No edit summary |
Line 765: | Line 765: | ||
It depends on the data distribution, threat model, and hypothesis class. | It depends on the data distribution, threat model, and hypothesis class. | ||
=== | ===Provable Defenses=== | ||
There are 3 types of Lp defenses: | |||
* Curvature-based defenses | |||
* IBP and Convex defenses | |||
* Randomzied smoothing | |||
=== | For Non-Lp | ||
* Patch Threat | |||
* Sparse Threat | |||
* Wasserstein Threat | |||
===Randomized Smoothing=== | |||
A smoothed classifier: <math>\bar{f}(x) = E_{\epsilon}[f(x+\epsilon)]</math>. | |||
The idea is that the decision boundary becomes smoother. | |||
Gaussian Smoothing for L2 attacks: | |||
;Theorem (Cohen et al., 2019) | |||
No adversarial example exists within the radius: | |||
<math>\frac{\sigma}{2}\left(\Phi^{-1}(p_1(x))-\Phi^{-1}(p_2(x))\right)</math> | |||
==Misc== | ==Misc== |
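Review bot: The theorem added under "Randomized Smoothing" gives the radius in terms of σ, Φ, p_1(x) and p_2(x), but none of these is defined in the added lines, and the distribution of ε in the smoothed classifier definition is not stated either. Suggest adding that ε is Gaussian noise with standard deviation σ, that Φ^{-1} is the inverse of the standard normal CDF, and that p_1(x) and p_2(x) are the probabilities of the most likely and second most likely classes of f(x+ε), so the bound can be read without opening Cohen et al., 2019. Two smaller points: "Randomzied smoothing" in the list of Lp defenses should read "Randomized smoothing", and "For Non-Lp" replaces the bare "===" line without heading or list markup, so it would read better as a full sentence such as "For non-Lp threat models:" ahead of its three bullets.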