Saved in:
Bibliographic Details
Main Author: Carlini, Nicholas
Format: Preprint
Published: 2024
Subjects:
Online Access:https://arxiv.org/abs/2405.03672
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866911938995290112
author Carlini, Nicholas
author_facet Carlini, Nicholas
contents Sabre is a defense to adversarial examples that was accepted at IEEE S&P 2024. We first reveal significant flaws in the evaluation that point to clear signs of gradient masking. We then show the cause of this gradient masking: a bug in the original evaluation code. By fixing a single line of code in the original repository, we reduce Sabre's robust accuracy to 0%. In response to this, the authors modify the defense and introduce a new defense component not described in the original paper. But this fix contains a second bug; modifying one more line of code reduces robust accuracy to below baseline levels. After we released the first version of our paper online, the authors introduced another change to the defense; by commenting out one line of code during attack we reduce the robust accuracy to 0% again.
format Preprint
id arxiv_https___arxiv_org_abs_2405_03672
institution arXiv
publishDate 2024
record_format arxiv
spellingShingle Cutting through buggy adversarial example defenses: fixing 1 line of code breaks Sabre
Carlini, Nicholas
Cryptography and Security
Machine Learning
Sabre is a defense to adversarial examples that was accepted at IEEE S&P 2024. We first reveal significant flaws in the evaluation that point to clear signs of gradient masking. We then show the cause of this gradient masking: a bug in the original evaluation code. By fixing a single line of code in the original repository, we reduce Sabre's robust accuracy to 0%. In response to this, the authors modify the defense and introduce a new defense component not described in the original paper. But this fix contains a second bug; modifying one more line of code reduces robust accuracy to below baseline levels. After we released the first version of our paper online, the authors introduced another change to the defense; by commenting out one line of code during attack we reduce the robust accuracy to 0% again.
title Cutting through buggy adversarial example defenses: fixing 1 line of code breaks Sabre
topic Cryptography and Security
Machine Learning
url https://arxiv.org/abs/2405.03672