Random Spiking and Systematic Evaluation of Defenses Against
Adversarial Examples
Huangyi Ge Sze Yiu Chau
[email protected] [email protected]
Purdue University Purdue University
ABSTRACT
Image classifiers often suffer from adversarial examples, which
are generated by strategically adding a small amount of noise to
arXiv:1812.01804v4 [cs.LG] 20 Jan 2020
input images to trick classifiers into misclassification. Over the
years, many defense mechanisms have been proposed, and differ-
ent researchers have made seemingly contradictory claims on their
effectiveness. We present an analysis of possible adversarial mod-
els, and propose an evaluation framework for comparing different
defense mechanisms. As part of the framework, we introduce a
more powerful and realistic adversary strategy. Furthermore, we
propose a new defense mechanism called Random Spiking (RS),
which generalizes dropout and introduces random noises in the
training process in a controlled manner. Evaluations under our
proposed framework suggest RS delivers better protection against
adversarial examples than many existing schemes.
CCS CONCEPTS
• Computing methodologies → Neural networks; Super-
vised learning by classification; • Security and privacy →
Domain-specific security and privacy architectures.
KEYWORDS
random spiking, adversarial example, neural network
ACM Reference Format:
Huangyi Ge, Sze Yiu Chau, Bruno Ribeiro, and Ninghui Li. 2020. Random
Spiking and Systematic Evaluation of Defenses Against Adversarial Exam-
ples. In Proceedings of the Tenth ACM Conference on Data and Application Se-
curity and Privacy (CODASPY ’20), March 16–18, 2020, New Orleans, LA, USA.
ACM, New York, NY, USA, 12 pages. https://doi.org/10.1145/3374664.3375736
1 INTRODUCTION
Modern society increasingly relies on software systems trained by
machine learning (ML) techniques. Many such techniques, how-
ever, were designed under the implicit assumption that both the
training and test data follow the same static (although possibly un-
known) distribution. In the presence of intelligent and resourceful
adversaries, this assumption no longer holds. Such an adversary
can deliberately manipulate a test instance, and cause the trained
Permission to make digital or hard copies of all or part of this work for personal or
classroom use is granted without fee provided that copies are not made or distributed
for profit or commercial advantage and that copies bear this notice and the full citation
on the first page. Copyrights for components of this work owned by others than ACM
must be honored. Abstracting with credit is permitted. To copy otherwise, or republish,
to post on servers or to redistribute to lists, requires prior specific permission and/or a
fee. Request permissions from
[email protected]
.
CODASPY ’20, March 16–18, 2020, New Orleans, LA, USA
© 2020 Association for Computing Machinery.
ACM ISBN 978-1-4503-7107-0/20/03. . . $15.00
https://doi.org/10.1145/3374664.3375736
Bruno Ribeiro Ninghui Li
[email protected] [email protected]
Purdue University Purdue University
models to behave unexpectedly. For example, it is found that exist-
ing image classifiers based on Deep Neural Networks are highly
vulnerable to adversarial examples [16, 33]. Often times, by modi-
fying an image in a way that is barely noticeable by humans, the
classifier will confidently classify it as something else. This phe-
nomenon also exists for classifiers that do not use neural networks,
and has been called “optical illusions for machines”. Understanding
why adversarial examples work and how to defend against them is
becoming increasingly important, as machine learning techniques
are used ubiquitously, for example, in transformative technologies
such as autonomous cars, unmanned aerial vehicles, and so on.
Many approaches have been proposed to help defend against
adversarial examples. Goodfellow et al. [33] proposed adversarial
training, in which one trains a neural network using both the origi-
nal training dataset and the newly generated adversarial examples.
In region-based classification [6], one aggregates predictions on
multiple perturbed versions of an input instance to make the fi-
nal prediction. Some approaches attempt to train additional neural
network models to identify and reject adversarial examples [24, 41].
We point out that since the adversary can choose instances and
shift the test distribution after a model is trained, adversary ex-
amples exist so long as ML models differ from human perception
on some instances. (These instances can be used as adversarial
examples.) Thus adversarial examples are unlikely to be completely
eliminated. What we can do is to reduce the number of such in-
stances by training ML models that better match human perceptions,
and by making it more difficult for the attacker to find adversarial
examples.
While the research community has seen a proliferation in propos-
als of defense mechanisms, conducting a thorough evaluation and
a fair head-to-head comparison of different mechanisms remains
challenging. In Section 3, we analyze possible adversarial models,
and propose to conduct evaluation in a variety of models, including
both white-box and translucent-box attacks. In translucent-box at-
tacks, the adversary is assumed to know the defense mechanism,
model architecture, and distribution of training data, but not the
precise parameters of the target model. With this knowledge, the ad-
versary can train one or more surrogate models, and to generate
adversarial examples leveraging such surrogate models.
While other research efforts have attempted to generate adver-
sarial examples based on surrogate models and then assess transfer-
ability, existing application of this method does not fully exploit the
potential of surrogate models. As a result, one can overestimate the
effectiveness of defenses. We propose two improvements. First, one
can train many surrogate models under the same configuration, and
then generate adversarial examples that can simultaneously fool
multiple surrogate models at the same time. Second, one can reserve
some surrogate models as “validation models”. These validation

models are not used when generating adversarial examples; how-
ever, generated adversarial examples are first run against them, and
only those examples that are able to fool a certain percentage of the
validation models are used in evaluation against the target model.
This models a more determined and resourceful attacker who is
willing to spend more resources to find more effective adversarial
examples to deploy, a scenario that is certainly realistic. Our experi-
mental results demonstrate that these more sophisticated adversary
strategies lead to significantly higher transferability rates.
Furthermore, in Section 4, we propose a new defense mechanism
called Random Spiking, where random noises are added to one or
more hidden layers during training. Random Spiking generalizes
the idea of dropout [30], where hidden units are randomly dropped
during training. In Random Spiking, the outputs of some randomly
chosen units are replaced by a random noise during training.
In Section 5, we present extensive evaluations of several ex-
isting defense mechanisms and Random Spiking (RS) under both
white-box and translucent-box attacks, and empirically show that
RS, especially when combined with adversarial training, improve
the resiliency against adversarial examples.
In summary, we make three contributions. (1) The proposed
evaluation methodology, especially the more powerful and realistic
adversary strategy of attacking multiple surrogates in parallel and
using validation models to filter. (2) The idea of Random Spiking,
which is demonstrated to offer additional resistance to adversarial
examples. (3) We provide a thorough evaluation of several defense
mechanisms against adversarial examples, improving our under-
standing of them.
2 BACKGROUND
We consider neural networks that are used as m-class classifiers,
where the output of a network is computed using the softmax func-
tion. Given such a neural network used for classification, let z(x)
denote the vector output of the final layer before the softmax acti-
vation, and C(x) denote the classifier defined by the neural network.
Then,  . Í  value, and then dynamically adjusted based on the progress made
C(x) = arg max exp(z(x)i ) n exp(z(x) )
.
j=1 j by the iterative optimization process.
i  Í
Oftentimes, exp(z(x)i ) n exp(z(x)
is interpreted as the prob-
j=1 j
ability that the input x belongs to the i-th category, and the classifier
chooses the class with the highest probability. Under this interpre-
tation, the output z(x) is related to log of odds ratios, and is thus
called the logits output.
2.1 Adversarial Examples
Given a dataset D of instances, each of the form (x, y), where x
gives the features of the instance, and y the label, and a classifier
C(·) trained using a subset of D, we say that an instance x ′ is
an adversarial example if and only if there exists an instance
(x, y) ∈ D such that x ′ is close to x, C(x) = y, and C(x ′ ) , y.
Note that in the above we did not define what “x ′ is close to x”
means. Intuitively, when x represents an image, by closeness we
mean human perceptual similarity. However, we are unaware of
any mathematical distance metric that accurately measures human
perceptual similarity. In the literature Lp norms are often used as
the distance metric for closeness. Lp is defined as
Í  1/p
Lp (x, x ′ ) = ∥x − x ′ ∥p = n |x − x ′ |p .
i=1 i i
The commonly used Lp metrics include: L 0 , the number of changed
pixels [26]; L 1 , the sum of absolute values of the changes in all pixels
[13]; L 2 , the Euclidean norm [9, 11, 25, 33]; and L ∞ , the maximum
absolute change [16]. In this paper, we use L 2 , which reflects both
the number of changed pixels and the magnitude of their change.
We call L 2 (x, x ′ ) the distortion of the adversarial example x ′ .
When generating an adversarial example against a classifier C(·),
one typically starts from an existing instance (x, y) and generates
x ′ . In an untargeted attack, one generates x ′ such that C(x ′ ) , y.
In a targeted attack, one has a desired target label t , y and
generates x ′ such that C(x ′ ) = t.
Goodfellow et al. [16] proposed the fast gradient sign (FGS)
attack, which generates adversarial examples based on the gradient
sign of the loss value according to the input image. A more effective
attack is proposed by Carlini and Wagner [9], which we call the
C&W attack. Given a neural network with logits output z, an input
x, and a target class label t, the C&W attack tries to solve the
following optimization problem:
arg min ∥x − x ′ ∥p + c · l(x ′ )


(1)
x′
where the loss function l is defined as
l(x ′ ) = max max z(x ′ )i : i , t − z(x ′ )t , −K .


