- Adversarial Robustness in Machine Learning
- Anomaly Detection Techniques and Applications
- Domain Adaptation and Few-Shot Learning
- Advanced Neural Network Applications
- Topic Modeling
- Generative Adversarial Networks and Image Synthesis
- Natural Language Processing Techniques
- Privacy-Preserving Technologies in Data
- Advanced Malware Detection Techniques
- Model Reduction and Neural Networks
- Face recognition and analysis
- Explainable Artificial Intelligence (XAI)
- Biometric Identification and Security
- Nuclear Materials and Properties
- Integrated Circuits and Semiconductor Failure Analysis
- Image Enhancement Techniques
- Music and Audio Processing
- Forensic and Genetic Research
- Bacillus and Francisella bacterial research
- Physical Unclonable Functions (PUFs) and Hardware Security
- Multimodal Machine Learning Applications
- Digital Media Forensic Detection
- Machine Learning in Materials Science
- COVID-19 diagnosis using AI
- Artificial Intelligence in Law
Tsinghua University
2017-2022
Robert Bosch (India)
2021
Beijing Jiaotong University
2021
Robert Bosch (Taiwan)
2020
Ningbo University
2019
Shanghai Electric (China)
2019
Deep neural networks are vulnerable to adversarial examples, which poses security concerns on these algorithms due to the potentially severe consequences. Adversarial attacks serve as an important surrogate to evaluate the robustness of deep learning models before they are deployed. However, most existing adversarial attacks can only fool a black-box model with a low success rate. To address this issue, we propose a broad class of momentum-based iterative algorithms to boost adversarial attacks. By integrating the momentum term into the iterative process for attacks, our...
Neural networks are vulnerable to adversarial examples, which poses a threat to their application in security-sensitive systems. We propose a high-level representation guided denoiser (HGD) as a defense for image classification. A standard denoiser suffers from the error amplification effect, in which small residual adversarial noise is progressively amplified and leads to wrong classifications. HGD overcomes this problem by using a loss function defined as the difference between the target model's outputs activated by the clean image and the denoised image....
Deep neural networks are vulnerable to adversarial examples, which can mislead classifiers by adding imperceptible perturbations. An intriguing property of adversarial examples is their good transferability, making black-box attacks feasible in real-world applications. Due to the threat of adversarial attacks, many methods have been proposed to improve robustness. Several state-of-the-art defenses have been shown to be robust against transferable adversarial examples. In this paper, we propose a translation-invariant attack method to generate more...
Deep neural networks are vulnerable to adversarial examples, which has become one of the most important research problems in the development of deep learning. While a lot of effort has been made in recent years, it is of great significance to perform correct and complete evaluations of adversarial attack and defense algorithms. In this paper, we establish a comprehensive, rigorous, and coherent benchmark to evaluate adversarial robustness on image classification tasks. After briefly reviewing plenty of representative methods, large-scale experiments...
Though deep neural networks have achieved significant progress on various tasks, often enhanced by model ensemble, existing high-performance models can be vulnerable to adversarial attacks. Many efforts have been devoted to enhancing the robustness of individual networks and then constructing a straightforward ensemble, e.g., directly averaging the outputs, which ignores the interaction among networks. This paper presents a new method that explores how to improve robustness for ensemble models. Technically, we define a notion of ensemble diversity in the adversarial setting...
Although the recent progress is substantial, deep learning methods can be vulnerable to maliciously generated adversarial examples. In this paper, we present a novel training procedure and a thresholding test strategy towards robust detection of adversarial examples. In training, we propose to minimize the reverse cross-entropy (RCE), which encourages the network to learn latent representations that better distinguish adversarial examples from normal ones. In testing, we use the thresholding strategy as a detector to filter out adversarial examples for reliable predictions. Our method is simple...
We consider the black-box adversarial setting, where the adversary has to generate adversarial perturbations without access to the target models to compute gradients. Previous methods tried to approximate the gradient either by using the transfer gradient of a surrogate white-box model, or based on query feedback. However, these methods often suffer from low attack success rates or poor query efficiency, since it is non-trivial to estimate the gradient in a high-dimensional space with limited information. To address these problems, we propose a prior-guided random gradient-free...
