BREAKING CERTIFIED DEFENSES: SEMANTIC ADVERSARIAL EXAMPLES WITH SPOOFED ROBUSTNESS CERTIFICATESDownload PDF

Amin Ghiasi, Ali Shafahi, Tom Goldstein

Published: 20 Dec 2019, Last Modified: 23 Mar 2025ICLR 2020 Conference Blind SubmissionReaders: Everyone
Abstract: Defenses against adversarial attacks can be classified into certified and non-certified. Certifiable defenses make networks robust within a certain $\ell_p$-bounded radius, so that it is impossible for the adversary to make adversarial examples in the certificate bound. We present an attack that maintains the imperceptibility property of adversarial examples while being outside of the certified radius. Furthermore, the proposed "Shadow Attack" can fool certifiably robust networks by producing an imperceptible adversarial example that gets misclassified and produces a strong ``spoofed'' certificate.
Code: [![github](/images/github_icon.svg) AminJun/BreakingCertifiableDefenses](https://github.com/AminJun/BreakingCertifiableDefenses)
Data: [ImageNet](https://paperswithcode.com/dataset/imagenet)
Community Implementations: [![CatalyzeX](/images/catalyzex_icon.svg) 2 code implementations](https://www.catalyzex.com/paper/breaking-certified-defenses-semantic/code)
Original Pdf: pdf
7 Replies

OpenReview is a long-term project to advance science through improved peer review with legal nonprofit status. We gratefully acknowledge the support of the OpenReview Sponsors. © 2025 OpenReview