我们识别普遍对抗扰动（UAP）的性质，将它们与标准的对抗性扰动区分开来。具体而言，我们表明，由投影梯度下降产生的靶向UAPS表现出两种人对齐的特性：语义局部性和空间不变性，标准的靶向对抗扰动缺乏。我们还证明，除标准对抗扰动之外，UAPS含有明显较低的泛化信号 - 即，UAPS在比标准的对抗的扰动的较小程度上利用非鲁棒特征。

Adversarial examples have attracted significant attention in machine learning, but the reasons for their existence and pervasiveness remain unclear. We demonstrate that adversarial examples can be directly attributed to the presence of non-robust features: features (derived from patterns in the data distribution) that are highly predictive, yet brittle and (thus) incomprehensible to humans. After capturing these features within a theoretical framework, we establish their widespread existence in standard datasets. Finally, we present a simple setting where we can rigorously tie the phenomena we observe in practice to a misalignment between the (human-specified) notion of robustness and the inherent geometry of the data.

We show that there may exist an inherent tension between the goal of adversarial robustness and that of standard generalization. Specifically, training robust models may not only be more resource-consuming, but also lead to a reduction of standard accuracy. We demonstrate that this trade-off between the standard accuracy of a model and its robustness to adversarial perturbations provably exists in a fairly simple and natural setting. These findings also corroborate a similar phenomenon observed empirically in more complex settings. Further, we argue that this phenomenon is a consequence of robust classifiers learning fundamentally different feature representations than standard classifiers. These differences, in particular, seem to result in unexpected benefits: the representations learned by robust models tend to align better with salient data characteristics and human perception.

代表学习，即对下游应用有用的表示形式的产生，是一项基本重要性的任务，它是深层神经网络（DNNS）成功的基础。最近，对对抗性例子的鲁棒性已成为DNNS的理想特性，促进了解释对抗性例子的强大训练方法的发展。在本文中，我们旨在了解通过鲁棒培训所学的表示的特性与从标准的，非运动培训获得的培训的特性不同。这对于诊断稳健网络中的众多显着陷阱至关重要，例如，良性输入的性能降解，鲁棒性的概括不良以及过度拟合的增加。我们利用一组强大的工具在三个视觉数据集中被称为表示相似性指标，以获得具有不同体系结构，培训程序和对抗性约束的稳健和非稳健DNN之间的层次比较。我们的实验突出显示了迄今为止稳健表示的属性，我们认为，这是强大网络的行为差异的基础。我们发现在强大的网络的表示中缺乏专业化以及“块结构”的消失。我们还发现在强大的训练中过度拟合会在很大程度上影响更深的层。这些以及其他发现还为更好的健壮网络的设计和培训提出了前进的方向。

在本文中，我们询问视觉变形金刚（VIT）是否可以作为改善机器学习模型对抗逃避攻击的对抗性鲁棒性的基础结构。尽管较早的作品集中在改善卷积神经网络上，但我们表明VIT也非常适合对抗训练以实现竞争性能。我们使用自定义的对抗训练配方实现了这一目标，该配方是在Imagenet数据集的一部分上使用严格的消融研究发现的。与卷积相比，VIT的规范培训配方建议强大的数据增强，部分是为了补偿注意力模块的视力归纳偏置。我们表明，该食谱在用于对抗训练时可实现次优性能。相比之下，我们发现省略所有重型数据增强，并添加一些额外的零件（$ \ varepsilon $ -Warmup和更大的重量衰减），从而大大提高了健壮的Vits的性能。我们表明，我们的配方在完整的Imagenet-1k上概括了不同类别的VIT体系结构和大规模模型。此外，调查了模型鲁棒性的原因，我们表明，在使用我们的食谱时，在训练过程中产生强烈的攻击更加容易，这会在测试时提高鲁棒性。最后，我们通过提出一种量化对抗性扰动的语义性质并强调其与模型的鲁棒性的相关性来进一步研究对抗训练的结果。总体而言，我们建议社区应避免将VIT的规范培训食谱转换为在对抗培训的背景下进行强大的培训和重新思考常见的培训选择。

