Pith. sign in

REVIEW

Randomness in ML Defenses Helps Persistent Attackers and Hinders Evaluators

Not yet reviewed by Pith; the record is open.

This paper has not been read by Pith yet. Machine review is queued; the pith claim, tier, and objections will appear here once it completes.

SPECIMEN: schema-true, not a live event

T0 review · schema-true

One-sentence machine reading of the paper's core claim.

pith:XXXXXXXX · record.json · timestamp

arxiv 2302.13464 v1 pith:5RK7T5T5 submitted 2023-02-27 cs.LG cs.CR

Randomness in ML Defenses Helps Persistent Attackers and Hinders Evaluators

classification cs.LG cs.CR
keywords defensesdefensedeterministicdesignevaluationrandomnessrobustrobustness
verification ladder T0 review T1 audit T2 compute T3 formal T4 reserved
0 comments
read the original abstract

It is becoming increasingly imperative to design robust ML defenses. However, recent work has found that many defenses that initially resist state-of-the-art attacks can be broken by an adaptive adversary. In this work we take steps to simplify the design of defenses and argue that white-box defenses should eschew randomness when possible. We begin by illustrating a new issue with the deployment of randomized defenses that reduces their security compared to their deterministic counterparts. We then provide evidence that making defenses deterministic simplifies robustness evaluation, without reducing the effectiveness of a truly robust defense. Finally, we introduce a new defense evaluation framework that leverages a defense's deterministic nature to better evaluate its adversarial robustness.

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.