Subspace Grid-sweep: ML Defense Evaluation via Constrained Brute-force Search

23 Sept 2023 (modified: 11 Feb 2024), submitted to ICLR 2024
Primary Area: general machine learning (i.e., none of the above)
Code Of Ethics: I acknowledge that I and all co-authors of this work have read and commit to adhering to the ICLR Code of Ethics.
Keywords: artificial intelligence, machine learning, robustness, adversarial machine learning
Submission Guidelines: I certify that this submission complies with the submission instructions as described on https://iclr.cc/Conferences/2024/AuthorGuide.
TL;DR: We propose a new ML defense evaluation tool that leverages deterministic inference. We also show that some random defenses retain empirical robustness when made deterministic, which allows us to use our tool to gain new insights on them.
Abstract: It is becoming increasingly imperative to design robust ML defenses. However, recent work has found that many defenses that initially resist state-of-the-art attacks can be broken by an adaptive adversary. Attacks can initially make defenses look strong by not finding potential adversarial examples due to obfuscated gradients, limited compute, unlucky initialization, etc. In this work, we make steps towards more reliable defense evaluation by introducing a new defense evaluation tool, Subspace Grid-sweep, that leverages deterministic inference to more simply evaluate adversarial robustness. We use Subspace Grid-sweep to show that a previously published, but now broken, defense could have been known to be broken without performing a fully adaptive attack. In order to make Subspace Grid-sweep applicable to random defenses, we show how to make deterministic variants of random defenses while retaining similar empirical effectiveness. As a result, we show that randomness may not be necessary for these defenses' robustness.
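The abstract describes the evaluation idea only at a high level: a constrained brute-force sweep over a low-dimensional subspace around an input, run against a model whose inference is deterministic so that every verdict is reproducible. The following Python is an added illustrative interpretation of that idea, not the paper's code or any released tool. Everything in it is constructed: the linear "defended model" (`W`, `B`), the input `X0`, the two sweep directions `DIRS`, the noise scale, and the way the deterministic variant seeds its noise from the input (one possible choice, assumed here, not the authors' method).

```python
"""Toy subspace grid sweep (added example, not the paper's code).

Enumerates every point of a grid spanned by a few directions around an
input, keeps only points within an L-inf budget, and asks the model whether
the label changed. Deterministic inference makes the resulting verdict
reproducible; the random-defense variant below shows why that matters.
"""
import hashlib
import itertools
import random
from typing import Callable, Optional, Sequence, Tuple

Vector = Sequence[float]

# Constructed deterministic linear classifier standing in for a defended model.
W = (1.0, -0.5, 0.25, 0.0)
B = -0.2


def base_score(x: Vector) -> float:
    return sum(w * xi for w, xi in zip(W, x)) + B


def base_predict(x: Vector) -> int:
    """Fully deterministic model: same input, same label, every time."""
    return 1 if base_score(x) > 0 else 0


def noisy_predict_random(x: Vector, sigma: float = 0.02) -> int:
    """Constructed 'random defense': fresh noise on every query, so repeating
    a sweep can yield a different verdict for the same input."""
    return 1 if base_score(x) + random.gauss(0.0, sigma) > 0 else 0


def noisy_predict_deterministic(x: Vector, sigma: float = 0.02) -> int:
    """Deterministic variant (assumed construction): the noise is seeded from
    the input itself, so per-input noise is still present but reproducible."""
    key = repr(tuple(round(v, 9) for v in x)).encode()
    seed = int(hashlib.sha256(key).hexdigest()[:16], 16)
    rng = random.Random(seed)
    return 1 if base_score(x) + rng.gauss(0.0, sigma) > 0 else 0


def subspace_grid_sweep(
    predict: Callable[[Vector], int],
    x: Vector,
    directions: Sequence[Vector],
    eps: float,
    steps: int,
) -> Tuple[Optional[Tuple[float, ...]], int]:
    """Brute-force every grid point x + sum_i a_i * v_i with a_i in [-eps, eps]
    (`steps` values per axis), skip points outside the L-inf budget, and
    return (first label-changing point or None, number of model queries)."""
    x0 = tuple(x)
    y0 = predict(x0)
    alphas = [-eps + i * (2 * eps / (steps - 1)) for i in range(steps)]
    queries = 0
    for coeffs in itertools.product(alphas, repeat=len(directions)):
        delta = [sum(a * v[j] for a, v in zip(coeffs, directions))
                 for j in range(len(x0))]
        if max(abs(d) for d in delta) > eps + 1e-12:
            continue  # outside the constraint: never queried
        cand = tuple(xi + d for xi, d in zip(x0, delta))
        queries += 1
        if predict(cand) != y0:
            return cand, queries
    return None, queries


def linf(a: Vector, b: Vector) -> float:
    return max(abs(u - v) for u, v in zip(a, b))


# Constructed input and a 2-D axis-aligned subspace of a 4-D input space.
X0 = (0.3, 0.1, 0.2, 0.5)
DIRS = ((1.0, 0.0, 0.0, 0.0), (0.0, 1.0, 0.0, 0.0))

if __name__ == "__main__":
    for eps in (0.05, 0.15):
        adv, q = subspace_grid_sweep(base_predict, X0, DIRS, eps, 7)
        print(f"eps={eps}: {'flipped' if adv else 'no flip'} after {q} queries")
    # Two identical sweeps of the deterministic variant agree; the
    # unseeded variant may not, which is what makes it hard to evaluate.
    r1 = subspace_grid_sweep(noisy_predict_deterministic, X0, DIRS, 0.15, 7)
    r2 = subspace_grid_sweep(noisy_predict_deterministic, X0, DIRS, 0.15, 7)
    print("deterministic variant reproducible:", r1 == r2)
```

With the constructed weights the clean model's margin at `X0` is 0.1, so a budget of 0.05 in the two chosen directions cannot reach the decision boundary and the sweep exhausts all 49 grid points, while a budget of 0.15 can. The query count the sweep returns is the cost of the evaluation; because the grid is enumerated rather than searched by gradient, a verdict does not depend on gradient quality or initialization, only on the chosen subspace, budget and grid resolution.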
Anonymous Url: I certify that there is no URL (e.g., github page) that could be used to find authors' identity.
Supplementary Material: zip
No Acknowledgement Section: I certify that there is no acknowledgement section in this submission for double blind review.
Submission Number: 7742