深神经网络容易受到对抗的例子（AES）的伤害，这具有对抗性转移性：为源模型产生的AES可以误导另一个（目标）模型的预测。然而，从阶级目标模型的预测被误导的角度来看，尚未理解的可转换性尚未理解（即，传播的可传送性）。在本文中，我们将目标模型预测与源模型（“相同错误”）或不同的错误类（“不同错误”）进行分析，以分析和提供对机制的解释。首先，我们的分析显示（1）与“非目标转移性”和（2）不同的错误在类似模型之间发生不同的错误，而不管扰动大小如何。其次，我们提出了一种证据表明，相同的差异和不同的错误可以通过非稳健的特征来解释，预测性但人的无法解释的模式：当AES中的非鲁棒特征被模型使用时发生不同的错误。因此，非鲁棒特征可以为AES的类感知转换性提供一致的解释。

Recent work has demonstrated that deep neural networks are vulnerable to adversarial examples-inputs that are almost indistinguishable from natural data and yet classified incorrectly by the network. In fact, some of the latest findings suggest that the existence of adversarial attacks may be an inherent weakness of deep learning models. To address this problem, we study the adversarial robustness of neural networks through the lens of robust optimization. This approach provides us with a broad and unifying view on much of the prior work on this topic. Its principled nature also enables us to identify methods for both training and attacking neural networks that are reliable and, in a certain sense, universal. In particular, they specify a concrete security guarantee that would protect against any adversary. These methods let us train networks with significantly improved resistance to a wide range of adversarial attacks. They also suggest the notion of security against a first-order adversary as a natural and broad security guarantee. We believe that robustness against such well-defined classes of adversaries is an important stepping stone towards fully resistant deep learning models. 1

现代神经网络Excel在图像分类中，但它们仍然容易受到常见图像损坏，如模糊，斑点噪音或雾。最近的方法关注这个问题，例如Augmix和Deepaulment，引入了在预期运行的防御，以期望图像损坏分布。相比之下，$ \ ell_p $ -norm界限扰动的文献侧重于针对最坏情况损坏的防御。在这项工作中，我们通过提出防范内人来调和两种方法，这是一种优化图像到图像模型的参数来产生对外损坏的增强图像的技术。我们理论上激发了我们的方法，并为其理想化版本的一致性以及大纲领提供了足够的条件。我们的分类机器在预期对CiFar-10-C进行的常见图像腐败基准上提高了最先进的，并改善了CIFAR-10和ImageNet上的$ \ ell_p $ -norm有界扰动的最坏情况性能。

对共同腐败的稳健性的文献表明对逆势培训是否可以提高这种环境的性能，没有达成共识。 First, we show that, when used with an appropriately selected perturbation radius, $\ell_p$ adversarial training can serve as a strong baseline against common corruptions improving both accuracy and calibration.然后，我们解释了为什么对抗性训练比具有简单高斯噪声的数据增强更好地表现，这被观察到是对共同腐败的有意义的基线。与此相关，我们确定了高斯增强过度适用于用于培训的特定标准偏差的$ \ sigma $ -oviting现象，这对培训具有显着不利影响的普通腐败精度。我们讨论如何缓解这一问题，然后如何通过学习的感知图像贴片相似度引入对抗性训练的有效放松来进一步增强$ \ ell_p $普发的培训。通过对CiFar-10和Imagenet-100的实验，我们表明我们的方法不仅改善了$ \ ell_p $普发的培训基线，而且还有累积的收益与Augmix，Deepaulment，Ant和Sin等数据增强方法，导致普通腐败的最先进的表现。我们的实验代码在HTTPS://github.com/tml-epfl/adv-training - 窗子上公开使用。

积极的数据增强是视觉变压器（VIT）的强大泛化能力的关键组成部分。一种这样的数据增强技术是对抗性培训;然而，许多先前的作品表明，这通常会导致清洁的准确性差。在这项工作中，我们展示了金字塔对抗训练，这是一种简单有效的技术来提高韦维尔的整体性能。我们将其与“匹配”辍学和随机深度正则化配对，这采用了干净和对抗样品的相同辍学和随机深度配置。类似于Advprop的CNNS的改进（不直接适用于VIT），我们的金字塔对抗性训练会破坏分销准确性和vit和相关架构的分配鲁棒性之间的权衡。当Imagenet-1K数据训练时，它导致ImageNet清洁准确性的182美元的vit-B模型的精确度，同时由7美元的稳健性指标同时提高性能，从$ 1.76 \％$至11.45 \％$。我们为Imagenet-C（41.4 MCE），Imagenet-R（$ 53.92 \％$），以及Imagenet-Sketch（41.04美元\％$）的新的最先进，只使用vit-b / 16骨干和我们的金字塔对抗训练。我们的代码将在接受时公开提供。

