Bypassing Feature Squeezing by Increasing Adversary Strength
Yash Sharma, Pin-Yu Chen
Feb 12, 2018 (modified: Jun 04, 2018); ICLR 2018 Workshop Submission; readers: everyone
Abstract: Feature Squeezing is a recently proposed defense method which reduces the search space available to an adversary by coalescing samples that correspond to many different feature vectors in the original space into a single sample. It has been shown that feature squeezing defenses can be combined in a joint detection framework to achieve high detection rates against state-of-the-art attacks. However, we demonstrate on the MNIST and CIFAR-10 datasets that by increasing the adversary strength of said state-of-the-art attacks, one can bypass the detection framework with adversarial examples of minimal visual distortion. These results suggest that proposed defenses should be validated against stronger attack configurations.
TL;DR: By increasing the adversary strength of PGD and EAD, via the $\epsilon$ and $\kappa$ hyperparameters respectively, one can bypass the feature squeezing detection framework with adversarial examples of minimal visual distortion.
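The joint detection framework the abstract refers to, sketched as an added example that is not code from the paper or its authors. It assumes the usual formulation of the detector (maximum L1 gap between the model's prediction on an input and on each squeezed copy, compared with a threshold); the toy model, the 4-pixel inputs and the threshold are constructed for illustration.

```python
import math

def bit_depth_squeeze(x, bits):
    """Quantize pixels in [0, 1] to 2**bits levels (many inputs -> one sample)."""
    levels = 2 ** bits - 1
    return [math.floor(v * levels + 0.5) / levels for v in x]

def median_squeeze(x):
    """1-D median filter, window 3, edges replicated."""
    padded = [x[0]] + list(x) + [x[-1]]
    return [sorted(padded[i:i + 3])[1] for i in range(len(x))]

def toy_model(x):
    """Constructed 2-class model with hypothetical weights; returns probabilities."""
    logit0 = 10.0 * (x[0] - x[2])
    p0 = 1.0 / (1.0 + math.exp(-logit0))
    return [p0, 1.0 - p0]

def l1(p, q):
    return sum(abs(a - b) for a, b in zip(p, q))

# Squeezers combined by the joint detector (this choice is an assumption).
SQUEEZERS = {
    "bit_depth_1": lambda x: bit_depth_squeeze(x, 1),
    "median_3": median_squeeze,
}

def squeezer_scores(model, x):
    """L1 gap between the prediction on x and on each squeezed copy of x."""
    base = model(x)
    return {name: l1(base, model(sq(x))) for name, sq in SQUEEZERS.items()}

def joint_score(model, x):
    """Joint detection score: the largest gap over all squeezers."""
    return max(squeezer_scores(model, x).values())

def is_flagged(model, x, threshold):
    return joint_score(model, x) > threshold

THRESHOLD = 0.3                      # constructed, not a value from the paper
CLEAN = [0.0, 0.0, 1.0, 1.0]         # constructed sample
PERTURBED = [0.45, 0.0, 0.55, 1.0]   # constructed sample, not attack output

if __name__ == "__main__":
    for name, x in (("clean", CLEAN), ("perturbed", PERTURBED)):
        print(name, squeezer_scores(toy_model, x),
              "flagged" if is_flagged(toy_model, x, THRESHOLD) else "passed")
```

Only the bit-depth squeezer separates the perturbed sample here, which is why the scores are combined with a maximum; the threshold is the part the abstract says should be validated against stronger attack configurations.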