adversarial models
Recently Published Documents

TOTAL DOCUMENTS: 32 (FIVE YEARS 16)

H-INDEX: 6 (FIVE YEARS 2)

Entropy ◽  
2021 ◽  
Vol 23 (10) ◽  
pp. 1359
Author(s):  
Kaleel Mahmood ◽  
Deniz Gurevin ◽  
Marten van Dijk ◽  
Phuong Ha Nguyen

Many defenses have recently been proposed at venues like NIPS, ICML, ICLR and CVPR. These defenses are mainly focused on mitigating white-box attacks. They do not properly examine black-box attacks. In this paper, we expand upon the analyses of these defenses to include adaptive black-box adversaries. Our evaluation is done on nine defenses including Barrage of Random Transforms, ComDefend, Ensemble Diversity, Feature Distillation, The Odds are Odd, Error Correcting Codes, Distribution Classifier Defense, K-Winner Take All and Buffer Zones. Our investigation is done using two black-box adversarial models and six widely studied adversarial attacks for CIFAR-10 and Fashion-MNIST datasets. Our analyses show most recent defenses (7 out of 9) provide only marginal improvements in security (<25%), as compared to undefended networks. For every defense, we also show the relationship between the amount of data the adversary has at their disposal, and the effectiveness of adaptive black-box attacks. Overall, our results paint a clear picture: defenses need both thorough white-box and black-box analyses to be considered secure. We provide this large scale study and analyses to motivate the field to move towards the development of more robust black-box defenses.


2021 ◽  
Vol 12 (1) ◽  
Author(s):  
Tianyu Han ◽  
Sven Nebelung ◽  
Federico Pedersoli ◽  
Markus Zimmermann ◽  
Maximilian Schulze-Hagen ◽  
...  

Abstract Unmasking the decision making process of machine learning models is essential for implementing diagnostic support systems in clinical practice. Here, we demonstrate that adversarially trained models can significantly enhance the usability of pathology detection as compared to their standard counterparts. We let six experienced radiologists rate the interpretability of saliency maps in datasets of X-rays, computed tomography, and magnetic resonance imaging scans. Significant improvements are found for our adversarial models, which are further improved by the application of dual-batch normalization. Contrary to previous research on adversarially trained models, we find that accuracy of such models is equal to standard models, when sufficiently large datasets and dual batch norm training are used. To ensure transferability, we additionally validate our results on an external test set of 22,433 X-rays. These findings elucidate that different paths for adversarial and real images are needed during training to achieve state of the art results with superior clinical interpretability.


2021 ◽  
Vol 3 (1) ◽  
pp. 118-140
Author(s):  
John Hartley ◽  
Indrek Ibrus ◽  
Maarja Ojamaa

Abstract In this article, we advocate for media studies to adopt a systematic evolutionary-complexity model, in order to link the study of human culture and knowledge practices to the biosphere and geosphere, arguing that such global phenomena require a new kind of cultural science. For this purpose, we extend Juri Lotman's model of the semiosphere to the “digital semiosphere”, superseding inherited adversarial models in both mainstream media and media studies. We contrast the mediation of Covid-19 with that of the climate crisis, using Lotman's model to propose that, in the digital semiosphere, the global emergence of girl-led climate activism and far-right Covid-19 conspiracy groups indicates how new social classes are organising around the means of their own mediation. We discuss ways to study and forecast such emergent processes using the means of cultural data analytics and related approaches.


2021 ◽  
Vol 68 ◽  
pp. 118-130
Author(s):  
Changde Du ◽  
Changying Du ◽  
Huiguang He

Author(s):  
Thorben Moos

Cryptographic primitives with low-latency performance have gained momentum lately due to an increased demand for real-time applications. Block ciphers such as PRINCE enable data encryption (resp. decryption) within a single clock cycle at a moderately high operating frequency when implemented in a fully-unrolled fashion. Unsurprisingly, many typical environments for unrolled ciphers require protection against physical adversaries as well. Yet, recent works suggest that most common SCA countermeasures are hard to apply to low-latency circuits. Hardware masking, for example, requires register stages to offer resistance, thus adding delay and defeating the purpose of unrolling. On another note, it has been indicated that unrolled primitives without any additional means of protection offer an intrinsic resistance to SCA attacks due to their parallelism, asynchronicity and speed of execution. In this work, we take a closer look at the physical security properties provided by unrolled cryptographic IC implementations. We are able to confirm that the nature of unrolling indeed bears the potential to decrease the susceptibility of cipher implementations significantly when reset methods are applied. With respect to certain adversarial models, e.g., ciphertext-only access, an amazingly high level of protection can be achieved. While this seems to be a great result for cryptographic hardware engineers, there is an attack vector hidden in plain sight which still threatens the security of unrolled implementations remarkably – namely the static power consumption of CMOS-based circuits. We point out that essentially all reasons which make it hard to extract meaningful information from the dynamic behavior of unrolled primitives are not an issue when exploiting the static currents for key recovery. Our evaluation is based on real-silicon measurements of an unrolled PRINCE core in a custom 40nm ASIC. The presented results serve as a neat educational case study to demonstrate the broad differences between dynamic and static power information leakage in the light of technological advancement.


Author(s):  
Xuemiao Zhang ◽  
Zhouxing Tan ◽  
Xiaoning Zhang ◽  
Yang Cao ◽  
Rui Yan

Naive neural dialogue generation models tend to produce repetitive and dull utterances. The promising adversarial models train the generator against a well-designed discriminator to push it to improve towards the expected direction. However, assessing dialogues requires consideration of many aspects of linguistics, which are difficult to be fully covered by a single discriminator. To address it, we reframe the dialogue generation task as a multi-objective optimization problem and propose a novel adversarial dialogue generation framework with multiple discriminators that excel in different objectives for multiple linguistic aspects, called AMPGAN, whose feasibility is proved by theoretical derivations. Moreover, we design an adaptively adjusted sampling distribution to balance the discriminators and promote the overall improvement of the generator by continuing to focus on these objectives that the generator is not performing well relatively. Experimental results on two real-world datasets show a significant improvement over the baselines.


2020 ◽  
Vol 89 ◽  
pp. 103995 ◽  
Author(s):  
Alex Koch ◽  
Roland Imhoff ◽  
Christian Unkelbach ◽  
Gandalf Nicolas ◽  
Susan Fiske ◽  
...  

Materials ◽  
2020 ◽  
Vol 13 (5) ◽  
pp. 1175
Author(s):  
Adam Ciszkiewicz

Recent studies in biomechanical modeling suggest a paradigm shift, in which the parameters of biomechanical models would no longer be treated as fixed values but as random variables with, often unknown, distributions. In turn, novel and efficient numerical methods will be required to handle such complicated modeling problems. The main aim of this study was to introduce and verify a genetic algorithm for analyzing uncertainty in biomechanical modeling. The idea of the method was to encode two adversarial models within one decision variable vector. These structures would then be concurrently optimized with the objective being the maximization of the difference between their outputs. The approach, albeit numerically expensive, offered a general formulation of the uncertainty analysis, which did not constrain the search space. The second aim of the study was to apply the proposed procedure to analyze the uncertainty of an ankle joint model with 43 parameters and flexible links. The bounds on geometrical and material parameters of the model were set to 0.50 mm and 5.00% respectively. The results obtained from the analysis were unexpected. The two obtained adversarial structures were almost visually indistinguishable and differed by up to 38.52% in their angular displacements.

