
Title: On the Limitations of Stochastic Pre-processing Defenses

Abstract: Defending against adversarial examples remains an open problem. A common belief is that randomness at inference increases the cost of finding adversarial inputs. An example of such a defense is to apply a random transformation to inputs prior to feeding them to the model. In this paper, we empirically and theoretically investigate such stochastic pre-processing defenses and demonstrate that they are flawed. First, we show that most stochastic defenses are weaker than previously thought; they lack sufficient randomness to withstand even standard attacks like projected gradient descent. This casts doubt on a long-held assumption that stochastic defenses invalidate attacks designed to evade deterministic defenses and force attackers to integrate the Expectation over Transformation (EOT) concept. Second, we show that stochastic defenses confront a trade-off between adversarial robustness and model invariance; they become less effective as the defended model acquires more invariance to their randomization. Future work will need to decouple these two effects. We also discuss implications and guidance for future research.
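The first finding above (that a single-sample gradient is usually enough, so the Expectation over Transformation step is often unnecessary) can be seen on a toy model. The following is an added example, not code from the paper or its authors: a linear classifier defended by random input dropout (a stand-in for a random pre-processing transform), attacked with L_inf PGD once using whatever mask the model drew on each step (plain PGD) and once averaging the gradient over K masks per step (EOT). The dimension, dropout rate, budget, step sizes, the weight vector and the clean input are all constructed for the illustration.

```python
"""Toy illustration of PGD vs EOT against a stochastic pre-processing defense.

Model: linear classifier on a [0,1]^d input, predicts class 1 iff w.z - t > 0.
Defense: random input dropout, z = x * m with m ~ Bernoulli(1-p)^d, drawn fresh
at every forward pass (stand-in for a "random transformation" applied to inputs).
Attacker: L_inf-bounded PGD that wants the defended model to predict class 0
on the clean input x0 (true label 1). Plain PGD uses the one mask the model drew
on each step; EOT averages the gradient over K masks. Everything here is
constructed (hypothetical) data, not an experiment from the paper.
"""
import numpy as np

D = 64          # input dimension
P_DROP = 0.3    # per-coordinate dropout probability of the defense
EPS = 0.25      # L_inf perturbation budget
ALPHA = 0.05    # PGD step size
STEPS = 20      # PGD iterations
K_EOT = 32      # masks averaged per step by EOT
N_EVAL = 500    # inference-time masks used to estimate a misclassification rate
MARGIN = 4.0    # expected clean logit under the defense (sets the threshold t)


def make_problem(seed=0):
    rng = np.random.default_rng(seed)
    w = rng.choice([-1.0, 1.0], size=D)
    # clean input that leans in the direction of w, so its label is 1
    x0 = np.where(w > 0, 0.75, 0.25)
    # threshold chosen so that E_m[w.(x0*m)] - t == MARGIN
    t = (1 - P_DROP) * (w @ x0) - MARGIN
    return w, t, x0


def sample_mask(rng, n=None):
    shape = (D,) if n is None else (n, D)
    return (rng.random(shape) >= P_DROP).astype(float)


def logit(w, t, x, m):
    """Defended forward pass: apply the random mask m, then the linear model."""
    return (x * m) @ w - t


def misclass_rate(w, t, x, rng):
    """Fraction of inference-time masks under which x is predicted as class 0."""
    masks = sample_mask(rng, N_EVAL)
    return float(np.mean(logit(w, t, x, masks) < 0))


def pgd(w, t, x0, rng, eot_samples=1):
    """L_inf PGD that drives the logit down.

    eot_samples=1 is standard PGD (one mask per step, whatever the model drew);
    eot_samples>1 averages the gradient over that many masks (EOT).
    """
    x = x0.copy()
    for _ in range(STEPS):
        masks = sample_mask(rng, eot_samples)
        # d logit / d x = w * m for one mask; EOT takes the mean over masks.
        # With one mask, masked-out coordinates have gradient 0 and do not move.
        grad = (masks * w).mean(axis=0)
        x = x - ALPHA * np.sign(grad)
        x = np.clip(x, x0 - EPS, x0 + EPS)   # project back onto the eps-ball
        x = np.clip(x, 0.0, 1.0)             # keep a valid input
    return x


def run(seed=0):
    """Misclassification rate of the defended model on clean, PGD and EOT inputs."""
    w, t, x0 = make_problem(seed)
    attack_rng = np.random.default_rng(seed + 1)
    x_pgd = pgd(w, t, x0, attack_rng, eot_samples=1)
    x_eot = pgd(w, t, x0, attack_rng, eot_samples=K_EOT)
    eval_rng = np.random.default_rng(seed + 2)
    return {
        "clean": misclass_rate(w, t, x0, eval_rng),
        "pgd": misclass_rate(w, t, x_pgd, eval_rng),
        "eot": misclass_rate(w, t, x_eot, eval_rng),
    }


if __name__ == "__main__":
    for name, rate in run().items():
        print(f"{name:>5}: wrong class on {rate:.1%} of inference-time masks")
```

What to look for: on each plain-PGD step only the roughly 70% of coordinates that survived the mask move, but the sign of the gradient on a surviving coordinate is the same as its expectation, so after enough steps every coordinate still reaches the corner of the eps-ball and the defended model is fooled on nearly every inference-time mask; EOT just gets there in fewer steps. That is the abstract's first point in miniature: the randomness changes which coordinates move per step, not where the attack ends up. The toy also hints at the second point: the defense would need to change the gradient's direction, not merely mask it, to resist a single-sample attack, and a model trained to be invariant to the mask would remove even that.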
Comments: Accepted by Proceedings of the 36th Conference on Neural Information Processing Systems
Subjects: Machine Learning (cs.LG); Cryptography and Security (cs.CR)
Cite as: arXiv:2206.09491 [cs.LG]
  (or arXiv:2206.09491v3 [cs.LG] for this version)

Submission history

From: Yue Gao [view email]
[v1] Sun, 19 Jun 2022 21:54:42 GMT (298kb,D)
[v2] Wed, 28 Sep 2022 02:51:44 GMT (2078kb,D)
[v3] Tue, 11 Oct 2022 23:08:30 GMT (2080kb,D)
