Timezone: »

Fundamental Tradeoffs between Invariance and Sensitivity to Adversarial Perturbations
Florian Tramer · Jens Behrmann · Nicholas Carlini · Nicolas Papernot · Joern-Henrik Jacobsen

Wed Jul 15 08:00 AM -- 08:45 AM & Wed Jul 15 08:00 PM -- 08:45 PM (PDT) @

Adversarial examples are malicious inputs crafted to induce misclassification. Commonly studied \emph{sensitivity-based} adversarial examples introduce semantically-small changes to an input that result in a different model prediction. This paper studies a complementary failure mode, \emph{invariance-based} adversarial examples, that introduce minimal semantic changes that modify an input's true label yet preserve the model's prediction. We demonstrate fundamental tradeoffs between these two types of adversarial examples. We show that defenses against sensitivity-based attacks actively harm a model's accuracy on invariance-based attacks, and that new approaches are needed to resist both attack types. In particular, we break state-of-the-art adversarially-trained and \emph{certifiably-robust} models by generating small perturbations that the models are (provably) robust to, yet that change an input's class according to human labelers. Finally, we formally show that the existence of excessively invariant classifiers arises from the presence of \emph{overly-robust} predictive features in standard datasets.

Author Information

Florian Tramer (Stanford University)
Jens Behrmann (University of Bremen)
Nicholas Carlini (Google)
Nicolas Papernot (University of Toronto and Vector Institute)
Joern-Henrik Jacobsen (Apple Inc.)

More from the Same Authors