Deep neural networks are vulnerable to adversarial attacks. In this paper, we take the role of investigators who want to trace the attack and identify the source, that is, the particular model which the adversarial examples are generated from. Techniques derived would aid forensic investigation of attack incidents and serve as deterrence to potential attacks. We consider the buyers-seller setting where a machine learning model is to be distributed to various buyers and each buyer receives a slightly different copy with same functionality. A malicious buyer generates adversarial examples from a particular copy $\mathcal{M}_i$ and uses them to attack other copies. From these adversarial examples, the investigator wants to identify the source $\mathcal{M}_i$. To address this problem, we propose a two-stage separate-and-trace framework. The model separation stage generates multiple copies of a model for a same classification task. This process injects unique characteristics into each copy so that adversarial examples generated have distinct and traceable features. We give a parallel structure which embeds a ``tracer'' in each copy, and a noise-sensitive training loss to achieve this goal. The tracing stage takes in adversarial examples and a few candidate models, and identifies the likely source. Based on the unique features induced by the noise-sensitive loss function, we could effectively trace the potential adversarial copy by considering the output logits from each tracer. Empirical results show that it is possible to trace the origin of the adversarial example and the mechanism can be applied to a wide range of architectures and datasets.

机器学习模型容易受到对抗攻击的影响。在本文中，我们考虑将模型分发给多个用户的场景，其中恶意用户尝试攻击另一个用户。恶意用户探测其模型的副本以搜索对抗性样本，然后向受害者模型提出发现的样本以复制攻击。我们指出，通过将模型的不同副本分发给不同的用户，我们可以减轻攻击，使得在一份副本上发现的对手样本不会在另一个副本上工作。我们首先观察到培训具有不同随机性的模型确实减轻了某种程度的这种复制。但是，没有保证和再培训是计算昂贵的。接下来，我们提出了一种灵活的参数重写方法，可直接修改模型的参数。该方法不需要额外的训练，并且能够以更可控的方式在不同拷贝中诱导不同的对抗性样本。实验研究表明，我们的方法可以显着减轻攻击，同时保持高分类准确性。从这项研究中，我们认为有许多有价值的方向值得探索。

通过对数据集的样本应用小而有意的最差情况扰动可以产生对抗性输入，这导致甚至最先进的深神经网络，以高信任输出不正确的答案。因此，开发了一些对抗防御技术来提高模型的安全性和稳健性，并避免它们被攻击。逐渐，攻击者和捍卫者之间的游戏类似的竞争，其中两个玩家都会试图在最大化自己的收益的同时互相反对发挥最佳策略。为了解决游戏，每个玩家都基于对对手的战略选择的预测来选择反对对手的最佳策略。在这项工作中，我们正处于防守方面，以申请防止攻击的游戏理论方法。我们使用两个随机化方法，随机初始化和随机激活修剪，以创造网络的多样性。此外，我们使用一种去噪技术，超级分辨率，通过在攻击前预处理图像来改善模型的鲁棒性。我们的实验结果表明，这三种方法可以有效提高深度学习神经网络的鲁棒性。

深度神经网络容易受到对抗的例子，这可以通过添加微妙的扰动来欺骗深层模型。虽然现有的攻击已经取得了有希望的结果，但它仍然在黑盒设置下留下长途来产生可转移的对抗性示例。为此，本文提出提高对抗示例的可转移性，并将双阶段特征级扰动应用于现有模型，以隐式创建一组不同的模型。然后在迭代期间由纵向集合融合这些模型。该方法被称为双级网络侵蚀（DSNE）。我们对非残留和残余网络进行全面的实验，并获得更多可转移的对抗实例，其计算成本类似于最先进的方法。特别地，对于残余网络，通过将残余块信息偏置到跳过连接，可以显着改善对抗性示例的可转移性。我们的工作为神经网络的建筑脆弱性提供了新的见解，并对神经网络的稳健性带来了新的挑战。

有必要提高某些特殊班级的表现，或者特别保护它们免受对抗学习的攻击。本文提出了一个将成本敏感分类和对抗性学习结合在一起的框架，以训练可以区分受保护和未受保护的类的模型，以使受保护的类别不太容易受到对抗性示例的影响。在此框架中，我们发现在训练深神经网络（称为Min-Max属性）期间，一个有趣的现象，即卷积层中大多数参数的绝对值。基于这种最小的最大属性，该属性是在随机分布的角度制定和分析的，我们进一步建立了一个针对对抗性示例的新防御模型，以改善对抗性鲁棒性。构建模型的一个优点是，它的性能比标准模型更好，并且可以与对抗性训练相结合，以提高性能。在实验上证实，对于所有类别的平均准确性，我们的模型在没有发生攻击时几乎与现有模型一样，并且在发生攻击时比现有模型更好。具体而言，关于受保护类的准确性，提议的模型比发生攻击时的现有模型要好得多。

