop probability and find they lead to similar robustness numbers.

The authors only evaluate SAP by taking a single step in the gradient direction (Dhillon et al., 2018). While taking a single step in the direction of the gradient can be effective on non-randomized neural networks, when randomization is used, computing the gradient with respect to one sample of the randomness is ineffective.

To resolve this difficulty, we estimate the gradients by computing the expectation over instantiations of randomness. At each iteration of gradient descent, instead of taking a step in the direction of $\nabla_{x}f(x)$ we move in the direction of $\sum_{i=1}^{k}\nabla_{x}f(x)$ where each invocation is randomized with SAP. We have found that choosing $k=10$ provides useful gradients. We additionally had to resolve a numerical instability when computing gradients: this defense caused computing a backward pass to cause exploding gradients due to division by numbers very close to 0.

With these approaches, we are able to reduce SAP model accuracy to $9\%$ at $\epsilon=.015$, and $0\%$ at $\epsilon=0.031$. If we consider an attack successful only when an example is classified incorrectly $10$ times out of $10$ (and consider it correctly classified if it is ever classified as the correct label), model accuracy is below $10\%$ with $\epsilon=0.031$.

3.2 Mitigating through Randomization

Xie et al. (2018) propose to defend against adversarial examples by adding a randomization layer before the input to the classifier. For a classifier that takes a $299\times 299$ input, the defense first randomly rescales the image to a $r\times r$ image, with $r\in[299,331)$, and then randomly zero-pads the image so that the result is $331\times 331$. The output is then fed to the classifier.

The authors consider three attack scenarios: vanilla attack (an attack on the original classifier), single-pattern attack (an attack assuming some fixed randomization pattern), and ensemble-pattern attack (an attack over a small ensemble of fixed randomization patterns). The authors strongest attack reduces InceptionV3 model accuracy to $32.8\%$ top-1 accuracy (over images that were originally classified correctly).

The authors dismiss a stronger attack over larger choices of randomness, stating that it would be “computationally impossible” (emphasis ours) and that such an attack “may not even converge” (Xie et al., 2018).

We find the authors’ ensemble attack overfits to the ensemble with fixed randomization. We bypass this defense by applying EOT, optimizing over the (in this case, discrete) distribution of transformations.

4 Vanishing & Exploding Gradients

Song et al. (2018) propose using a PixelCNN generative model to project a potential adversarial example back onto the data manifold before feeding it into a classifier. The authors argue that adversarial examples mainly lie in the low-probability region of the data distribution. PixelDefend “purifies” adversarially perturbed images prior to classification by using a greedy decoding procedure to approximate finding the highest probability example within an $\epsilon$-ball of the input image.

4.2 Defense-GAN

Defense-GAN (Samangouei et al., 2018) uses a Generative Adversarial Network (Goodfellow et al., 2014a) to project samples onto the manifold of the generator before classifying them. That is, the intuition behind this defense is nearly identical to PixelDefend, but using a GAN instead of a PixelCNN. We therefore summarize results here and present the full details in Appendix B.

Defense-GAN is not argued secure on CIFAR-10, so we use MNIST. We find that adversarial examples exist on the manifold defined by the generator. That is, we show that we are able to construct an adversarial example $x^{\prime}=G(z)$ so that $x^{\prime}\approx x$ but $c(x)\neq c(x^{\prime})$. As such, a perfect projector would not modify this example $x^{\prime}$ because it exists on the manifold described by the generator. However, while this attack would defeat a perfect projector mapping $x$ to its nearest point on $G(z)$, the imperfect gradient descent based approach taken by Defense-GAN does not perfectly preserve points on the manifold. We therefore construct a second attack using BPDA to evade Defense-GAN, although at only a $45\%$ success rate.

Discussion

Having demonstrated attacks on these seven defenses, we now take a step back and discuss the method of evaluating a defense against adversarial examples.

The papers we study use a variety of approaches in evaluating robustness of the proposed defenses. We list what we believe to be the most important points to keep in mind while building and evaluating defenses. Much of what we describe below has been discussed in prior work (Carlini & Wagner, 2017a; Madry et al., 2018); we repeat these points here and offer our own perspective for completeness.

