Transferable adversarial examples raise critical security concerns in real-world, black-box attack scenarios.
The safety properties proved in the resulting surrogate model apply to the original ADS with a probabilistic guarantee.
In this work, we design good practices to address these limitations, and we present the first comprehensive evaluation of transfer attacks, covering 23 representative attacks against 9 defenses on ImageNet.
In this paper, we propose a framework of filter-based ensemble of deep neural networks (DNNs) to defend against adversarial attacks.
It is shown that DeepPAC outperforms the state-of-the-art statistical method PROVERO, and it achieves more practical robustness analysis than the formal verification tool ERAN.
The core idea is to make use of the obtained constraints of the abstraction to infer new bounds for the neurons.