Here, K is called the confidence value, and is a positive number
that one can choose. Intuitively, we desire z(x ′ )t to be higher than
any z(x ′ )i where i , t so that the neural network predicts label
t on input x ′ . Furthermore, we prefer the gap in the logit of the
class t and the highest of any class other than t to be as large as
possible (until the gap is K, at which point we consider the gap to
be sufficiently large). In general, choosing a large value K would
result in adversarial examples that have a higher distortion, but
will be classified to the desired label with higher confidence. The
parameter c > 0 in Eq. (1) is a regularization constant to adjust the
relative importance of minimizing the distortion versus minimizing
the loss function l. In the attack, c is initially set to a small initial
The C&W attack uses the Adam algorithm [19] to solve the
optimization problem in Eq. (1). Adam performs iterative gradient-
based optimization, based on adaptive estimates of lower-order
moments. Compared to other attacks, such as FGS, the C&W attack
is more time-consuming. However, it is able to find more effective
adversarial examples.
2.2 Existing Defenses
Many approaches have been proposed to help defend against ad-
versarial examples. Here we give an overview of some of them.
Adversarial Training. Goodfellow et al. [16] proposed to train a
neural network using both the training dataset and newly generated
adversarial examples. In [16], it is shown that models that have
gone through adversarial training provide some resistance against
adversarial examples generated by the FGS method.
Defensive Distillation. Distillation training was originally pro-
posed by Hinton et al. [18] for the purpose of distilling knowledge
out of a large model (one with many parameters) to train a more
compact model (one with fewer parameters). Given a model whose
knowledge one wants to distill, one applies the model to each in-
stance in the training dataset and generates a probability vector,
which is used as the new label for the instance. This is called the
soft label, because, instead of a single class, the label includes proba-
bilities for different classes. A new model is trained using instances
with soft labels. The intuition is that the probabilities, even those
that are not the largest in a vector, encode valuable knowledge.
To make this knowledge more pronounced, the probability vector
is generated after dividing the logits output with a temperature
constant T > 1. This has the effect of making the smaller probabili-
ties larger and more pronounced. The new model is trained with
the same temperature. However, when deploying the model for
prediction, temperature is set to 1.
Defensive Distillation [27] is motivated by the original distillation
training proposed by Hinton et al. [18]. The main difference between
the two training methods is that defensive distillation uses the same
network architecture for both initial network and distilled network.
This is because the goal of using Distillation here is not to train a
model that has a smaller size, but to train a more robust model.
Dropout. Dropout [30] was introduced to improve generalization
accuracy through the introduction of randomness in training. The
term “dropout” refers to dropping out units, i.e., temporarily remov-
ing the units along with all its incoming and outgoing connections.
In the simplest case, during each training epoch, each unit is re-
tained with a fixed probability p independent of other units, where
p can be chosen using a validation set or can simply be set to 0.5,
which was suggested by the authors of [30].
There are several intuitions why Dropout is effective in reduc-
ing generalization errors. One is that after applying Dropout, the
model is always trained with a subset of the units in the neural
network. This prevents units from co-adapting too much. That is,
a unit cannot depend on the existence of another unit, and needs
to learn to do something useful on its own. Another intuition is
that training with Dropout approximates simultaneous training
of an exponential number of “thinned” networks. In the original
proposal, dropout is applied in training, but not in testing. During
testing, without applying Dropout, the prediction approximates an
averaging output of all these thinned networks. In Monte Carlo
dropout [14], dropout is also applied in testing. The NN is run multi-
ple times, and the resulting prediction probabilities are averaged for
making prediction. This more directly approximates the behavior
of using the NN as an ensemble of models.
Since Dropout introduces randomness in the training process,
two models that are trained with Dropout are likely to be less
similar than two models that are trained without using Dropout.
Defensive Dropout [37] explicitly uses dropout for defense against
adversarial examples. It applies dropout in testing, but runs the
network just once. In addition, it tunes the dropout rate used in
testing by iteratively generating adversarial examples and choosing
a drop rate to both maximize the testing accuracy and minimize
the attack success rate.
Region-based Classification. Cao and Gong [6] proposed region-
based classification to defend against adversarial examples. Given
an input, region-based classification first generates m perturbed
inputs by adding bounded random noises to the original input,
then computes a prediction for each perturbed input, and finally
use voting to make the final prediction. This method slows down
prediction by a factor of m. In [6], m = 10, 000 was used for MNIST
and m = 1, 000 was used for CIFAR. Evaluation in [6] shows that this
can withstand adversarial examples generated by the C&W attack
under low confidence value K. However, if one slightly increases
the confidence value K when generating the adversarial examples,
this defense is no longer effective.
MagNet. Meng and Chen [24] proposed an approach that is called
MagNet. MagNet combines two ideas to defend against adversarial
examples. First, one trains detectors that attempt to detect and
reject adversarial examples. Each detector uses an autoencoder,
which is trained to minimize the L 2 distance between input image
and output. A threshold is then selected using validation dataset.
The detector rejects any image such that the L 2 distance between
it and the encoded image is above the threshold. Multiple detectors
can be used. Second, for each image that passes the detectors, a
reformer (another autoencoder) is applied to the image, and the
output (reformed image) is sent to the classifier for classification.
The evaluation of MagNet in [24] considers only adversarial
examples generated without knowledge of the MagNet defence.
Since one can combine all involved neural networks into a single
one, one can still apply the C&W attack on the composite network.
In [11], an effective attack is carried out against MagNet by adding
to the optimization objective a term describing the goal of evading
the detectors.
3 EVALUATION METHODOLOGY
We discuss several important factors for evaluation, and introduce
the translucent-box model to supplement white-box evaluation.
3.1 Adversary Knowledge
Adversary model plays an important role in any security evalua-
tions. One important part of the adversary model is the assumption
on adversary’s knowledge.
Knowledge of Model (white-box). The adversary has full knowl-
edge of the target model to be attacked, including the model ar-
chitecture, defense mechanism, and all the parameters, including
those used in the defense mechanisms. We call such an attack a
white-box attack.
Complete Knowledge of Process (translucent-box). The ad-
versary does not know the exact parameters of the target model, but
knows the training process, including model architecture, defense
mechanism, training algorithm, and distribution of the training
dataset. With this knowledge, the adversary can use the same train-
ing process that is used to generate the target model to train one
or more surrogate models. Depending on the degree of random-
ness involved in the training process, the surrogate models may be
similar or quite different from the target model, and adversarial ex-
amples generated by attacking the surrogate model(s) may or may
not work very well. The property of whether an adversarial exam-
ple generated by attacking one or more surrogate models can also
work against another target model is known as transferability.
We call such an attack a translucent-box attack.
Technically, it is possible for a white-box adversary to know less
than a translucent-box adversary in some aspects. For example, a
white-box adversary may not know the distribution of the training
data. However, for the purpose of generating adversarial examples,
knowing all details of the target model (white-box) is strictly more
powerful than knowing the training process (translucent-box).
Oracle access only (black-box). Some researchers have consid-
ered adversary models where an adversary uses only oracle accesses
to the target model. That is, the adversary may be able to query
the target model with instances and receive the output. This is also
called “decision-based adversarial attack” [5, 12]. We call such an
attack a black-box attack.
Some researchers also use black-box attack to refer to
what we call translucent-box attacks. We choose to distinguish
translucent-box attacks from black-box attacks for two reasons.
First, an adversary will have some knowledge about the target
model under attack, e.g., the neural network architecture and the
training algorithm. Thus the box is not really “black”. Second, the
two kinds of attacks are very different. One relies on training sur-
rogate models, and the other relies on issuing a large number of
oracle queries.
Other researchers use “black-box attack” to refer to the situation
that the adversary carries out the attack without specifically target-
ing the defense mechanism. We argue that such an evaluation has
limited values in understanding the security benefits of a defense
mechanism, as it is a clear deviation from the Kerckhoffs’s principle.
Our Choice of Adversary Model. We argue that defense
mechanisms should be evaluated under both white-box and
translucent-box attacks. While developing attacks that can gen-
erate adversarial examples using only oracle access is interesting,
for a defense mechanism to be effective, one must assume that
the adversary cannot break it even if it has the knowledge of the
defense mechanism.
Evaluation under white-box attack can be carried out by mea-
suring the level of distortion needed to attack a model. Effective
defense against white-box attacks is the ultimate objective. Un-
til defense in the white-box model is achieved, effective defense
against translucent-box attacks is valuable and help the research
community make progress. Translucent-box is a realistic assump-
tion especially in an academic setting, as published papers generally
include descriptions of the architecture, training process, defense
mechanisms and the exact dataset used in their experiments. Ro-
bustness and security evaluations under this assumption is also
consistent with the Kerckhoffs’s principle.
We also note that there are two possible flavors of attacks. Fo-
cusing on image classifiers, the goal of an untargeted attack is to
generate adversarial examples such that the classifier would give
