Attacking the Madry Defense Model with $L_1$-based Adversarial Examples
Yash Sharma, Pin-Yu Chen

TL;DR
This paper shows that relaxing $L_\infty$ constraints enables the EAD attack to produce transferable adversarial examples with minimal visual distortion, challenging the adequacy of $L_\infty$ as a distortion measure.
Contribution
It demonstrates the effectiveness of the elastic-net attack (EAD) under relaxed $L_\infty$ constraints, highlighting its ability to generate visually minimal yet transferable adversarial examples.
Findings
EAD can generate transferable adversarial examples with high $L_\infty$ distortion.
Relaxing $L_\infty$ constraints reveals the limitations of using $L_\infty$ as the sole distortion metric.
EAD demonstrates robustness in creating adversarial examples despite high average $L_\infty$ distortions.
Abstract
The Madry Lab recently hosted a competition designed to test the robustness of their adversarially trained MNIST model. Attacks were constrained to perturb each pixel of the input image by a scaled maximal distortion = 0.3. This discourages the use of attacks which are not optimized on the distortion metric. Our experimental results demonstrate that by relaxing the constraint of the competition, the elastic-net attack to deep neural networks (EAD) can generate transferable adversarial examples which, despite their high average $L_\infty$ distortion, have minimal visual distortion. These results call into question the use of $L_\infty$ as a sole measure for visual distortion, and further demonstrate the power of EAD at generating robust adversarial examples.
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Advanced Malware Detection Techniques · Network Security and Intrusion Detection