深度神经网络（DNN）已被证明是针对对抗性示例（AE）的脆弱性，这些例子是恶意设计用于欺骗目标模型的。添加了不可察觉的对抗扰动的正常示例（NES）可能是对DNN的安全威胁。尽管现有的AES检测方法已经达到了很高的精度，但他们未能利用检测到的AE的信息。因此，基于高维扰动提取，我们提出了一种无模型的AES检测方法，其整个过程没有查询受害者模型。研究表明，DNN对高维度敏感。对抗示例中隐藏的对抗性扰动属于高维特征，高维特征是高度预测性和非持胸膜的。 DNN比其他人从高维数据中学习更多细节。在我们的方法中，扰动提取器可以从AES作为高维特征提取对抗扰动，然后训练有素的AES鉴别器确定输入是否为AE。实验结果表明，所提出的方法不仅可以以高精度检测对抗示例，还可以检测AE的特定类别。同时，提取的扰动可用于将AE恢复到NES。

In the scenario of black-box adversarial attack, the target model's parameters are unknown, and the attacker aims to find a successful adversarial perturbation based on query feedback under a query budget. Due to the limited feedback information, existing query-based black-box attack methods often require many queries for attacking each benign example. To reduce query cost, we propose to utilize the feedback information across historical attacks, dubbed example-level adversarial transferability. Specifically, by treating the attack on each benign example as one task, we develop a meta-learning framework by training a meta-generator to produce perturbations conditioned on benign examples. When attacking a new benign example, the meta generator can be quickly fine-tuned based on the feedback information of the new task as well as a few historical attacks to produce effective perturbations. Moreover, since the meta-train procedure consumes many queries to learn a generalizable generator, we utilize model-level adversarial transferability to train the meta-generator on a white-box surrogate model, then transfer it to help the attack against the target model. The proposed framework with the two types of adversarial transferability can be naturally combined with any off-the-shelf query-based attack methods to boost their performance, which is verified by extensive experiments.

虽然深度神经网络在各种任务中表现出前所未有的性能，但对对抗性示例的脆弱性阻碍了他们在安全关键系统中的部署。许多研究表明，即使在黑盒设置中也可能攻击，其中攻击者无法访问目标模型的内部信息。大多数黑匣子攻击基于查询，每个都可以获得目标模型的输入输出，并且许多研究侧重于减少所需查询的数量。在本文中，我们注意了目标模型的输出完全对应于查询输入的隐含假设。如果将某些随机性引入模型中，它可以打破假设，因此，基于查询的攻击可能在梯度估计和本地搜索中具有巨大的困难，这是其攻击过程的核心。从这种动机来看，我们甚至观察到一个小的添加剂输入噪声可以中和大多数基于查询的攻击和名称这个简单但有效的方法小噪声防御（SND）。我们分析了SND如何防御基于查询的黑匣子攻击，并展示其与CIFAR-10和ImageNet数据集的八种最先进的攻击有效性。即使具有强大的防御能力，SND几乎保持了原始的分类准确性和计算速度。通过在推断下仅添加一行代码，SND很容易适用于预先训练的模型。

Recent work has demonstrated that deep neural networks are vulnerable to adversarial examples-inputs that are almost indistinguishable from natural data and yet classified incorrectly by the network. In fact, some of the latest findings suggest that the existence of adversarial attacks may be an inherent weakness of deep learning models. To address this problem, we study the adversarial robustness of neural networks through the lens of robust optimization. This approach provides us with a broad and unifying view on much of the prior work on this topic. Its principled nature also enables us to identify methods for both training and attacking neural networks that are reliable and, in a certain sense, universal. In particular, they specify a concrete security guarantee that would protect against any adversary. These methods let us train networks with significantly improved resistance to a wide range of adversarial attacks. They also suggest the notion of security against a first-order adversary as a natural and broad security guarantee. We believe that robustness against such well-defined classes of adversaries is an important stepping stone towards fully resistant deep learning models. 1

