Publication | Open Access
Obfuscated Gradients Give a False Sense of Security: Circumventing Defenses to Adversarial Examples
Citations: 1.2K | References: 28 | Year: 2018
Engineering, Machine Learning, Evasion Technique, Information Security, AI Safety, Information Forensics, Side-channel Attack, Software Analysis, Formal Verification, Data Science, Adversarial Machine Learning, Adversarial Examples, Obfuscated Gradients, Gradient Masking, Computer Engineering, Data Privacy, Computer Science, Data Security, False Sense, Cryptography, Program Analysis, Attack Model, ICLR 2018, Obfuscation (Software)
The study aims to characterize defenses that exhibit obfuscated gradients and to develop attack techniques for each of the three identified types. The authors analyze defense mechanisms, identify three categories of obfuscated gradients, and design corresponding attacks to bypass them. They demonstrate that obfuscated gradients create a false sense of security, are present in 7 of 9 examined white‑box defenses, and that their attacks successfully circumvent six defenses entirely and one partially.
We identify obfuscated gradients, a kind of gradient masking, as a phenomenon that leads to a false sense of security in defenses against adversarial examples. While defenses that cause obfuscated gradients appear to defeat iterative optimization-based attacks, we find defenses relying on this effect can be circumvented. We describe characteristic behaviors of defenses exhibiting the effect, and for each of the three types of obfuscated gradients we discover, we develop attack techniques to overcome it. In a case study, examining non-certified white-box-secure defenses at ICLR 2018, we find obfuscated gradients are a common occurrence, with 7 of 9 defenses relying on obfuscated gradients. Our new attacks successfully circumvent 6 completely, and 1 partially, in the original threat model each paper considers.