Adversarial Attacks and Defences Competition
Alexey Kurakin, Ian Goodfellow, Samy Bengio, Yinpeng Dong, Fangzhou Liao, Ming Liang, Tianyu Pang, Jun Zhu, Xiaolin Hu, Cihang Xie, Jianyu Wang, Zhishuai Zhang, Zhou Ren, Alan Yuille, Sangxia Huang, Yao Zhao, Yuzhe Zhao, Zhonglin Han, Junjiajia Long, Yerkebulan Berdibekov, Takuya Akiba, Seiya Tokui, Motoki Abe
TL;DR
The paper documents the NIPS 2017 Adversarial Attacks and Defences Competition, outlining the problem of adversarial examples, the competition’s structure and evaluation framework, and the top submissions. It surveys attack and defense techniques, including momentum-based and ensemble attacks, randomization and denoising defenses, and loss-ensemble strategies, illustrating how teams push the state of the art. Key contributions include TsAIL’s high-level representation guided denoiser, a momentum iterative attack achieving strong transferability, and randomization-based defenses that improve robustness against white-box and black-box attacks. The findings indicate strong average-case robustness for certain defenses, but worst-case scenarios reveal persistent vulnerability, underscoring the need for continued research and for robust evaluation practices that use diverse attack strategies.
Abstract
To accelerate research on adversarial examples and robustness of machine learning classifiers, Google Brain organized a NIPS 2017 competition that encouraged researchers to develop new methods to generate adversarial examples as well as to develop new ways to defend against them. In this chapter, we describe the structure and organization of the competition and the solutions developed by several of the top-placing teams.