any output labels different from what human perception would
classify. A targeted attack would additionally require the working
adversarial examples to induce the classifier into giving specific
output labels of the attacker’s choosing. In this paper, we consider
only targeted attacks when evaluating defense mechanisms, as it
models an adversary with a more specific objective.
3.2 Adversary Strategy
Even after the assumption about the adversary’s knowledge is made,
there are still possibilities regarding what strategy the adversary
takes. For example, when evaluating a defense mechanism under
the translucent-box assumption, a standard method is to train m
models, and, for each model, generate n adversarial examples. Then
for each of the m model, treat it as the target model, and feed the
(m − 1)n adversarial examples generated on other models to it, and
report the percentage of success among the m(m − 1)n trials.
Such an evaluation method is assessing the success probability
of the following naive adversary strategy: The adversary trains
one surrogate model, generates an adversarial example that works
against the surrogate model, and then deploy that adversarial exam-
ple. We call this a one-surrogate attack. A real adversary, however,
can use a more effective strategy. It can try to generate adversar-
ial examples that can fool multiple surrogate models at the same
time. After generating them, it can first test whether the adver-
sarial examples can fool surrogate models that are not used in the
generation. We call this a multi-surrogate attack.
For any defense mechanism that is more effective against ad-
versarial examples under the translucent-box attack than under
the white-box model, the additional effectiveness must be due to
the randomness in the training process. When that is the case, the
above adversary strategy would have much higher success rate than
the naive adversary strategy. Evaluation should be done against
this adversary strategy.
We thus propose the following procedure for evaluating a de-
fense mechanism in the translucent-box setting. One first trains
t +v surrogate models. Then a set of t models are randomly selected,
and adversarial examples are generated that can simultaneously
attack all t of them; that is, the optimization objective of the attack
includes all t models. For the remaining v models, we use leave-
one-out validation. That is, for each model, we use v − 1 model as
validation models, and select only adversarial examples that can fool
a certain fraction of the validation models. Only for the examples
that pass this validation stage, do we record whether it success-
fully transfer to the target model or not. We call such an attack a
multi-surrogate with validation attack. The percentage of the
successful transfer is used for evaluation. In our experiments, we
use t = v = 8, and an example is selected when it can successfully
attack at least 5 out of 7 validation models.
3.3 Parameters and Data Interpretation
Training a defense mechanism often requires multiple parameters
as inputs. For example, a defense mechanism may be tuned to be
more vigilant against adversarial examples, at the cost of reduced
classification accuracy. When comparing defense mechanisms, one
should choose parameters in a way that the classification accuracy
on test dataset is similar.
At the same time, when using the C&W attack to generate ad-
versarial examples, an important parameter is the confidence value
K. A defense mechanism may be able to resist adversarial examples
generated under a low K value, but may prove much less effective
against those generated under a higher value K (see, e.g., [6]). Using
the same K value for different defenses, however, may not be suffi-
cient for providing a level playing field for comparison. The K value
represents an input to the algorithm, and what really matters is the
quality of the adversarial examples. We propose to run the C&W
attack against a defense mechanism under multiple K values, and
group the resulting adversarial examples based on their distortion.
We can then compare how well a defense mechanism performs
against adversarial examples with similar amount of distortion.
That is, we group adversarial examples based on the L 2 distance
and compute the average transferability for each group.
4 PROPOSED DEFENSE
From a statistical point of view, the problem with adversarial exam-
ples is that of classification under covariate shifts [29]. A covariate
shift happens when the training and test observations follow differ-
ent distributions. In the case of adversarial examples, this is clearly
the case, as new adversarial examples are generated and added to
the test distribution. If the test distribution with adversarial ex-
amples can be known, a simple and optimal way for dealing with
covariate shifts is training the model with samples from the test dis-
tribution, rather than using the original training data [17, 29, 31, 32],
assuming that we have access to enough such examples. Training
with adversarial examples can be viewed as a robust optimization
procedure [23] approximating this approach.
Unfortunately, training with adversarial examples does not fully
solve the defense problem. Adversaries can adapt the test distri-
bution (a new covariate shift) to make the new classifier perform
poorly again on test data. That is, given a model trained with ad-
versarial examples, the adversary can find additional adversarial
examples and use them. In this minimax game, where the adversary
is looking for a covariate shift and the defender is training with
the latest covariate shift, the odds are stacked against the defender,
who is always one step behind the attacker [34, 43].
Fundamentally, to win this game, the defender needs to mimic
human perception. That is, as long as there are instances (real or
fabricated) where humans and ML models classify differently, these
can be over represented in the test data by the adversary’s covariate
shift. Models that either underfit or overfit both make mistakes
by definition, and these mistakes can be used in the adversary’s
covariate shift. Only a model with no training or generalization
errors under all covariate shifts is not vulnerable to attacks.
4.1 Motivation of Our Approach
While it is impossible to completely eliminate classification errors,
several things can be done to help defend against adversarial exam-
ples by making them harder to find.
One approach is to reduce the number of instances that the ML
models disagree with human perception. Training with adversarial
examples help in this regard. Using more robust model architecture
and training procedure can also help. When giving an image to
train the model, intuitively we want to say that “all instances that
look similar to this instance from a human’s perspective should also
have the same label”. Unfortunately, finding which images humans
will consider to be “similar to this instace” and thus should be of
the same class is not a well-defined procedure. Today, the best we
can hope for is that for some mathematical distance measure (such
as L 2 distance) and with a smaller enough threshold, humans will
consider the images to be similar. If we substitute “look similar to
... from a human’s perspective” with “within a certain L 2 distance”,
this is a precise statement. This suggests that one training instance
should be interpreted as a set of instances (e.g., those within a
certain L 2 distance of the given one) all have the same given label.
Our proposed defense is to some extent motivated by this intuition.
Another way is to make it more difficult for adversaries to dis-
cover adversarial examples, even if they exist. One approach is
to use an ensemble model, wherein multiple models are trained
and applied to an instance and the results are aggregated in some
fashion. For an adversarial example to work, it must be able to fool
a majority of the models in the ensemble.
If we consider defense in the translucent box adversary model,
another approach is to increase the degree of randomness in the
training process, so that adversarial examples generated on the
surrogate models do not transfer well.
Our proposed new defense against adversarial examples are moti-
vated by these ideas, which are recapped below. First, each training
instance should be viewed as representatives of instances within
a certain L 2 distance. Second, we want to increase the degree of
randomness in the training process. Third, we want to approximate
the usage of an ensemble of models for decision.
4.2 Random Spiking
As discussed in Section 2.2, dropout has been proposed as a way to
defend against adversarial examples. Dropout can be interpreted
as a way of regularizing a neural network by adding noise to its
hidden units. The idea of adding noise to the states of units has
also been used in the context of Denoising Autoencoders (DAEs)
by Vincent et al. [35, 36], where noise is added to the input units
of an autoencoder and the network is trained to reconstruct the
noise-free input. Dropout changes the behavior of the hidden units.
Furthermore, instead of adding random noises, in Dropout, values
are set to zero.
Our proposed approach generalizes both Dropout and Denoising
Autoencoders. Instead of training with removed units or injecting
random noises into the input units, we inject random activations
into some hidden units near the input level. We call this method
Random Spiking. Similar to dropout, there are two approaches at
inference time. The first is to use random spiking only in training,
and does not use it at inference time. The second is to use a Monte
Carlo decision procedure. That is, at decision time, one runs the
NN multiple times with random spiking, and aggregate the result
into one decision.
The motivations for random spiking are many-fold. First, we are
simulating the interpretation that each training instance should be
treated as a set of instances, each with some small changes. Injecting
random perturbations at a level near the input simulates the effect of
training with a set of instances. Second, adversarial examples make
only small perturbations on benign images that do not significantly
affect human perception. These perturbations inject noises that
will be amplified through multiple layers and change the prediction
of the networks. Random Spiking trains the network to be more
robust to such noises. Third, if one needs to increase the degree of
randomness in the training process beyond Dropout, using random
noises instead of setting activations to zero is a natural approach.
Fourth, when we use the Monte Carlo decision procedure, we are
approximating the behavior of a model ensemble.
More specifically, random spiking adds a filtering layer in be-
tween two layers of nodes in a DNN. The effect of the filtering
layer may change the output values of units in the earlier layer,
affecting the values going into the later layer. With probability p, a
unit’s value is kept unchanged. With probability 1 −p, a unit’s value
is set to a randomly sampled noise. If a unit has its output value
thus randomly perturbed, in back-propagation we do not propagate
backward through this unit, since any gradient computed is related
to the random noise, and not the actual behavior of this unit. For
layers after the Random Spiking filtering layer, back-propagation
update would occur normally.
