Slope: A First-order Approach for Measuring Gradient Obfuscation
Published in In the proceedings of ESANN 2021 - European Symposium on Artificial Neural Networks, Computational Intelligence and Machine Learning, 2021
Recommended citation: Maura Pintor, Luca Demetrio, Giovanni Manca, Battista Biggio, Fabio Roli, "Slope: A First-order Approach for Measuring Gradient Obfuscation." In the proceedings of ESANN 2021 - European Symposium on Artificial Neural Networks, Computational Intelligence and Machine Learning, 2021. https://www.esann.org/sites/default/files/proceedings/2021/ES2021-99.pdf
Abstract:
Evaluating adversarial robustness is a challenging problem. Many defenses have been shown to provide a false sense of security by unintentionally obfuscating gradients, hindering the optimization process of gradient-based attacks. Such defenses have been subsequently shown to fail against adaptive attacks crafted to circumvent gradient obfuscation. In this work, we present Slope, a metric that detects obfuscated gradients by comparing the expected and the actual increase of the attack loss after one iteration. We show that our metric can detect the presence of obfuscated gradients in many documented cases, providing a useful debugging tool towards improving adversarial robustness evaluations.
BibTeX:
@conference{pintor2021slope,
author = {Pintor, Maura and Demetrio, Luca and Manca, Giovanni and Biggio, Battista and Roli, Fabio},
title = {Slope: A First-order Approach for Measuring Gradient Obfuscation},
booktitle = {ESANN 2021 - European Symposium on Artificial Neural Networks, Computational Intelligence and Machine Learning},
year = {2021},
url = {https://www.esann.org/sites/default/files/proceedings/2021/ES2021-99.pdf}
}