Adversarial training (AT) is one of the most effective strategies for promoting model robustness. However, recent benchmarks show that the proposed improvements on AT are less effective than simply early stopping the training procedure. This counter-intuitive fact motivates us to investigate the implementation details of tens of AT methods. Surprisingly, we find that the basic settings (e.g., weight decay, training schedule, etc.) used in these methods are highly inconsistent. In this work, we provide comprehensive evaluations on CIFAR-10, focusing on the effects...
As billions of personal photos are being shared through social media and networks, privacy and security have drawn increasing attention. Several attempts have been made to alleviate the leakage of identity information from face photos, with the aid of, e.g., image obfuscation techniques. However, most present results are either perceptually unsatisfactory or ineffective against face recognition systems. Our goal in this paper is to develop a technique that can encrypt photos such that they protect users from unauthorized face recognition systems...
Although deep neural networks (DNNs) have made rapid progress in recent years, they are vulnerable in adversarial environments. A malicious backdoor could be embedded in a model by poisoning the training dataset, whose intention is to make the infected model give wrong predictions during inference when the specific trigger appears. To mitigate the potential threats of backdoor attacks, various backdoor detection and defense methods have been proposed. However, the existing techniques usually require the poisoned training data or access to the white-box model,...
It has been recognized that the data generated by the denoising diffusion probabilistic model (DDPM) improves adversarial training. After two years of rapid development in diffusion models, a question naturally arises: can better diffusion models further improve adversarial training? This paper gives an affirmative answer by employing the most recent diffusion model, which has higher efficiency ($\sim 20$ sampling steps) and image quality (lower FID score) compared with DDPM. Our adversarially trained models achieve state-of-the-art performance on RobustBench...
Previous work shows that adversarially robust generalization requires larger sample complexity, and the same dataset, e.g., CIFAR-10, which enables good standard accuracy may not suffice to train robust models. Since collecting new training data could be costly, we focus on better utilizing the given data by inducing regions with high sample density in the feature space, which could lead to locally sufficient samples for robust learning. We first formally show that the softmax cross-entropy (SCE) loss and its variants convey inappropriate supervisory...
Adversarial training (AT) is one of the most effective defenses against adversarial attacks for deep learning models. In this work, we advocate incorporating the hypersphere embedding (HE) mechanism into the AT procedure by regularizing the features onto compact manifolds, which constitutes a lightweight yet effective module to blend in the strength of representation learning. Our extensive analyses reveal that AT and HE are well coupled to benefit the robustness of adversarially trained models from several aspects. We validate...
Adversarial training (AT) is among the most effective techniques to improve model robustness by augmenting training data with adversarial examples. However, existing AT methods adopt a specific attack to craft adversarial examples, leading to unreliable robustness against other unseen attacks. Besides, a single attack algorithm could be insufficient to explore the space of perturbations. In this paper, we introduce adversarial distributional training (ADT), a novel framework for learning robust models. ADT is formulated as a minimax optimization problem, where the inner...
Large vision-language models (VLMs) such as GPT-4 have achieved unprecedented performance in response generation, especially with visual inputs, enabling more creative and adaptable interaction than large language models such as ChatGPT. Nonetheless, multimodal generation exacerbates safety concerns, since adversaries may successfully evade the entire system by subtly manipulating the most vulnerable modality (e.g., vision). To this end, we propose evaluating the robustness of open-source VLMs in realistic, high-risk...
It has been widely recognized that adversarial examples can be easily crafted to fool deep networks, which mainly roots from the locally non-linear behavior nearby input examples. Applying mixup in training provides an effective mechanism to improve generalization performance and model robustness against input perturbations, since it introduces globally linear behavior in-between training examples. However, in previous work, mixup-trained models only passively defend against adversarial attacks in inference by directly classifying the inputs, where the induced global...
Adversarial attacks have been extensively studied in recent years since they can identify the vulnerability of deep learning models before they are deployed. In this paper, we consider the black-box adversarial setting, where the adversary needs to craft adversarial examples without access to the gradients of a target model. Previous methods attempted to approximate the true gradient either by using the transfer gradient of a surrogate white-box model or based on the feedback of queries. However, existing methods inevitably suffer from low attack success rates or poor...