We use the Random Spiking filtering layer just once, after the
first convolutional layer (and before any max pooling layer if one is
used). This is justified by the design intuition. We also experimented
with adding the Random Spiking filtering layer later in the NN, and
test accuracy drops. There are two explanations for that. First, since
units chosen to have random noises stop back-propagation, having
them later in the network has more impact on training. Second,
when random noises are injected early in the network, there are
more layers after it, and there is sufficient capacity in the model
to deal with such noises without too much accuracy cost. When
random noises are injected late, fewer layers exist to deal with their
effect, and the network lacks the capacity to do so.
Generating Random Noises. To implement Random Spiking, we
have to decide how to sample the noises that are to be used to
replace the unit outputs. Sampling from a distribution with a fixed
range is problematic because the impact of noise depends on the
distribution of other values in the same layer. If a random pertur-
bation is too small compared to other values in the same layer,
then its randomization effect is too small. If, on the other hand,
the magnitude of the noise is significantly larger than the other
values, it overwhelms the network. In our approach, we compute
the minimum and maximum value among all values in the layers to
be filtered, and sample a value uniformly at random in that range.
Since training NN is often done using mini-batches, the minimum
and maximum values are computed from the whole batch.
Monte Carlo Random Spiking as a Model Ensemble. For test-
ing, we can use the Monte Carlo decision procedure of running the
network multiple times and use the average. This has attractive
theoretical guarantees, at the cost of overhead for decision time,
since the NN needs to be computed multiple times for one instance.
We now show that the Monte Carlo Random Spiking approximates
a model ensemble. Let (x, y) be a training example, where x is an
image and y is the image’s one-hot encoded label. Consider a RS
neural network with softmax output ŷ(x, b, ϵ,W ), neuron weights
W , and spike parameters b and ϵ, where bit vector b i = 1 indicates
that the i-th hidden neuron of the RS layer gives out a noise output
ϵ i ∈ R sampled with density f (ϵ), otherwise b i = 0 and the output
of the RS layer is a copy of its i-th input from the previous layer
(i.e., the original value of the neuron). By construction, b i = 1 with
probability 1 − p independent of other RS neurons. Let L(y, ŷ) be a
convex loss function over ŷ, such as the cross-entropy loss, the neg-
ative log-likelihood, or the square error loss. Then, the following
proposition holds:
Proposition 1. Consider the ensemble RS model
Õ∫
ŷ(x,W ) ≡ ŷ(x, b, ϵ,W )p(b)f (ϵ)dϵ, (2)
∀b ϵ the result, all 9 schemes result in small accuracy drop.
Table 1: Overview of datasets
Training Test Color
Dataset Image size
Instances Instances space
MNIST 28 × 28 60,000 10,000 8-bits Gray-scale
Fashion-MNIST 28 × 28 60,000 10,000 8-bits Gray-scale
CIFAR-10 32 × 32 50,000 10,000 24-bits True-Color
where f is a density function, p(b) is the probability that bit vector b
is sampled, and ŷ is a RS neural network with one spike layer. Then,
by stochastically optimizing the original RS neural network ŷ by
sampling bit vectors and noises, we are performing the minimization
W ⋆ = argmin L(y, ŷ(x,W ))
W
through a variational approximation model using an upper bound of
the loss L(y, ŷ(x,W )). A proof of Prop. 1 is presented in Appendix A.2.
Definition 2 (MC Avg. Inference). At inference time, we use Monte
Carlo sampling to estimate the RS ensemble
Õ∫
ŷ(x,W ) = ŷ(x, b, ϵ,W )p(b)f (ϵ)dϵ,
∀b ϵ
where f is a density function, p(b) is the probability that bit vector
b is sampled.
Adaptive Attack against Random Spiking. Since Random Spik-
ing introduces randomness during training, an adaptive attacker
knowing that Random Spiking has been deployed but is unaware
of the exact parameters of the target model can train multiple sur-
rogate models, and try to generate adversarial examples that can
simultaneously cause all these models to misbehave. That is, the
multi-surrogate with validation is a natural adaptive attack against
Random Spiking, and any other defense mechanisms that rely on
randomness during training. In this attack, one uses probabilities
from all surrogate models to generate the adversarial example. This
is similar to the Expectation over Transformation (EOT) [2] ap-
proach for generating adversarial examples.
5 EXPERIMENTAL EVALUATION
We present experimental results comparing the various defense
mechanisms using our proposed approach.
5.1 Dataset and Model Training
For our experiments, we use the following 3 datasets: MNIST [21],
Fashion-MNIST [38], and CIFAR-10 [20]. Table 1 gives an overview
of their characteristics.
We consider 9 schemes equipped with different defense mecha-
nisms, all of which share the the same network architectures and
training parameters. For MNIST, we follow the architecture given
in the C&W paper [9]. Fashion-MNIST was not studied in the liter-
ature in an adversarial setting, and the model architectures used
for CIFAR-10 in previous papers delivered a fairly low accuracy.
Thus for Fashion-MNIST and CIFAR-10, we use the state-of-the-art
WRN-28-10 instantiation of the wide residual networks [42]. We
are able to achieve state-of-the-art test accuracy using these archi-
tectures. Some of these mechanisms have adjustable parameters,
and we choose values for these parameters so that the resulting
models have a comparable level of accuracy on the testing data. As
 Table 2: Test errors (mean±std). Table 3: Parameters used for generating adversarial exam-
MNIST Fashion-MNIST CIFAR-10 ples. The values for K reported here were chosen so that the
Standard Single pred. 0.77 ± 0.05% 4.94 ± 0.19% 4.38 ± 0.21% generated examples would fit a predetermined L 2 cut-off.
Dropout MC Avg. 0.67 ± 0.07% 4.75 ± 0.09% 4.46 ± 0.25% L2 Working confidence Examples for
Dataset
Distillation MC Avg. 0.78 ± 0.05% 4.81 ± 0.18% 4.33 ± 0.27% cut-off values (K) each K (n)
RS-1 MC Avg. 0.88 ± 0.09% 5.34 ± 0.10% 5.59 ± 0.22%
MNIST 3.0 {0, 5, 10, 15} 3000
RS-1-Dropout MC Avg. 0.71 ± 0.07% 5.32 ± 0.17% 5.81 ± 0.27%
RS-1-Adv MC Avg. 0.98 ± 0.11% 5.49 ± 0.16% 6.20 ± 0.40%
Fashion-MNIST 1.0 {0, 20, 40, 60} 3000
Det. Thrs. 0.001 0.004 0.004 CIFAR-10 1.0 {0, 20, 40, 60, 80, 100} 2000
Magnet
MC Avg. 0.87 ± 0.06% 5.36 ± 0.17% 5.52 ± 0.24%
Dropout-Adv MC Avg. 0.69 ± 0.07% 4.76 ± 0.11% 4.71 ± 0.19% Table 4: C&W targeted Adv Examples L2 (mean±std) when
L 2 noise 0.4 0.02 0.02 attacking a single model.
RC
Voting 0.77 ± 0.11% 5.39 ± 0.23% 5.72 ± 0.46%
MNIST Fashion-MNIST CIFAR-10
Standard 2.12 ± 0.69 0.12 ± 0.08 0.17 ± 0.08
Table 2 gives the test errors, and Tables 6 and 7 in the Appen-
Dropout 1.80 ± 0.52 0.14 ± 0.07 0.17 ± 0.08
dix give details of the model architecture, and training parameters.
Distillation 2.02 ± 0.63 0.13 ± 0.07 0.17 ± 0.07
When a scheme uses either Dropout or Random Spiking, we con-
RS-1 2.06 ± 0.76 0.31 ± 0.16 0.32 ± 0.14
sider 3 possible decision procedures at test time. By “Single pred.”,
RS-1-Dropout 1.79 ± 0.86 0.36 ± 0.21 0.32 ± 0.15
we mean dropout and random spiking are not used at test time.
RS-1-Adv 2.36 ± 0.80 0.56 ± 0.30 0.39 ± 0.18
By “Voting”, we mean running the network with Dropout and/or
Magnet 2.22 ± 0.65 0.28 ± 0.15 0.29 ± 0.21
Random Spiking 10 times, and use majority voting for decision
Dropout-Adv 2.44 ± 0.66 0.33 ± 0.15 0.18 ± 0.07
(with ties decided in favor of the label with smaller index). By “MC
Avg.”, we mean using Definition 2 by running the network with
Dropout and/or Random Spiking 10 times, and averaging the 10 Table 5: C&W Adv Examples L2 (mean±std) with Multi 8 at-
probability vectors. For each scheme, we train 16 models (with tack strategy.
different initial parameter values) on each dataset, and report the MNIST Fashion-MNIST CIFAR-10
mean and standard deviation of their test accuracy. We observe Standard 2.50 ± 0.77 0.22 ± 0.15 0.25 ± 0.10
that using Voting or MC Avg, one can typically achieve a slight Dropout 2.29 ± 0.65 0.25 ± 0.13 0.26 ± 0.10
reduction in test error. Distillation 2.37 ± 0.71 0.24 ± 0.14 0.33 ± 0.13
5.1.1 Adversarial training. Two defense mechanisms require train- RS-1 2.77 ± 0.82 0.54 ± 0.25 0.49 ± 0.18
ing with adversarial examples, which are generated by applying RS-1-Dropout 2.77 ± 0.93 0.61 ± 0.30 0.51 ± 0.18
the C&W L 2 targeted attack on a target model, using randomly RS-1-Adv 3.18 ± 0.88 1.04 ± 0.44 0.64 ± 0.23
sampled training instances and target class labels. Magnet 2.68 ± 0.75 0.54 ± 0.25 0.47 ± 0.24
Dropout-Adv 2.93 ± 0.70 0.57 ± 0.23 0.29 ± 0.10
5.1.2 Upper Bounds on Perturbation. For each dataset, we gener-
ated thousands of adversarial examples with varying confidence
values for each training scheme, and have them sorted according single model, and multi-8 attack, where the adversarial example
to the added amount of perturbation, measured in L 2 . We have ob- aims at attacking 8 similarly trained model at the same time. This
served that from instances that have high amount of perturbation can be considered as a form of ensemble white-box attack [22].
one can visually observe the intention of adversarial example. We Tables 4 and 5 present the average L 2 distances of the gener-
thus chose a cut-off upper bound on L 2 distance. The chosen L 2 ated examples for those generated adversarial examples. RS-1-Adv
cut-off bounds are included in Table 3, and used as upper limits results in models that are more difficult to attack, requires on av-
in many of our later experiments. With the bounds on L 2 fixed, erage the highest perturbations (measured in L 2 distance) among
we then empirically determine an upper bound for the confidence all evaluated defenses. Comparing to other methods, adversarial
value to be used in the C&W-L 2 attacks for generating adversarial examples generated by RS-1 and RS-1-Dropout have either higher
examples for training purposes. To diversify the set of generated or comparable amount of distortion. These again suggest RS offers
adversarial examples, we sample several different confidence values additional protection against adversarial examples.
within the bound, which are also reported in Table 3.
Appendix A.1 provides additional details on training for each 5.3 Model Stability
defense scheme. Given a benign image and its variants with added noise, a more
robust model should intuitively be able to tolerate a higher level
5.2 White-box Evaluation of noise without changing its prediction results. We refer to this
We first evaluate the effectiveness of the defense mechanisms under property as model stability. Here we evaluate whether models from
white-box attacks. We apply the C&W white-box attack with con- a defense mechanism can correct label instances that are perturbed.
fidence 0 to generate targeted adversarial examples, and measure This serves several purposes. First, in [15], it is suggested that
the L 2 . distance of the generated adversarial examples. We consider vulnerability to adversarial examples and low performance on ran-
both single-model attack, where the adversarial example targets a domly corrupted images, such as images with additive Gaussian
 Standard Dropout Distillation ADV RC Magnet RS-1 RSD-1 RS-1-ADV