A threat model specifies the conditions under which a defense argues security: a precise threat model allows for an exact understanding of the setting under which the defense is meant to work. Prior work has used words including white-box, grey-box, black-box, and no-box to describe slightly different threat models, often overloading the same word.

Instead of attempting to, yet again, redefine the vocabulary, we enumerate the various aspects of a defense that might be revealed to the adversary or held secret to the defender: model architecture and model weights; training algorithm and training data; test time randomness (either the values chosen or the distribution); and, if the model weights are held secret, whether query access is allowed (and if so, the type of output, e.g. logits or only the top label).

While there are some aspects of a defense that might be held secret, threat models should not contain unrealistic constraints. We believe any compelling threat model should at the very least grant knowledge of the model architecture, training algorithm, and allow query access.

It is not meaningful to restrict the computational power of an adversary artificially (e.g., to fewer than several thousand attack iterations). If two defenses are equally robust but generating adversarial examples on one takes one second and another takes ten seconds, the robustness has not increased.

2 Make specific, testable claims

In this paper, we study all papers under the threat model the authors define. However, if a paper is evaluated under a different threat model, explicitly stating so makes it clear that the original paper’s claims are not being violated.

A defense being specified completely, with all hyperparameters given, is a prerequisite for claims to be testable. Releasing source code and a pre-trained model along with the paper describing a specific threat model and robustness claims is perhaps the most useful method of making testable claims. At the time of writing this paper, four of the defenses we study made complete source code available (Madry et al., 2018; Ma et al., 2018; Guo et al., 2018; Xie et al., 2018).

3 Evaluate against adaptive attacks

A strong defense is robust not only against existing attacks, but also against future attacks within the specified threat model. A necessary component of any defense proposal is therefore an attempt at an adaptive attack.

An adaptive attack is one that is constructed after a defense has been completely specified, where the adversary takes advantage of knowledge of the defense and is only restricted by the threat model. One useful attack approach is to perform many attacks and report the mean over the best attack per image. That is, for a set of attacks $a\in\mathcal{A}$ instead of reporting the value $\min\limits_{a\in\mathcal{A}}\mathop{\text{mean}}\limits_{x\in\mathcal{A}}f(a(x))$ report $\mathop{\text{mean}}\limits_{x\in\mathcal{A}}\min\limits_{a\in\mathcal{A}}f(a(x))$.

If a defense is modified after an evaluation, an adaptive attack is one that considers knowledge of the new defense. In this way, concluding an evaluation with a final adaptive attack can be seen as analogous to evaluating a model on the test data.

Conclusion

Constructing defenses to adversarial examples requires defending against not only existing attacks but also future attacks that may be developed. In this paper, we identify obfuscated gradients, a phenomenon exhibited by certain defenses that makes standard gradient-based methods fail to generate adversarial examples. We develop three attack techniques to bypass three different types of obfuscated gradients. To evaluate the applicability of our techniques, we use the ICLR 2018 defenses as a case study, circumventing seven of nine accepted defenses.

More generally, we hope that future work will be able to avoid relying on obfuscated gradients (and other methods that only prevent gradient descent-based attacks) for perceived robustness, and use our evaluation approach to detect when this occurs. Defending against adversarial examples is an important area of research and we believe performing a careful, thorough evaluation is a critical step that can not be overlooked when designing defenses.

Acknowledgements

We are grateful to Aleksander Madry, Andrew Ilyas, and Aditi Raghunathan for helpful comments on an early draft of this paper. We thank Bo Li, Xingjun Ma, Laurens van der Maaten, Aurko Roy, Yang Song, and Cihang Xie for useful discussion and insights on their defenses.

This work was partially supported by the National Science Foundation through award CNS-1514457, Qualcomm, and the Hewlett Foundation through the Center for Long-Term Cybersecurity.

