In guaranteeing that no adversarial examples exist within a bounded region, certification mechanisms play an important role in neural network robustness. Concerningly, this work demonstrates that the certification mechanisms themselves introduce a new, heretofore undiscovered attack surface that attackers can exploit to construct smaller adversarial perturbations. While these attacks, which lie outside the certified region, in no way invalidate the certifications, minimising a perturbation's norm significantly increases the difficulty of detecting the attack. In comparison to baseline attacks, our new framework yields smaller perturbations more than twice as frequently as any other approach, resulting in an up to $34 \%$ reduction in the median perturbation norm. This approach also requires $90 \%$ less computational time than approaches like PGD. That these reductions are possible suggests that exploiting this new attack vector would allow attackers to more frequently construct hard-to-detect adversarial attacks, by exploiting the very systems designed to defend deployed models.
Translation: In guaranteeing that no adversarial examples exist within a bounded region, certification mechanisms play an important role in neural network robustness. Worryingly, this work shows that certification mechanisms themselves introduce a new, previously undiscovered attack surface that attackers can exploit to construct smaller adversarial perturbations. Although these attacks, which lie outside the certified region, in no way invalidate the certifications, minimising the perturbation norm significantly increases the difficulty of detecting the attack. Compared with baseline attacks, our new framework produces smaller perturbations at least twice as often as any other method, reducing the median perturbation norm by up to 34%. The approach also requires 90% less computation time than methods such as PGD. These reductions suggest that exploiting this new attack vector would let attackers construct hard-to-detect adversarial attacks more frequently, by exploiting the very systems designed to protect deployed models.
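The abstract does not describe the framework itself, so the following is an added toy illustration (not the paper's code) of the underlying relationship it relies on: a certified radius is a lower bound on the distance to the decision boundary, so any adversarial example must lie outside the certified ball, and an attacker who can read that radius can place a perturbation just beyond it. The model, input and the two attack routines (`certification_guided_attack`, `fixed_step_attack`) are constructed for this example; a linear classifier is used because its exact boundary distance $|w \cdot x + b| / \|w\|_2$ doubles as its certified radius, whereas a real certifier for a deep network would only return a lower bound.

```python
import math


def dot(a, b):
    return sum(ai * bi for ai, bi in zip(a, b))


def l2(a):
    return math.sqrt(dot(a, a))


def score(w, b, x):
    """Signed score of a linear classifier f(x) = w.x + b; label is sign(score)."""
    return dot(w, x) + b


def certified_radius(w, b, x):
    """Exact L2 distance from x to the decision boundary of the linear model.
    No adversarial example exists inside this ball, so it is a valid certificate;
    for a deep network a certifier would return a (looser) lower bound instead."""
    return abs(score(w, b, x)) / l2(w)


def certification_guided_attack(w, b, x, slack=1e-3):
    """Attack that reads the certificate: one gradient evaluation, one step of
    length r * (1 + slack) along -sign(score) * grad, i.e. just past the
    certified ball. Returns the perturbation (constructed toy, not the paper's method)."""
    s = score(w, b, x)
    r = certified_radius(w, b, x)
    wn = l2(w)
    direction = [-math.copysign(1.0, s) * wi / wn for wi in w]  # unit vector towards boundary
    return [r * (1 + slack) * d for d in direction]


def fixed_step_attack(w, b, x, step, max_steps=10_000):
    """Baseline with no radius information: repeat fixed-length L2 gradient
    steps until the label flips (a PGD-style search). Because it can only stop
    on a step boundary, it overshoots by up to one full step.
    Returns (perturbation, number of gradient evaluations)."""
    s0 = math.copysign(1.0, score(w, b, x))
    wn = l2(w)
    delta = [0.0] * len(x)
    for k in range(1, max_steps + 1):
        delta = [di - s0 * step * wi / wn for di, wi in zip(delta, w)]
        x_adv = [xi + di for xi, di in zip(x, delta)]
        if math.copysign(1.0, score(w, b, x_adv)) != s0:
            return delta, k
    raise RuntimeError("label did not flip within max_steps")


def flips_label(w, b, x, delta):
    """True when x + delta is classified differently from x."""
    x_adv = [xi + di for xi, di in zip(x, delta)]
    return math.copysign(1.0, score(w, b, x)) != math.copysign(1.0, score(w, b, x_adv))


if __name__ == "__main__":
    # Constructed toy model and input: w = (3, 4), b = -1, x = (1, 1).
    W, B, X = [3.0, 4.0], -1.0, [1.0, 1.0]
    r = certified_radius(W, B, X)
    guided = certification_guided_attack(W, B, X)
    base, evals = fixed_step_attack(W, B, X, step=0.5)
    print(f"certified radius        : {r:.4f}")
    print(f"guided attack   norm    : {l2(guided):.4f}  (1 gradient eval, flips={flips_label(W, B, X, guided)})")
    print(f"fixed-step attack norm  : {l2(base):.4f}  ({evals} gradient evals, flips={flips_label(W, B, X, base)})")
    # Both perturbations lie outside the certified ball, so the certificate
    # still holds; the radius-aware attack is simply smaller and cheaper.
    assert l2(guided) > r and l2(base) > r
```

Both perturbations exceed the certified radius, which is exactly why the certificate remains valid; the difference is that the radius-aware attack lands a hair past the boundary after a single gradient evaluation while the blind search stops at the first multiple of its step size, mirroring the abstract's claim that certification information lets an attacker produce smaller perturbations at lower cost.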