(a) Prediction Stability (MNIST) (b) Prediction Stability (Fashion-MNIST) (c) Prediction Stability (CIFAR-10)
100 100
100

Unchanged Predictions (%)

Unchanged Predictions (%)

Unchanged Predictions (%)

99 80 80
98 60 60
97 40 40
96
20 20
95 Magnet's stability 0 when L2 1
0 1 2 3 4 5 0 0
Amount of Guassian Noise Added (L2 distance) 0.0 0.5 1.0 1.5 2.0 2.5 0.0 0.5 1.0 1.5 2.0 2.5
Amount of Guassian Noise Added (L2 distance) Amount of Guassian Noise Added (L2 distance)
Figure 1: Evaluating model stability with Gaussian Noise
(a) Prediction Stability (MNIST) (b) Prediction Stability (Fashion-MNIST) (c) Prediction Stability (CIFAR-10)
100 100 100
Unchanged Predictions (%)

Unchanged Predictions (%)

Unchanged Predictions (%)

99 80 80
98 60 60
97 40 40
96 20 20
95 Magnet's stability 50 when JPEG QUALITY 70
0 0
100 80 60 40 20 0 100 80 60 40 20 0 100 80 60 40 20 0
JPEG Compression Quality JPEG Compression Quality JPEG Compression Quality
Figure 2: Evaluating model stability with JPEG compression

