Adversarial Attacks on ML Defense Models Competition (2110.08042v1)

Abstract: Due to the vulnerability of deep neural networks (DNNs) to adversarial examples, a large number of defense techniques have been proposed to alleviate this problem in recent years. However, the progress of building more robust models is usually hampered by the incomplete or incorrect robustness evaluation. To accelerate the research on reliable evaluation of adversarial robustness of the current defense models in image classification, the TSAIL group at Tsinghua University and the Alibaba Security group organized this competition along with a CVPR 2021 workshop on adversarial machine learning (https://aisecure-workshop.github.io/amlcvpr2021/). The purpose of this competition is to motivate novel attack algorithms to evaluate adversarial robustness more effectively and reliably. The participants were encouraged to develop stronger white-box attack algorithms to find the worst-case robustness of different defenses. This competition was conducted on an adversarial robustness evaluation platform -- ARES (https://github.com/thu-ml/ares), and is held on the TianChi platform (https://tianchi.aliyun.com/competition/entrance/531847/introduction) as one of the series of AI Security Challengers Program. After the competition, we summarized the results and established a new adversarial robustness benchmark at https://ml.cs.tsinghua.edu.cn/ares-bench/, which allows users to upload adversarial attack algorithms and defense models for evaluation.

• The paper introduces a competition framework for rigorous evaluation of white-box adversarial attacks on ML defense models using CIFAR-10 and ImageNet.
• The paper highlights effective attack strategies, including enhanced step scheduling and Output Diversified Initialization, which improved misclassification rates.
• The paper demonstrates significant collaboration between academia and industry, advancing both practical and theoretical insights in adversarial robustness.

Adversarial Attacks on ML Defense Models Competition

The paper "Adversarial Attacks on ML Defense Models Competition" presents insights from a competition aimed at enhancing the evaluation of adversarial robustness in machine learning models, particularly in the context of image classification. This initiative was structured to generate innovative attack strategies to rigorously test the resilience of defense mechanisms against adversarial examples. The competition was orchestrated by the TSAIL group at Tsinghua University in collaboration with Alibaba Security Group, embodying a blend of academia and industry expertise.

The vulnerability of deep neural networks (DNNs) to adversarial attacks has prompted an influx of defense strategies over recent years. However, accurately assessing these defenses remains a significant hurdle, often due to incomplete evaluations or adaptive attacks rendering existing defenses inadequate. The competition sought to address these challenges by fostering stronger white-box attack methodologies, particularly those employing gradient-based techniques.

Competition Structure

The competition unfolded over three comprehensive stages:

1. Stage I involved evaluating white-box attacks on 15 defense models, predominantly trained on CIFAR-10, with a few on ImageNet. This initial phase was designed to assess the attack capabilities against known models using a limited dataset.
2. Stage II introduced another set of 15 secret models, using the same image datasets as Stage I, to prevent participants from tailoring their attacks to specific model weaknesses from the first stage.
3. Final Stage expanded the dataset to include the entire CIFAR-10 test set and a larger selection from ImageNet, aiming to provide a thorough evaluation of attack efficacy across a broader spectrum.

Participants developed attack algorithms executed on the ARES platform, emphasizing both accuracy and computational efficiency. An essential component of the evaluation was the misclassification rate induced by the attacks, reflecting their potency.

Strong Numerical Results and Bold Claims

The competition attracted over 1,600 teams and generated more than 2,500 submissions, culminating in valuable advancements in adversarial attack methodologies. The top strategies predominantly focused on enhancing step size schedules, leveraging innovative initialization techniques like the Output Diversified Initialization (ODI), and modularizing attacks to cope with varying model robustness.

Several results stand out:

• The first-place team improved attack success with a score of 51.104 by introducing adjustments such as step decay and bias in output diversity initialization.
• Other top scoring strategies also employed enhancements in step scheduling and targeted loss functions, highlighting the ongoing evolution of adversarial attack strategies.

Implications and Future Directions

The competition provides a robust framework for evaluating adversarial robustness, offering an online benchmark where researchers can submit their attack and defense methods for evaluation. This benefits both practical applications, by enhancing model security, and theoretical developments in adversarial learning.

A critical implication of this research is the necessity for continuous adaptation in both attack and defense mechanisms. As adversarial strategies evolve, so too must the corresponding defenses, suggesting a cyclic progression in adversarial research.

In future developments, integrating these adversarial robustness evaluations into real-world applications, such as autonomous driving and healthcare, will be crucial. The comprehensive testing facilitated by this competition sets a precedent for systematic robustness evaluation across varying domains and model architectures.

Conclusion

The Adversarial Attacks on ML Defense Models competition significantly contributes to the understanding and advancement of evaluating machine learning defenses against adversarial attacks. It emphasizes the importance of reliable robustness assessment and encourages the development of comprehensive attack methods to drive progress in this critical area of AI security research. The ongoing efforts to maintain and expand the adversarial robustness benchmark post-competition underscore the commitment to fostering innovation and collaboration in the field.