It is becoming increasingly imperative to design robust ML defenses. However, recent work has found that many defenses that initially resist state-of-the-art attacks can be broken by an adaptive adversary. In this work we take steps to simplify the design of defenses and argue that white-box defenses should eschew randomness when possible. We begin by illustrating a new issue with the deployment of randomized defenses that reduces their security compared to their deterministic counterparts. We then provide evidence that making defenses deterministic simplifies robustness evaluation, without reducing the effectiveness of a truly robust defense. Finally, we introduce a new defense evaluation framework that leverages a defense's deterministic nature to better evaluate its adversarial robustness.