Adaptive attacks have (rightfully) become the de facto standard for evaluating defenses to adversarial examples. We find, however, that typical adaptive evaluations are incomplete. We demonstrate that thirteen defenses recently published at ICLR, ICML and NeurIPS-and which illustrate a diverse set of defense strategies-can be circumvented despite attempting to perform evaluations using adaptive attacks. While prior evaluation papers focused mainly on the end result-showing that a defense was ineffective-this paper focuses on laying out the methodology and the approach necessary to perform an adaptive attack. Some of our attack strategies are generalizable, but no single strategy would have been sufficient for all defenses. This underlines our key message that adaptive attacks cannot be automated and always require careful and appropriate tuning to a given defense. We hope that these analyses will serve as guidance on how to properly perform adaptive attacks against defenses to adversarial examples, and thus will allow the community to make further progress in building more robust models.

我们理论上和经验地证明，对抗性鲁棒性可以显着受益于半体验学习。从理论上讲，我们重新审视了Schmidt等人的简单高斯模型。这显示了标准和稳健分类之间的示例复杂性差距。我们证明了未标记的数据桥接这种差距：简单的半体验学习程序（自我训练）使用相同数量的达到高标准精度所需的标签实现高的强大精度。经验上，我们增强了CiFar-10，使用50万微小的图像，使用了8000万微小的图像，并使用强大的自我训练来优于最先进的鲁棒精度（i）$ \ ell_ infty $鲁棒性通过对抗培训和（ii）认证$ \ ell_2 $和$ \ ell_ \ infty $鲁棒性通过随机平滑的几个强大的攻击。在SVHN上，添加DataSet自己的额外训练集，删除的标签提供了4到10个点的增益，在使用额外标签的1点之内。

对抗性训练遭受了稳健的过度装备，这是一种现象，在训练期间鲁棒测试精度开始减少。在本文中，我们专注于通过使用常见的数据增强方案来减少强大的过度装备。我们证明，与先前的发现相反，当与模型重量平均结合时，数据增强可以显着提高鲁棒精度。此外，我们比较各种增强技术，并观察到空间组合技术适用于对抗性培训。最后，我们评估了我们在Cifar-10上的方法，而不是$ \ ell_ indty $和$ \ ell_2 $ norm-indeded扰动分别为尺寸$ \ epsilon = 8/255 $和$ \ epsilon = 128/255 $。与以前的最先进的方法相比，我们表现出+ 2.93％的绝对改善+ 2.93％，+ 2.16％。特别是，反对$ \ ell_ infty $ norm-indeded扰动尺寸$ \ epsilon = 8/255 $，我们的模型达到60.07％的强劲准确性而不使用任何外部数据。我们还通过这种方法实现了显着的性能提升，同时使用其他架构和数据集如CiFar-100，SVHN和TinyimageNet。

防御对抗例子仍然是一个空旷的问题。一个普遍的信念是，推理的随机性增加了寻找对抗性输入的成本。这种辩护的一个例子是将随机转换应用于输入之前，然后将其馈送到模型。在本文中，我们从经验和理论上研究了这种随机预处理的防御措施，并证明它们存在缺陷。首先，我们表明大多数随机防御措施比以前想象的要弱。他们缺乏足够的随机性来承受诸如投影梯度下降之类的标准攻击。这对长期以来的假设产生了怀疑，即随机防御能力无效，旨在逃避确定性的防御和迫使攻击者以整合对转型（EOT）概念的期望。其次，我们表明随机防御与对抗性鲁棒性和模型不变性之间的权衡面临。随着辩护模型获得更多的随机化不变性，它们变得不太有效。未来的工作将需要使这两种效果分解。我们的代码在补充材料中可用。

通用的对抗扰动（UAP）是不可察觉的，图像敏捷的矢量，引起深度神经网络（DNNS），从而从具有很高概率的数据分布中误分类输入。现有方法不会为转换创造强大的UAPS，从而将其适用性限制为现实世界攻击。在这项工作中，我们介绍了一个新的概念和强大的普遍对抗性扰动的表述。基于我们的公式，我们构建了一种小说，迭代算法，该算法利用了概率的鲁棒性界限来生成UAPS，以与通过组成任意亚差异性转换功能生成的转换产生鲁棒。我们对流行的CIFAR-10和ILSVRC 2012数据集进行了广泛的评估，该数据集测量了人类解剖性语义转换（例如旋转，对比变化等）在现实世界中常见的鲁棒性。我们的结果表明，我们生成的UAP比基线的UAP更强大。

