Bypassing Feature Squeezing by Increasing Adversary Strength
Yash Sharma, Pin-Yu Chen

TL;DR
This paper shows that increasing adversary strength can bypass feature squeezing defenses in image classification, highlighting the need for more robust defense validation against stronger attacks.
Contribution
It demonstrates that feature squeezing defenses can be circumvented by stronger attacks, challenging their effectiveness and emphasizing the importance of testing against powerful adversaries.
Findings
Feature squeezing can be bypassed with stronger attacks.
Detection frameworks are vulnerable to increased adversary strength.
Stronger attack configurations are necessary for validating defenses.
Abstract
Feature Squeezing is a recently proposed defense method which reduces the search space available to an adversary by coalescing samples that correspond to many different feature vectors in the original space into a single sample. It has been shown that feature squeezing defenses can be combined in a joint detection framework to achieve high detection rates against state-of-the-art attacks. However, we demonstrate on the MNIST and CIFAR-10 datasets that by increasing the adversary strength of said state-of-the-art attacks, one can bypass the detection framework with adversarial examples of minimal visual distortion. These results suggest that proposed defenses should be validated against stronger attack configurations.
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Anomaly Detection Techniques and Applications · Bacillus and Francisella bacterial research