References

Appendix A Local Intrinsic Dimensionality

The Local Intrinsic Dimensionality (Amsaleg et al., 2015) “assesses the space-filling capability of the region surrounding a reference example, based on the distance distribution of the example to its neighbors” (Ma et al., 2018). The authors present evidence that the LID is significantly larger for adversarial examples generated by existing attacks than for normal images, and they construct a classifier that can distinguish these adversarial images from normal images. Again, the authors indicate that LID is not intended as a defense and only should be used to explore properties of adversarial examples. However, it would be natural to wonder whether it would be effective as a defense, so we study its robustness; our results confirm that it is not adequate as a defense. The method used to compute the LID relies on finding the $k$ nearest neighbors, a non-differentiable operation, rendering gradient descent based methods ineffective.

Let $\mathcal{S}$ be a mini-batch of $N$ clean examples. Let $r_{i}(x)$ denote the distance (under metric $d(x,y)$) between sample $x$ and its $i$-th nearest neighbor in $\mathcal{S}$ (under metric $d$). Then LID can be approximated by

where $k$ is a defense hyperparameter the controls the number of nearest neighbors to consider. The authors use the distance function

to measure the distance between the $j$th activation layers. The authors compute a vector of LID values for each sample:

Finally, they compute the $\overrightarrow{\text{LID}}(x)$ over the training data and adversarial examples generated on the training data, and train a logistic regression classifier to detect adversarial examples. We are grateful to the authors for releasing their complete source code.

While LID is not a defense itself, the authors assess the ability of LID to detect different types of attacks.

In this case, we observe the reason that performing this type of adaptive attack fails is that gradient descent does not succeed in optimizing the LID loss, even though the LID computation is differentiable. Computing the LID term involves computing the $k$-nearest neighbors when computing $r_{i}(x)$. Minimizing the gradient of the distance to the current $k$-nearest neighbors is not representative of the true direction to travel in for the optimal set of $k$-nearest neighbors. As a consequence, we find that adversarial examples generated with gradient methods when penalizing for a high LID either (a) are not adversarial; or (b) are detected as adversarial, despite penalizing for the LID loss.

This evaluation demonstrates that the LID metric can be circumvented, and future work should carefully evaluate if building a detector relying on LID is robust to adversarial examples explicitly targeting such a detector. This work also raises questions whether a large LID is a fundamental characteristic of all adversarial examples, or whether it is a by-product of certain attacks.

Appendix B Defense-GAN

The defender first trains a Generative Adversarial Network with a generator $G(z)$ that maps samples from a latent space (typically $z\sim\mathcal{N}(0,1)$) to images that look like training data. Defense-GAN takes a trained classifier $f(\cdot)$, and to classify an input $x$, instead of returning $f(x)$, returns $f(\mathop{\text{arg min}}_{z}|G(z)-x|)$. To perform this projection to the manifold, the authors take many steps of gradient descent starting from different random initializations.

Defense-GAN was not shown to be effective on CIFAR-10. We therefore evaluate it on MNIST (where it was argued to be secure).

We find that adversarial examples do exist on the data manifold as described by the generator $G(\cdot)$. However, Defense-GAN does not completely project to the projection of the generator, and therefore often does not identify these adversarial examples actually on the manifold.

Evaluation A. Performing the manifold projection is nontrivial as an inner optimization step when generating adversarial examples. To sidestep this difficulty, we show that adversarial examples exist directly on the projection of the generator. That is, we construct an adversarial example $x^{\prime}=G(z^{*})$ so that $|x-x^{\prime}|$ is small and $c(x)\neq c(x^{\prime})$.

To do this, we solve the re-parameterized formulation

We initialize $z=\mathop{\text{arg min}}_{z}|G(z)-x|$ (also found via gradient descent). We train a WGAN using the code the authors provide (Gulrajani et al., 2017), and a MNIST CNN to $99.3\%$ accuracy.

Concurrent to our work, Ilyas et al. (2017) also develop a nearly identical approach to Defense-GAN; they also find it is vulnerable to the attack we outline above, but increase the robustness further with adversarial training. We do not evaluate this extended approach.

Evaluation B. The above attack does not succeed on Defense-GAN. While the adversarial examples are directly on the projection of the Generator, the projection process will actually move it off the projection.