It is becoming increasingly imperative to design robust ML defenses. However, recent work has found that many defenses that initially resist state-of-the-art attacks can be broken by an adaptive adversary. In this work we take steps to simplify the design of defenses and argue that white-box defenses should eschew randomness when possible. We begin by illustrating a new issue with the deployment of randomized defenses that reduces their security compared to their deterministic counterparts. We then provide evidence that making defenses deterministic simplifies robustness evaluation, without reducing the effectiveness of a truly robust defense. Finally, we introduce a new defense evaluation framework that leverages a defense's deterministic nature to better evaluate its adversarial robustness.