Et Tu Certifications: Robustness Certificates Yield Better Adversarial Examples

Andrew Craig Cullen, Shijie Liu, Paul Montague, Sarah Monazam Erfani, Benjamin I. P. Rubinstein
Proceedings of the 41st International Conference on Machine Learning, PMLR 235:9745-9761, 2024.

Abstract

In guaranteeing the absence of adversarial examples in an instance's neighbourhood, certification mechanisms play an important role in demonstrating neural net robustness. In this paper, we ask if these certifications can compromise the very models they help to protect? Our new Certification Aware Attack exploits certifications to produce computationally efficient norm-minimising adversarial examples 74% more often than comparable attacks, while reducing the median perturbation norm by more than 10%. While these attacks can be used to assess the tightness of certification bounds, they also highlight that releasing certifications can paradoxically reduce security.
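The security point of the abstract is that a robustness certificate is information: a certified radius r around x is a sound promise that no adversarial example lies within distance r of x, so an attacker who is handed r knows exactly which region is not worth searching. The toy below is an added illustration of that leak and is not code from the paper; the authors' Certification Aware Attack is not reproduced here. It assumes a constructed linear classifier (chosen because its exact L2 certified radius has a closed form), a constructed input, and a simple step-then-bisect search in an ascent direction that is assumed known; the function names, constants and query counts are all this example's own.

```python
import math

# Constructed toy target (not the paper's models): a linear classifier
# f(x) = w.x + b with label sign(f(x)).  A linear model is used because its
# exact L2 certified radius has a closed form, so the attacker can be handed
# a certificate that is genuinely sound and then exploit it.
W = [0.6, -0.8]
B = 0.1037


def logit(x):
    return sum(wi * xi for wi, xi in zip(W, x)) + B


def predict(x):
    """Label oracle the attacker queries; every call is counted as one query."""
    return 1 if logit(x) >= 0 else -1


def certified_radius(x):
    """Exact L2 certified radius of a linear classifier: |f(x)| / ||w||_2.
    No point within this distance of x changes label, so releasing it tells an
    attacker where *not* to search."""
    return abs(logit(x)) / math.sqrt(sum(wi * wi for wi in W))


def ascent_direction(x):
    """Unit vector along which the logit moves towards the decision boundary.
    (For a real network this would be a gradient estimate; assumed known here.)"""
    sign = -predict(x)
    n = math.sqrt(sum(wi * wi for wi in W))
    return [sign * wi / n for wi in W]


def norm_search_attack(x, step=0.01, max_norm=1.0, tol=1e-3, start_norm=0.0):
    """Find a small-norm adversarial example along the ascent direction.

    Phase 1: walk outwards from start_norm in increments of `step`, querying the
    oracle, until the label flips.  Phase 2: bisect between the last clean norm
    and the first flipping norm until the bracket is narrower than `tol`.

    start_norm=0 is the naive attacker.  start_norm=certified_radius(x) is the
    certificate-aware attacker, who skips the ball the certificate already
    proves to be free of adversarial examples and starts with a sound lower
    bound on the minimal perturbation norm.
    Returns a dict with the adversarial point, its norm and the query count.
    """
    y = predict(x)
    d = ascent_direction(x)
    queries = 0

    def perturb(n):
        return [xi + n * di for xi, di in zip(x, d)]

    def flipped(n):
        nonlocal queries
        queries += 1
        return predict(perturb(n)) != y

    lo, hi = start_norm, None  # lo is always a norm known to be non-adversarial
    k = 1
    while start_norm + k * step <= max_norm:
        n = start_norm + k * step
        if flipped(n):
            hi = n
            break
        lo = n
        k += 1
    if hi is None:
        return {"x_adv": None, "norm": None, "queries": queries}

    while hi - lo > tol:
        mid = (lo + hi) / 2
        if flipped(mid):
            hi = mid
        else:
            lo = mid
    return {"x_adv": perturb(hi), "norm": hi, "queries": queries}


def compare_attacks(x):
    """Run the naive and the certificate-aware attacker on the same input."""
    naive = norm_search_attack(x)
    aware = norm_search_attack(x, start_norm=certified_radius(x))
    return naive, aware


if __name__ == "__main__":
    x0 = [1.0, 1.0]  # constructed input: logit(x0) = -0.0963, certified radius 0.0963
    naive, aware = compare_attacks(x0)
    print(f"certified radius  : {certified_radius(x0):.4f}")
    print(f"naive attacker    : norm {naive['norm']:.4f} after {naive['queries']} queries")
    print(f"certificate-aware : norm {aware['norm']:.4f} after {aware['queries']} queries")
```

Both attackers end within `tol` of the true boundary along this direction, but the naive one spends ten oracle queries walking through a region the certificate already declared clean, while the certificate-aware one needs a single query to find the first flip. The same observation is what makes these attacks useful for checking how tight a certificate is: if the smallest adversarial norm found sits well above the certified radius, the bound is loose.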

Cite this Paper


BibTeX
@InProceedings{pmlr-v235-cullen24a,
  title     = {Et Tu Certifications: Robustness Certificates Yield Better Adversarial Examples},
  author    = {Cullen, Andrew Craig and Liu, Shijie and Montague, Paul and Erfani, Sarah Monazam and Rubinstein, Benjamin I. P.},
  booktitle = {Proceedings of the 41st International Conference on Machine Learning},
  pages     = {9745--9761},
  year      = {2024},
  editor    = {Salakhutdinov, Ruslan and Kolter, Zico and Heller, Katherine and Weller, Adrian and Oliver, Nuria and Scarlett, Jonathan and Berkenkamp, Felix},
  volume    = {235},
  series    = {Proceedings of Machine Learning Research},
  month     = {21--27 Jul},
  publisher = {PMLR},
  pdf       = {https://raw.githubusercontent.com/mlresearch/v235/main/assets/cullen24a/cullen24a.pdf},
  url       = {https://proceedings.mlr.press/v235/cullen24a.html},
  abstract  = {In guaranteeing the absence of adversarial examples in an instance's neighbourhood, certification mechanisms play an important role in demonstrating neural net robustness. In this paper, we ask if these certifications can compromise the very models they help to protect? Our new Certification Aware Attack exploits certifications to produce computationally efficient norm-minimising adversarial examples $74$% more often than comparable attacks, while reducing the median perturbation norm by more than $10$%. While these attacks can be used to assess the tightness of certification bounds, they also highlight that releasing certifications can paradoxically reduce security.}
}
Endnote
%0 Conference Paper
%T Et Tu Certifications: Robustness Certificates Yield Better Adversarial Examples
%A Andrew Craig Cullen
%A Shijie Liu
%A Paul Montague
%A Sarah Monazam Erfani
%A Benjamin I. P. Rubinstein
%B Proceedings of the 41st International Conference on Machine Learning
%C Proceedings of Machine Learning Research
%D 2024
%E Ruslan Salakhutdinov
%E Zico Kolter
%E Katherine Heller
%E Adrian Weller
%E Nuria Oliver
%E Jonathan Scarlett
%E Felix Berkenkamp
%F pmlr-v235-cullen24a
%I PMLR
%P 9745--9761
%U https://proceedings.mlr.press/v235/cullen24a.html
%V 235
%X In guaranteeing the absence of adversarial examples in an instance's neighbourhood, certification mechanisms play an important role in demonstrating neural net robustness. In this paper, we ask if these certifications can compromise the very models they help to protect? Our new Certification Aware Attack exploits certifications to produce computationally efficient norm-minimising adversarial examples 74% more often than comparable attacks, while reducing the median perturbation norm by more than 10%. While these attacks can be used to assess the tightness of certification bounds, they also highlight that releasing certifications can paradoxically reduce security.
APA
Cullen, A.C., Liu, S., Montague, P., Erfani, S.M. & Rubinstein, B.I.P. (2024). Et Tu Certifications: Robustness Certificates Yield Better Adversarial Examples. Proceedings of the 41st International Conference on Machine Learning, in Proceedings of Machine Learning Research 235:9745-9761. Available from https://proceedings.mlr.press/v235/cullen24a.html.