机器学习模型严重易于来自对抗性示例的逃避攻击。通常，对逆势示例的修改输入类似于原始输入的修改输入，在WhiteBox设置下由对手的WhiteBox设置构成，完全访问模型。然而，最近的攻击已经显示出使用BlackBox攻击的对逆势示例的查询号显着减少。特别是，警报是从越来越多的机器学习提供的经过培训的模型的访问界面中利用分类决定作为包括Google，Microsoft，IBM的服务提供商，并由包含这些模型的多种应用程序使用的服务提供商来利用培训的模型。对手仅利用来自模型的预测标签的能力被区别为基于决策的攻击。在我们的研究中，我们首先深入潜入最近的ICLR和SP的最先进的决策攻击，以突出发现低失真对抗采用梯度估计方法的昂贵性质。我们开发了一种强大的查询高效攻击，能够避免在梯度估计方法中看到的嘈杂渐变中的局部最小和误导中的截留。我们提出的攻击方法，ramboattack利用随机块坐标下降的概念来探索隐藏的分类器歧管，针对扰动来操纵局部输入功能以解决梯度估计方法的问题。重要的是，ramboattack对对对手和目标类别可用的不同样本输入更加强大。总的来说，对于给定的目标类，ramboattack被证明在实现给定查询预算的较低失真时更加强大。我们使用大规模的高分辨率ImageNet数据集来策划我们的广泛结果，并在GitHub上开源我们的攻击，测试样本和伪影。

许多最先进的ML模型在各种任务中具有优于图像分类的人类。具有如此出色的性能，ML模型今天被广泛使用。然而，存在对抗性攻击和数据中毒攻击的真正符合ML模型的稳健性。例如，Engstrom等人。证明了最先进的图像分类器可以容易地被任意图像上的小旋转欺骗。由于ML系统越来越纳入安全性和安全敏感的应用，对抗攻击和数据中毒攻击构成了相当大的威胁。本章侧重于ML安全的两个广泛和重要的领域：对抗攻击和数据中毒攻击。

Adversarial attacks pose safety and security concerns to deep learning applications, but their characteristics are under-explored. Yet largely imperceptible, a strong trace could have been left by PGD-like attacks in an adversarial example. Recall that PGD-like attacks trigger the ``local linearity'' of a network, which implies different extents of linearity for benign or adversarial examples. Inspired by this, we construct an Adversarial Response Characteristics (ARC) feature to reflect the model's gradient consistency around the input to indicate the extent of linearity. Under certain conditions, it qualitatively shows a gradually varying pattern from benign example to adversarial example, as the latter leads to Sequel Attack Effect (SAE). To quantitatively evaluate the effectiveness of ARC, we conduct experiments on CIFAR-10 and ImageNet for attack detection and attack type recognition in a challenging setting. The results suggest that SAE is an effective and unique trace of PGD-like attacks reflected through the ARC feature. The ARC feature is intuitive, light-weighted, non-intrusive, and data-undemanding.

在过去的几十年中，人工智能的兴起使我们有能力解决日常生活中最具挑战性的问题，例如癌症的预测和自主航行。但是，如果不保护对抗性攻击，这些应用程序可能不会可靠。此外，最近的作品表明，某些对抗性示例可以在不同的模型中转移。因此，至关重要的是避免通过抵抗对抗性操纵的强大模型进行这种可传递性。在本文中，我们提出了一种基于特征随机化的方法，该方法抵抗了八次针对测试阶段深度学习模型的对抗性攻击。我们的新方法包括改变目标网络分类器中的训练策略并选择随机特征样本。我们认为攻击者具有有限的知识和半知识条件，以进行最普遍的对抗性攻击。我们使用包括现实和合成攻击的众所周知的UNSW-NB15数据集评估了方法的鲁棒性。之后，我们证明我们的策略优于现有的最新方法，例如最强大的攻击，包括针对特定的对抗性攻击进行微调网络模型。最后，我们的实验结果表明，我们的方法可以确保目标网络并抵抗对抗性攻击的转移性超过60％。

作为反对攻击的最有效的防御方法之一，对抗性训练倾向于学习包容性的决策边界，以提高深度学习模型的鲁棒性。但是，由于沿对抗方向的边缘的大幅度和不必要的增加，对抗性训练会在自然实例和对抗性示例之间引起严重的交叉，这不利于平衡稳健性和自然准确性之间的权衡。在本文中，我们提出了一种新颖的对抗训练计划，以在稳健性和自然准确性之间进行更好的权衡。它旨在学习一个中度包容的决策边界，这意味着决策边界下的自然示例的边缘是中等的。我们称此方案为中等边缘的对抗训练（MMAT），该方案生成更细粒度的对抗示例以减轻交叉问题。我们还利用了经过良好培训的教师模型的逻辑来指导我们的模型学习。最后，MMAT在Black-Box和White-Box攻击下都可以实现高自然的精度和鲁棒性。例如，在SVHN上，实现了最新的鲁棒性和自然精度。