noise, are two manifestations of the same underlying phenome- For MNIST, most schemes have stability above 99%, even when
non. Hence it is suggested that adversary defenses should consider L 2 is as large as 5. However, Magnet has stability approaching 0
robustness under such perturbations, as robustness under such when the L 2 distance is greater than 1, because majority of those
perturbations are also indications of resistance against adversary instances are rejected by Magnet.
attacks. Second, evaluating stability is identified in [1, 7] as a way to For Fashion-MNIST, we see more interesting differences among
check whether a defense relies on obfuscated gradients to achieve the schemes. The two approaches that have highest stability are
its defense. For such a defense, random perturbation may discover the two with adversarial training. When L 2 = 2.5, RS-1-ADV has
adversarial examples when optimized search based on gradients stability 87.4%, and ADV has stability 86%. Other schemes have
fail. Third, some defense mechanisms (such as Magnet) rely on de- stability around 60%; among them, RS-1 and RSD-1 have slightly
tecting whether an instance belongs to the same distribution as the higher stability than others.
training set, and consider an instance to be an adversarial example For CIFAR-10, we see that RS-1-ADV, RSD-1, and RS-1 have
if it does. However, when an input instance goes through some the highest stability as the amount of noise increases. When L 2 =
transformation that has little impact on human visual detection 2.5, they have stability 87.9%, 81.7%, 83%, respectively. The other
(such as JPEG compression), it will be considered as an adversarial schemes have stability 70% or lower.
example by the defense. This will impact accuracy of deployed Furthermore, on all datasets, RS-1-ADV, RSD-1, and RS-1 give
systems, as the encountered instances may not always follow the consistent results. Recall that we trained 16 models for each scheme,
training distribution. Fig. 1 also plots the standard deviation of the stability result of the
16 models. RS-1-ADV, RSD-1, and RS-1 have very low standard
deviation, which in turn also suggest more consistent behavior
5.3.1 Stability with Added Gaussian Noise. We measure how many when facing perturbed images.
predictions would change if a certain amount of Gaussian noise
is introduced to a set of benign images. For a given dataset and a 5.3.2 Stability with JPEG compression. Given a set of benign im-
model, we use the first 1, 000 images from the test dataset. We first ages, we measure how many predictions would change if JPEG
make a prediction on those selected images and store the results as compression is applied to images. For a given test dataset and a
reference predictions. Then, for each selected image and chosen L 2 model, we compare the prediction on the benign test dataset (ref-
distance, we sample Gaussian noise, scale it to the desired L 2 value, erence predictions) with the prediction on JPEG compressed test
and add the noise to the image. Pixel values are clipped if necessary, dataset with a fixed chosen JPEG compression quality (JCQ). For
to make sure the new noisy variant is a valid image. We repeat this the sake of time efficiency, for this particular set of experiments,
process 20 times (noise sampled independently per iteration). we reduced the number of iterations used by RC to one-tenth of its
Fig. 1 shows the effect of Gaussian noise on prediction stability original algorithm.
for each training method (averaged over the 16 models trained in Fig. 2 shows the effect of JPEG compression on prediction stabil-
Sec. 5.1). Model stability inevitably drops for each scheme as the ity for each training method (averaged over the 16 models trained).
amount of Gaussian noise as measured by L 2 increases. However, Model stability decreases for each scheme as the JCQ (ranges
different schemes behave differently when L 2 increases. 10 − 100) decreases.
 For MNIST, most schemes achieve stability over 99, even if the
JCQ is 10. Magnet is the outlier, which has a stability of around 50
when the JCQ is 70, and has a stability of less than 20 when the
JCQ is less than or equal to 40, because of the high rejection rate
of MagNet. We believe that both of these results are related to the
fact that MNIST images have black backgrounds that span most of
the image. Noises introduced by JPEG compression result mostly
in perturbations in the background that are ignored by most NN
models. Since Magnet uses autoencoders to detect deviations from
the input distributions, these noises trigger detection. Since Magnet
aims at detecting perturbed images, this should not be considered
as a weakness of Magnet.
For Fashion-MNIST, we see that RS-1-ADV, RSD-1, and RS-1
outperform other schemes on the stability as the JCQ decreases.
When JCQ = 10, they have stability 85.2%, 80.9%, 84.4%, respectively.
The other schemes have stability 80% or lower; The closest to the
RS-class among other schemes is ADV.
For CIFAR-10, we see that RS-1-ADV, RSD-1, and RS-1 have the
highest stability as the JCQ decreases. When JCQ = 10, they have
stability 60.9%, 55.6%, 55.4%, respectively. The other schemes have
stability 50% or lower; the highest among the other schemes is RC.
5.4 Evaluating Attack Strategies
Here we empirically show that our proposed attack strategy, as
presented in Sec. 3.2, can indeed generate adversarial examples
that are more transferable. In attacks like the C&W attack, a higher
confidence value will typically lead to more transferable examples,
but the amount of perturbation would usually increase as well,
sometimes making the example noticeably different under human
perception.
Intuitively, a better attack strategy should give more transferable
adversarial examples using less amount of distortion. Hence we
use Distortion vs Transferability to compare 3 possible attack strate-
gies. Similar to previous experiments, we measure the amount of
distortion using L 2 distance. In Fig. 3 we present the effectiveness
of each attack strategy, averaged across the 9 schemes.
The first strategy we evaluated is a standard C&W attack which
generates adversarial examples using only one surrogate model,
dubbed ‘Single’. Recall that for each training/defense method, we
have 16 models that are surrogates of each other (Sec. 5.1). For each
surrogate model, we randomly select half of the original dataset as
the training dataset, since the adversary may not have full knowl-
edge of the training dataset under the transfer attack setting. For
the Single strategy, we apply the C&W attack on 4 of the models
independently to generate a pool of adversarial examples. The trans-
ferability of those examples are then measured and averaged on the
remaining 12 target models. Regardless of the training methods and
defense mechanisms in place, adversarial examples generated us-
ing the Single strategy often have limited transferability, especially
when the allowed amount of distortion (L 2 distance) is small.
The second attack strategy that we evaluate is to generate ad-
versarial examples using multiple surrogate models. For this, we
use 8 of the 16 surrogate models for generating attack examples.
The C&W attack can be adapted to handle this case with a slightly
different loss function. In our experiments, we use the sum of the
loss functions of the 8 surrogate models as the new loss function.
We also use slightly lower confidence values than in Sec. 5.1.1
({0, 10, 20, 30} for Fashion-MNIST, {0, 20, 40, 60} CIFAR-10). The
transferability of the generated adversarial examples are then mea-
sured and averaged on the remaining 8 models as the target. We
refer to this as ‘Multi 8’. As shown in Fig. 3, given the same limit
on the amount of distortion (L 2 distance), a significantly higher
percentage of examples generated using the Multi 8 strategy are
transferable than those found using the Single strategy.
Additionally, we evaluate a third attack strategy that is based
on Multi 8. As discussed in Sec. 3.2, given enough surrogate mod-
els, one can further use some of them for validating adversarial
examples. For those adversarial examples generated by the Multi 8
strategy, we keep them only if they can be transferred to at least 5
of the 7 validation models, hence we refer to this strategy Multi 8
& Passing 5/7 Validation. The remaining model is used as the attack
target, and we measure the transferability of examples that passed
the 5/7 Validation. For this attack strategy, the measurements shown
in Fig. 3 is the average of 8 rotations between target model and
validation models. Comparing to Multi 8 and Single, adversarial ex-
amples that passed the 5/7 Validation are significantly more likely to
transfer to the target model, even when the amount of perturbation
is small.
This shows that simple strategies like Single are indeed not real-
izing the full potential of a resourceful attacker, and our proposed
attack strategy of using multiple models for the generation and
validation of adversarial examples is indeed superior. In the reset
of this section, we will be using the most effective attack strategy
of Multi 8 & Passing 5/7 Validation.
5.5 Translucent-box Evaluation
Here we evaluate the effectiveness of different schemes based on the
transferability of adversarial examples generated using the Multi 8
& Passing 5/7 Validation attack strategy.
The results of our translucent-box evaluation are shown in Fig. 4.
Adversarial examples are grouped into buckets based on their L 2
distance. For each bucket, we use grayscale to indicate the aver-
age validation passing rate for each scheme. Passing rate from 0%
to 100% are mapped to pixel value from 0 to 255 in a linear scale.
There are four rows, each correspond to adversarial examples with a
certain L 2 range. Each column illustrates to what extent a target de-
fense scheme resist adversarial examples generated from attacking
different methods.
Examining the columns for Standard and Dropout, we can see
that Standard and Dropout are in general most vulnerable. Distilla-
tion and RC are almost equally vulnerable. Magnet can often resist
adversarial examples generated by targeting other defenses, but are
vulnerable to ones generated specifically targeting it.
Overall, across the three datasets, RS-1-Adv performs the best,
and is significantly better than Dropout-Adv. This suggests that
Random Spiking offers additional protection against adversarial
examples. RS-1 and RS-1-Dropout also perform consistently well
across the three datasets. RC performs noticeably well on MNIST
and Fashion-MNIST, likely because the images were all in 8-bit
grayscale, and its advantages diminish on CIFAR-10 which contains
images of 24-bit color.
 Single Multi 8 Multi 8 & Passing 5/7 Validation
MNIST Fashion-MNIST CIFAR-10
1.0 1.0 1.0
Transferability

Transferability

Transferability
0.5 0.5 0.5

0.0 0.0 0.0

0 2.25 2.5 2.75 3.0 0 0.4 0.6 0.8 1.0 0 0.4 0.6 0.8 1.0
L2 L2 L2
Figure 3: Transferability of adversarial examples found by the 3 attack strategies

(a) MNIST (b) Fashion-MNIST (c) CIFAR-10

RS-1-Dropout

RS-1-Dropout

RS-1-Dropout
Dropout-Adv

Dropout-Adv

Dropout-Adv
Distillation

Distillation

Distillation
RS-1-Adv

RS-1-Adv

RS-1-Adv
Standard

Standard

Standard
Dropout

Dropout

Dropout
Magnet

Magnet

Magnet
RS-1

RS-1

RS-1
RC

RC

RC
All

All

All
L2 : 0 − 2.25 L2 : 0 − 0.4 L2 : 0 − 0.4
Standard Standard Standard
Dropout Dropout Dropout
Distillation Distillation Distillation
ADV ADV ADV
Magnet Magnet Magnet
RS-1 RS-1 RS-1
RSD-1 RSD-1 RSD-1
RS-1-ADV RS-1-ADV RS-1-ADV
all all all
L2 : 2.25 − 2.5 L2 : 0.4 − 0.6 L2 : 0.4 − 0.6
Standard Standard Standard
Dropout Dropout Dropout
Distillation Distillation Distillation
ADV ADV ADV
Magnet Magnet Magnet
RS-1 RS-1 RS-1
RSD-1 RSD-1 RSD-1
RS-1-ADV RS-1-ADV RS-1-ADV
all all all
L2 : 2.5 − 2.75 L2 : 0.6 − 0.8 L2 : 0.6 − 0.8
Standard Standard Standard
Dropout Dropout Dropout
Distillation Distillation Distillation
ADV ADV ADV
Magnet Magnet Magnet
RS-1 RS-1 RS-1
RSD-1 RSD-1 RSD-1
RS-1-ADV RS-1-ADV RS-1-ADV
all all all
L2 : 2.75 − 3 L2 : 0.8 − 1 L2 : 0.8 − 1
Standard Standard Standard
Dropout Dropout Dropout
Distillation Distillation Distillation
ADV ADV ADV
Magnet Magnet Magnet
RS-1 RS-1 RS-1
RSD-1 RSD-1 RSD-1
RS-1-ADV RS-1-ADV RS-1-ADV
all all all

Figure 4: Average passing rate of 5/7 validation

This heat map shows the resilience of each scheme against the adversarial examples generated from all schemes, under a fixed allowance of
L 2 . Each column illustrates to what extent a target defense scheme resists adversarial examples generated from attacking different methods.

