One of the key limitations of deep learning is its inability to generalize to new domains. This talk focuses on adversarial examples: inputs constructed by an adversary to mislead a machine learning model. Adversarial examples can, for example, cause a self-driving car to misrecognize street signs or misidentify pedestrians.
This talk first introduces how adversarial examples are generated and why they are so easy to find. We then consider recent attempts at increasing the robustness of neural networks.
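As a concrete illustration of how such examples can be generated, the sketch below implements a single-step signed-gradient attack (in the spirit of the fast gradient sign method) against a toy logistic classifier. All weights, inputs, and the perturbation budget `eps` are illustrative assumptions, not values from the talk.

```python
import numpy as np

def sigmoid(z):
    return 1.0 / (1.0 + np.exp(-z))

def fgsm(x, w, b, y, eps):
    """One signed-gradient step that increases the cross-entropy
    loss of a logistic model w.x + b at input x with label y."""
    p = sigmoid(w @ x + b)          # model's predicted probability
    grad = (p - y) * w              # gradient of the loss w.r.t. x
    return x + eps * np.sign(grad)  # move each feature by +/- eps

# Toy model and input (assumed for illustration).
w = np.array([2.0, -3.0, 1.0])
b = 0.0
x = np.array([0.5, 0.2, -0.1])      # clean input, true label y = 1
y = 1.0

x_adv = fgsm(x, w, b, y, eps=0.3)

clean_p = sigmoid(w @ x + b)        # > 0.5: correctly classified
adv_p = sigmoid(w @ x_adv + b)      # < 0.5: flipped by the attack
print(clean_p, adv_p)
```

Note that the perturbation changes each feature by at most 0.3, yet it is enough to flip the prediction; against deep networks the same one-step gradient recipe succeeds with perturbations small enough to be imperceptible.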
Across recent papers, we have studied several dozen defences proposed at top machine-learning and security conferences and found that almost all can be evaded, offering nearly no improvement over the undefended baselines.
Worryingly, our most recent breaks require no new attack ideas and merely reuse earlier attack approaches.
General robustness remains a challenge for deep learning, and one that will require extensive work to solve.