Open Peer Review. Open Publishing. Open Access. Open Discussion. Open Directory. Open Recommendations. Open API. Open Source.
Bypassing Feature Squeezing by Increasing Adversary Strength
Yash Sharma, Pin-Yu Chen
Feb 12, 2018 (modified: Feb 12, 2018)ICLR 2018 Workshop Submissionreaders: everyone
Abstract:Feature Squeezing is a recently proposed defense method which reduces the search space available to an adversary by coalescing samples that correspond
to many different feature vectors in the original space into a single
sample. It has been shown that feature squeezing defenses can be combined in a joint detection framework to achieve high detection rates against state-of-the-art attacks. However, we demonstrate on the MNIST and CIFAR-10 datasets that by increasing the adversary strength of said state-of-the-art attacks, one can bypass the detection framework with adversarial examples of minimal visual distortion. These results suggest for proposed defenses to validate against stronger attack configurations.
TL;DR:By increasing the adversary strength of PGD and EAD, via the $\epsilon$ and $\kappa$ hyperparameters respectively, one can bypass the feature squeezing detection framework with adversarial examples of minimal visual distortion.