6 RELATED WORK bit depths reduction and pixel spatial smoothing to detect adversar-
ial examples [41]. Xie et al.. proposed to use Feature Denoising [40]
Other attack algorithms. There are other attack algorithms such to improve the robustness of the Neural Network Model. Due to
as JSMA [26], FGS [16], PGD[23], and DeepFool [25]. The general limit in time and space, we selected representative methods from
consensus seems to be that the C&W attack is the current state-of- each broad class (e.g., MagNet for the detection approach). We leave
the-art [8, 9, 13]. Though our evaluation results are based on the comparison with other mechanisms as future work.
C&W attack, our evaluation framework is not tied to a particular
attack and can use other algorithms. Beyond images. Other research efforts have explored possible at-
tacks against neural network models specialized for other purposes,
Other defense mechanisms. Some other defense mechanisms for example, speech to text [10]. We focus on images, although the
have been proposed [6, 24, 27, 39–41] in the literature. For example,
Xu et al.. proposed to use feature squeezing techniques such as color
evaluation methodology and the idea of random spiking should be
applicable to these other domains.
Alternative similarity metrics. Some researchers have argued
that Lp norms insufficiently capture human perception, and have
proposed alternative similarity metrics like SSIM [28]. It is however,
not immediately clear how to adapt such metrics in the C&W at-
tack. We leave further investigations on the impacts of alternative
similarity metrics on adversarial examples for future work.
7 CONCLUSION
In this paper, we present a careful analysis of possible adversar-
ial models for studying the phenomenon of adversarial examples.
We propose an evaluation methodology that can better illustrate
the strengths and limitations of different mechanisms. As part of
the method, we introduce a more powerful and meaningful adver-
sary strategy. We also introduce Random Spiking, a randomized
technique that generalizes dropout. We have conducted extensive
evaluation of Random Spiking and several other defense mech-
anisms, and demonstrate that Random Spiking, especially when
combined with adversarial training, offers better protection against
adversarial examples when compared with other existing defenses.
ACKNOWLEDGEMENTS
This work is supported by the Northrop Grumman Cybersecu-
rity Research Consortium under a Grant titled “Defenses Against
Adversarial Examples” and by the United States National Science
Foundation under Grant No. 1640374.
REFERENCES
[1] Anish Athalye, Nicholas Carlini, and David Wagner. 2018. Obfuscated Gradients
Give a False Sense of Security: Circumventing Defenses to Adversarial Examples.
In ICML, Vol. 80. PMLR, StockholmsmÃďssan, Stockholm Sweden, 274–283.
[2] Anish Athalye, Logan Engstrom, Andrew Ilyas, and Kevin Kwok. 2018. Synthe-
sizing Robust Adversarial Examples. In ICML, Vol. 80. PMLR, 284–293.
[3] David M Blei, Alp Kucukelbir, and Jon D McAuliffe. 2017. Variational inference:
A review for statisticians. J. Amer. Statist. Assoc. 112, 518 (2017), 859–877.
[4] Léon Bottou. 2010. Large-scale machine learning with stochastic gradient descent.
In Proceedings of COMPSTAT’2010. Springer, 177–186.
[5] Wieland Brendel, Jonas Rauber, and Matthias Bethge. 2018. Decision-Based Ad-
versarial Attacks: Reliable Attacks Against Black-Box Machine Learning Models.
In ICLR.
[6] Xiaoyu Cao and Neil Zhenqiang Gong. 2017. Mitigating evasion attacks to deep
neural networks via region-based classification. In ACSAC. ACM, 278–287.
[7] Nicholas Carlini, Anish Athalye, Nicolas Papernot, Wieland Brendel, Jonas
Rauber, Dimitris Tsipras, Ian J. Goodfellow, Aleksander Madry, and Alexey Ku-
rakin. 2019. On Evaluating Adversarial Robustness. CoRR (2019). arXiv:1902.06705
[8] Nicholas Carlini and David Wagner. 2017. Adversarial Examples Are Not Easily
Detected: Bypassing Ten Detection Methods. In Proceedings of the 10th Workshop
on Artificial Intelligence and Security. ACM, 3–14.
[9] Nicholas Carlini and David Wagner. 2017. Towards evaluating the robustness of
neural networks. In 2017 IEEE S&P. IEEE, 39–57.
[10] Nicholas Carlini and David Wagner. 2018. Audio Adversarial Examples: Tar-
geted Attacks on Speech-to-Text. Deep Learning and Security Workshop, Article
arXiv:1801.01944 (2018), arXiv:1801.01944 pages. arXiv:cs.LG/1801.01944
[11] Nicholas Carlini and David A. Wagner. 2017. MagNet and “Efficient Defenses
Against Adversarial Attacks” are Not Robust to Adversarial Examples. CoRR
abs/1711.08478 (2017). arXiv:1711.08478 http://arxiv.org/abs/1711.08478
[12] Jianbo Chen and Michael I. Jordan. 2019. Boundary Attack++: Query-Efficient
Decision-Based Adversarial Attack. (2019). arXiv:1904.02144
[13] Pin-Yu Chen, Yash Sharma, Huan Zhang, Jinfeng Yi, and Cho-Jui Hsieh. 2018.
EAD: Elastic-Net Attacks to Deep Neural Networks via Adversarial Examples.
AAAI Conference on Artificial Intelligence (2018).
[14] Yarin Gal and Zoubin Ghahramani. 2016. Dropout as a Bayesian Approximation:
Representing Model Uncertainty in Deep Learning. ICML 48, 1050–1059.
[15] Justin Gilmer, Nicolas Ford, Nicholas Carlini, and Ekin Cubuk. 2019. Adversarial
Examples Are a Natural Consequence of Test Error in Noise. In ICML, Vol. 97.
2280–2289.
[16] Ian Goodfellow, Jonathon Shlens, and Christian Szegedy. 2015. Explaining and
Harnessing Adversarial Examples. In ICLR.
[17] James J Heckman. 1977. Sample selection bias as a specification error (with an
application to the estimation of labor supply functions). (1977).
[18] G. Hinton, O. Vinyals, and J. Dean. 2014. Distilling the Knowledge in a Neural
Network. NIPS 2014 Deep Learning and Representation Learning Workshop (2014).
[19] D. P. Kingma and J. Ba. 2015. Adam: A Method for Stochastic Optimization. In
International Conference on Learning Representations.
[20] Alex Krizhevsky. 2009. Learning multiple layers of features from tiny images.
Technical Report.
[21] Yann LeCun, Corinna Cortes, and Christopher JC Burges. 1998. The MNIST
database of handwritten digits. (1998). http://yann.lecun.com/exdb/mnist/
[22] Yanpei Liu, Xinyun Chen, Chang Liu, and Dawn Song. 2017. Delving into
Transferable Adversarial Examples and Black-box Attacks. In ICLR.
[23] Aleksander Madry, Aleksandar Makelov, Ludwig Schmidt, Dimitris Tsipras, and
Adrian Vladu. 2018. Towards deep learning models resistant to adversarial attacks.
In ICLR.
[24] Dongyu Meng and Hao Chen. 2017. Magnet: a two-pronged defense against
adversarial examples. In CCS. ACM, 135–147.
[25] Seyed-Mohsen Moosavi-Dezfooli, Alhussein Fawzi, and Pascal Frossard. 2016.
Deepfool: a simple and accurate method to fool deep neural networks. In CVPR.
2574–2582.
[26] Nicolas Papernot, Patrick McDaniel, Somesh Jha, Matt Fredrikson, Z Berkay Celik,
and Ananthram Swami. 2016. The limitations of deep learning in adversarial
settings. In 2016 EuroS&P. IEEE, 372–387.
[27] Nicolas Papernot, Patrick D. McDaniel, Xi Wu, Somesh Jha, and Ananthram
Swami. 2016. Distillation as a Defense to Adversarial Perturbations Against Deep
Neural Networks. In 2016 IEEE S&P. 582–597.
[28] Mahmood Sharif, Lujo Bauer, and Michael K. Reiter. 2018. On the Suitability of
Lp -norms for Creating and Preventing Adversarial Examples. IEEE CVPRW.
[29] Hidetoshi Shimodaira. 2000. Improving predictive inference under covariate
shift by weighting the log-likelihood function. Journal of statistical planning and
inference 90, 2 (2000), 227–244.
[30] Nitish Srivastava, Geoffrey Hinton, Alex Krizhevsky, Ilya Sutskever, and Ruslan
Salakhutdinov. 2014. Dropout: a simple way to prevent neural networks from
overfitting. The Journal of Machine Learning Research 15, 1 (2014), 1929–1958.
