Analyses of defenses #6

Open
anishathalye opened this issue Jul 22, 2018 · 1 comment
Comments

@anishathalye
ML security, or any security field in general, is going to have cases where papers make a certain claim, and later, that claim ends up being invalidated. For example, we once thought MD4 was a secure hash function, but now it's known to be broken. This is a natural thing to happen in a security field: future analysis showing that a certain scheme is not secure.

For this reason, it might be a good idea for a resource that lists defenses against adversarial examples to also keep up-to-date with future analyses of those defenses, so that readers looking at this list do not mistakenly believe that a broken scheme is secure.

The list currently has a number of defenses that are known to have true robustness significantly below what is claimed in the paper (in most cases, the true accuracy is 0%). This includes:

Do you think the list could be organized so that it's clear to readers that while defense papers are interesting, for certain papers, later analyses have shown that the schemes can be circumvented? (robust-ml.org is one example of such an organization)

@yenchenlin
Owner

yenchenlin commented Jul 22, 2018

Good idea! I will start to add up-to-date future analyses to the list two weeks later (after I finish my mandatory military service).

Also, as the number of papers related to adversarial examples has exploded over the past two years, I am thinking about writing an annotated bibliography (also serving as a suggested reading list) here for people new to the field to track the status.

Feel free to share your thoughts here! Will keep this issue open until the up-to-date analyses are added.