尽管机器学习系统的效率和可扩展性，但最近的研究表明，许多分类方法，尤其是深神经网络（DNN），易受对抗的例子;即，仔细制作欺骗训练有素的分类模型的例子，同时无法区分从自然数据到人类。这使得在安全关键区域中应用DNN或相关方法可能不安全。由于这个问题是由Biggio等人确定的。 （2013）和Szegedy等人。（2014年），在这一领域已经完成了很多工作，包括开发攻击方法，以产生对抗的例子和防御技术的构建防范这些例子。本文旨在向统计界介绍这一主题及其最新发展，主要关注对抗性示例的产生和保护。在数值实验中使用的计算代码（在Python和R）公开可用于读者探讨调查的方法。本文希望提交人们将鼓励更多统计学人员在这种重要的令人兴奋的领域的产生和捍卫对抗的例子。

深度神经网络容易受到通过对输入对难以察觉的变化进行制作的对抗性示例。但是，这些对手示例在适用于模型及其参数的白盒设置中最成功。寻找可转移到其他模型或在黑匣子设置中开发的对抗性示例显着更加困难。在本文中，我们提出了可转移的对抗性实例的方向聚集的对抗性攻击。我们的方法在攻击过程中使用聚集方向，以避免产生的对抗性示例在白盒模型上过度拟合。关于Imagenet的广泛实验表明，我们的提出方法显着提高了对抗性实例的可转移性，优于最先进的攻击，特别是对抗对抗性稳健的模型。我们所提出的方法的最佳平均攻击成功率达到94.6 \％，针对三种对手训练模型和94.8％抵御五种防御方法。它还表明，目前的防御方法不会阻止可转移的对抗性攻击。

与此同时，黑匣子对抗攻击已经吸引了令人印象深刻的注意，在深度学习安全领域的实际应用，同时，由于无法访问目标模型的网络架构或内部权重，非常具有挑战性。基于假设：如果一个例子对多种型号保持过逆势，那么它更有可能将攻击能力转移到其他模型，基于集合的对抗攻击方法是高效的，用于黑匣子攻击。然而，集合攻击的方式相当不那么调查，并且现有的集合攻击只是均匀地融合所有型号的输出。在这项工作中，我们将迭代集合攻击视为随机梯度下降优化过程，其中不同模型上梯度的变化可能导致众多局部Optima差。为此，我们提出了一种新的攻击方法，称为随机方差减少了整体（SVRE）攻击，这可以降低集合模型的梯度方差，并充分利用集合攻击。标准想象数据集的经验结果表明，所提出的方法可以提高对抗性可转移性，并且优于现有的集合攻击显着。

Recent increases in the computational demands of deep neural networks (DNNs) have sparked interest in efficient deep learning mechanisms, e.g., quantization or pruning. These mechanisms enable the construction of a small, efficient version of commercial-scale models with comparable accuracy, accelerating their deployment to resource-constrained devices. In this paper, we study the security considerations of publishing on-device variants of large-scale models. We first show that an adversary can exploit on-device models to make attacking the large models easier. In evaluations across 19 DNNs, by exploiting the published on-device models as a transfer prior, the adversarial vulnerability of the original commercial-scale models increases by up to 100x. We then show that the vulnerability increases as the similarity between a full-scale and its efficient model increase. Based on the insights, we propose a defense, $similarity$-$unpairing$, that fine-tunes on-device models with the objective of reducing the similarity. We evaluated our defense on all the 19 DNNs and found that it reduces the transferability up to 90% and the number of queries required by a factor of 10-100x. Our results suggest that further research is needed on the security (or even privacy) threats caused by publishing those efficient siblings.

The authors thank Nicholas Carlini (UC Berkeley) and Dimitris Tsipras (MIT) for feedback to improve the survey quality. We also acknowledge X. Huang (Uni. Liverpool), K. R. Reddy (IISC), E. Valle (UNICAMP), Y. Yoo (CLAIR) and others for providing pointers to make the survey more comprehensive.

Deep neural networks (DNNs) are one of the most prominent technologies of our time, as they achieve state-of-the-art performance in many machine learning tasks, including but not limited to image classification, text mining, and speech processing. However, recent research on DNNs has indicated ever-increasing concern on the robustness to adversarial examples, especially for security-critical tasks such as traffic sign identification for autonomous driving. Studies have unveiled the vulnerability of a well-trained DNN by demonstrating the ability of generating barely noticeable (to both human and machines) adversarial images that lead to misclassification. Furthermore, researchers have shown that these adversarial images are highly transferable by simply training and attacking a substitute model built upon the target model, known as a black-box attack to DNNs.Similar to the setting of training substitute models, in this paper we propose an effective black-box attack that also only has access to the input (images) and the output (confidence scores) of a targeted DNN. However, different from leveraging attack transferability from substitute models, we propose zeroth order optimization (ZOO) based attacks to directly estimate the gradients of the targeted DNN for generating adversarial examples. We use zeroth order stochastic coordinate descent along with dimension reduction, hierarchical attack and importance sampling techniques to * Pin-Yu Chen and Huan Zhang contribute equally to this work.