[31] Masashi Sugiyama, Neil D Lawrence, Anton Schwaighofer, et al. 2017. Dataset
shift in machine learning. The MIT Press.
[32] Masashi Sugiyama, Shinichi Nakajima, Hisashi Kashima, Paul V Buenau, and
Motoaki Kawanabe. 2008. Direct importance estimation with model selection and
its application to covariate shift adaptation. In Advances in neural information
processing systems. 1433–1440.
[33] Christian Szegedy, Wojciech Zaremba, Ilya Sutskever, Joan Bruna, Dumitru Erhan,
Ian Goodfellow, and Rob Fergus. 2014. Intriguing properties of neural networks.
In International Conference on Learning Representations.
[34] Dimitris Tsipras, Shibani Santurkar, Logan Engstrom, Alexander Turner, and
Aleksander Madry. 2019. Robustness may be at odds with accuracy. In ICLR.
[35] Pascal Vincent, Hugo Larochelle, Yoshua Bengio, and Pierre-Antoine Manzagol.
2008. Extracting and Composing Robust Features with Denoising Autoencoders.
In ICML. ACM, 1096–1103.
[36] Pascal Vincent, Hugo Larochelle, Isabelle Lajoie, Yoshua Bengio, and Pierre-
Antoine Manzagol. 2010. Stacked Denoising Autoencoders: Learning Useful
Representations in a Deep Network with a Local Denoising Criterion. In ICML,
Vol. 11. 3371–3408.
[37] Siyue Wang, Xiao Wang, Pu Zhao, Wujie Wen, David Kaeli, Peter Chin, and
Xue Lin. 2018. Defensive Dropout for Hardening Deep Neural Networks Under
Adversarial Attacks. In ICCAD. ACM, Article 71, 8 pages.
[38] Han Xiao, Kashif Rasul, and Roland Vollgraf. 2017. Fashion-MNIST: a Novel Image
Dataset for Benchmarking Machine Learning Algorithms. CoRR abs/1708.07747
(2017). arXiv:1708.07747
[39] Cihang Xie, Jianyu Wang, Zhishuai Zhang, Zhou Ren, and Alan L. Yuille. 2018.
Mitigating adversarial effects through randomization. ICLR (2018).
[40] Cihang Xie, Yuxin Wu, Laurens van der Maaten, Alan L. Yuille, and Kaiming He.
2019. Feature Denoising for Improving Adversarial Robustness. In CVPR.
[41] Weilin Xu, David Evans, and Yanjun Qi. 2018. Feature Squeezing: Detecting
Adversarial Examples in Deep Neural Networks. NDSS.
[42] Sergey Zagoruyko and Nikos Komodakis. 2016. Wide Residual Networks. In
BMVC.
[43] Hongyang Zhang, Yaodong Yu, Jiantao Jiao, Eric P. Xing, Laurent El Ghaoui, and
Michael I. Jordan. 2019. Theoretically Principled Trade-off between Robustness
and Accuracy. In ICML. 7472–7482.
A APPENDIX to what we used for RS-1. We also use RSD-1 as a shorthand to
refer to this scheme.
A.1 More Information on Training
Model architecture and training parameters are in Tables 6 Distillation. We use the same network architecture and parame-
and 7. For MNIST, we use the same as in MagNet [9, 24]). For ters as we did for the training of Dropout models. Identical to the
Fashion-MNIST and CIFAR-10, they are identical to the WRN [42]. configuration used in [9], we train with temperature T = 100 and
Test errors of the nine schemes are in Table 2. For each scheme test with T = 1 for all three datasets.
and dataset, we train 16 models and report the mean and standard Region-based Classification (RC). We use the Dropout models
deviation. Additional information is provided below. for RC. For each test example, we generate t additional examples,
where for each pixel, a noise was randomly chosen from (−r, r )
Table 6: Mode Architectures. We use WRN-28-10 for and added to it. Prediction is then made with majority voting on
Fashion-MNIST and CIFAR-10 (k = 10, N = 4). the t input examples. Identical to the original RC paper [6], we use
MNIST Fashion-MNIST CIFAR-10
t = 10, 000 for MNIST and t = 1, 000 for CIFAR-10. We also use
t = 1, 000 for Fashion-MNIST. We choose values for r (r = 0.4 for
Output Output
Group Kernel, Feature Kernel, Feature
Size Size
Conv.ReLU 3 × 3 × 32 Conv1 28 × 28 [3 × 3, 16] 32 × 32 [3 × 3, 16]
MNIST, and r = 0.02 for Fashion-MNIST and CIFAR-10) so that the
Conv.ReLU 3 × 3 × 32 " # " # test errors would be comparable to the other mechanisms.
3 × 3, 16 × k 3 × 3, 16 × k
Max Pooling 2×2 Conv2 28 × 28 ×N 32 × 32 ×N
3 × 3, 16 × k 3 × 3, 16 × k Adversarial Dropout (Dropout-Adv). To use adversarial training
Conv.ReLU 3 × 3 × 64
Conv.ReLU 3 × 3 × 64 " #
3 × 3, 32 × k
" #
3 × 3, 32 × k with Dropout, we leverage the trained Dropout model from before as
Max Pooling 2×2 Conv3 14 × 14 ×N 16 × 16 ×N
3 × 3, 32 × k 3 × 3, 32 × k the target model for generating adversarial examples. We generated
Dense.ReLU 200
12, 000 adversarial examples for each Dropout model by perturbing
" # " #
3 × 3, 64 × k 3 × 3, 64 × k
Dense.ReLU 200 Conv4 7×7 ×N 8×8 ×N
3 × 3, 64 × k 3 × 3, 64 × k training instances. To ensure that the adversarial examples indeed
Softmax 10 Softmax 10 10
should be classified under the original label, we sort the adversarial
Table 7: Training Parameters. examples according to their L 2 distances in ascending order, and
add only the first 10, 000 examples into the training dataset. These
Parameters MNIST Fashion-MNIST & CIFAR-10
examples have L 2 distances lower than the cutoff mentioned earlier.
Optimization Method SGD SGD We then apply the Dropout training procedure as described before
Learning Rate 0.01 0.1 initial, multiply by 0.2
at 60, 120 and 160 epochs on the new training dataset.
Momentum 0.9 0.9 Adversarial Random Spiking (RS-1-Adv). For this adversarial
Batch Size 128 128
Epochs 50 200
training method, we use RS-1 as the target model. The training pa-
Dropout (Optional) 0.5 0.1 rameters and procedure are largely identical to what were described
Data Augmentation - Fashion-MNIST: Shifting + Horizontal Flip for Dropout-Adv above.
CIFAR-10: Shifting + Rotation +
Horizontal Flip + Zooming + Shear
A.2 Proof of Proposition 1
Proof sketch. The Monte Carlo sampling used in the RS neural
Magnet. We use the trained Dropout model as the prediction network optimization gives an unbiased estimate of the gradient
model, and train the Magnet defensive models (reformers and de- Õ∫ ∂
tectors) [24] based on the publicly released Magnet implementa- L (y, ŷ(x, b, ϵ,W )) p(b)f (ϵ)dϵ
∂W
tion1 . Identical to the settings2 presented in the original Magnet pa- ∀b ϵ
∂ Õ
∫
per [24], for MNIST, we use Reformer I, Detector I/L 2 and Detector
= L (y, ŷ(x, b, ϵ,W )) p(b)f (ϵ)dϵ,
II/L 1 , with detection threshold set to 0.001. Since Fashion-MNIST ∂W ϵ ∀b
was not studied in [24], we use the same model architecture
as CIFAR-10 presented in the original Magnet paper [24]. For with the above equality given by the linearity of the expectation
Fashion-MNIST and CIFAR-10, we use Reformer II, Detector II/L 1 , and integral operators. That is, the RS neural network optimization
Detector II/T 10 and Detector II/T 40, and with a detection threshold is a Robbins-Monro stochastic optimization [4] that minimizes
Õ∫
(rate of false positive) of 0.004, which results in test error rates W ′ = argmin L(y, ŷ(x,W ))p(b)f (ϵ)dϵ .
comparable to those of the other schemes. W ϵ
∀b
Random Spiking with standard model (RS-1). A Random Spik- L is convex on ŷ, then by Jensen’s inequality
ing (RS) layer is added after the first convolution layer in the stan- Õ∫
dard architecture. We choose p = 0.8, so that 20% of all neuron L (y, ŷ(x, b, ϵ,W )) p(b)f (ϵ)dϵ ≥
∀b ϵ
outputs are randomly spiked. !
Õ∫
Random Spiking with Dropout (RS-1-Dropout). We add the
 
L y, ŷ(x, b, ϵ,W )p(b)f (ϵ)dϵ ≡ L y, ŷ(x,W ) .
RS layer to the Dropout scheme. All other parameters are identical ϵ
∀b
1 https://github.com/Trevillie/MagNet
2 Regarding
Thus, the RS neural network minimizes an upper bound of the loss
of the ensemble RS model ŷ(x,W ), yielding a proper variational
the Detector settings, a small discrepancy exists between the paper and
the released source code. After confirming with the authors, we follow what is given
by the source code. inference procedure [3]. □