It is common practice in deep learning to use overparameterized networks and train for as long as possible; there are numerous studies that show, both theoretically and empirically, that such practices surprisingly do not unduly harm the generalization performance of the classifier. In this paper, we empirically study this phenomenon in the setting of adversarially trained deep networks, which are trained to minimize the loss under worst-case adversarial perturbations. We find that overfitting to the training set does in fact harm robust performance to a very large degree in adversarially robust training across multiple datasets (SVHN, CIFAR-10, CIFAR-100, and ImageNet) and perturbation models ( ∞ and 2 ). Based upon this observed effect, we show that the performance gains of virtually all recent algorithmic improvements upon adversarial training can be matched by simply using early stopping. We also show that effects such as the double descent curve do still occur in adversarially trained models, yet fail to explain the observed overfitting. Finally, we study several classical and modern deep learning remedies for overfitting, including regularization and data augmentation, and find that no approach in isolation improves significantly upon the gains achieved by early stopping. All code for reproducing the experiments as well as pretrained model weights and training logs can be found at https://github.com/ locuslab/robust_overfitting.

删除攻击旨在通过略微扰动正确标记的训练示例的特征来大幅恶化学习模型的测试准确性。通过将这种恶意攻击正式地找到特定$ \ infty $ -wassersein球中的最坏情况培训数据，我们表明最小化扰动数据的对抗性风险相当于优化原始数据上的自然风险的上限。这意味着对抗性培训可以作为防止妄想攻击的原则防御。因此，通过普遍训练可以很大程度地回收测试精度。为了进一步了解国防的内部机制，我们披露了对抗性培训可以通过防止学习者过于依赖于自然环境中的非鲁棒特征来抵制妄想扰动。最后，我们将我们的理论调查结果与一系列关于流行的基准数据集进行了补充，这表明防御能够承受六种不同的实际攻击。在面对令人难以闻名的对手时，理论和经验结果投票给逆势训练。

Adversarial examples are perturbed inputs designed to fool machine learning models. Adversarial training injects such examples into training data to increase robustness. To scale this technique to large datasets, perturbations are crafted using fast single-step methods that maximize a linear approximation of the model's loss. We show that this form of adversarial training converges to a degenerate global minimum, wherein small curvature artifacts near the data points obfuscate a linear approximation of the loss. The model thus learns to generate weak perturbations, rather than defend against strong ones. As a result, we find that adversarial training remains vulnerable to black-box attacks, where we transfer perturbations computed on undefended models, as well as to a powerful novel single-step attack that escapes the non-smooth vicinity of the input data via a small random step. We further introduce Ensemble Adversarial Training, a technique that augments training data with perturbations transferred from other models. On ImageNet, Ensemble Adversarial Training yields models with stronger robustness to blackbox attacks. In particular, our most robust model won the first round of the NIPS 2017 competition on Defenses against Adversarial Attacks (Kurakin et al., 2017c). However, subsequent work found that more elaborate black-box attacks could significantly enhance transferability and reduce the accuracy of our models.

The study of adversarial robustness has so far largely focused on perturbations bound in p -norms. However, state-of-the-art models turn out to be also vulnerable to other, more natural classes of perturbations such as translations and rotations. In this work, we thoroughly investigate the vulnerability of neural network-based classifiers to rotations and translations. While data augmentation offers relatively small robustness, we use ideas from robust optimization and test-time input aggregation to significantly improve robustness. Finally we find that, in contrast to the p -norm case, first-order methods cannot reliably find worst-case perturbations. This highlights spatial robustness as a fundamentally different setting requiring additional study. 1

时间序列数据在许多现实世界中（例如，移动健康）和深神经网络（DNNS）中产生，在解决它们方面已取得了巨大的成功。尽管他们成功了，但对他们对对抗性攻击的稳健性知之甚少。在本文中，我们提出了一个通过统计特征（TSA-STAT）}称为时间序列攻击的新型对抗框架}。为了解决时间序列域的独特挑战，TSA-STAT对时间序列数据的统计特征采取限制来构建对抗性示例。优化的多项式转换用于创建比基于加性扰动的攻击（就成功欺骗DNN而言）更有效的攻击。我们还提供有关构建对抗性示例的统计功能规范的认证界限。我们对各种现实世界基准数据集的实验表明，TSA-STAT在欺骗DNN的时间序列域和改善其稳健性方面的有效性。 TSA-STAT算法的源代码可在https://github.com/tahabelkhouja/time-series-series-attacks-via-statity-features上获得