惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

GbyAI
GbyAI
Simon Willison's Weblog
Simon Willison's Weblog
Microsoft Security Blog
Microsoft Security Blog
Y
Y Combinator Blog
The GitHub Blog
The GitHub Blog
Engineering at Meta
Engineering at Meta
F
Fortinet All Blogs
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
A
About on SuperTechFans
Last Week in AI
Last Week in AI
月光博客
月光博客
有赞技术团队
有赞技术团队
P
Proofpoint News Feed
MyScale Blog
MyScale Blog
Martin Fowler
Martin Fowler
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
C
Check Point Blog
U
Unit 42
The Register - Security
The Register - Security
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
Hugging Face - Blog
Hugging Face - Blog
阮一峰的网络日志
阮一峰的网络日志
V
Visual Studio Blog
酷 壳 – CoolShell
酷 壳 – CoolShell
D
DataBreaches.Net
WordPress大学
WordPress大学
aimingoo的专栏
aimingoo的专栏
H
Hacker News: Front Page
Recent Announcements
Recent Announcements
C
CXSECURITY Database RSS Feed - CXSecurity.com
Latest news
Latest news
小众软件
小众软件
P
Palo Alto Networks Blog
PCI Perspectives
PCI Perspectives
Security Latest
Security Latest
S
Secure Thoughts
Scott Helme
Scott Helme
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
T
Threat Research - Cisco Blogs
P
Proofpoint News Feed
M
MIT News - Artificial intelligence
Application and Cybersecurity Blog
Application and Cybersecurity Blog
Google DeepMind News
Google DeepMind News
Recorded Future
Recorded Future
O
OpenAI News
S
Securelist
云风的 BLOG
云风的 BLOG
H
Help Net Security
T
Troy Hunt's Blog

OpenAI News

Using custom GPTs ChatGPT for customer success teams Applications of AI at OpenAI Research with ChatGPT Analyzing data with ChatGPT Financial services Responsible and safe use of AI Writing with ChatGPT ChatGPT for research Creating images with ChatGPT Personalizing ChatGPT ChatGPT for finance teams Getting started with ChatGPT Working with files in ChatGPT ChatGPT for sales teams Prompting fundamentals ChatGPT for managers Using projects in ChatGPT ChatGPT for marketing teams Brainstorming with ChatGPT AI fundamentals ChatGPT for operations teams Healthcare Our response to the Axios developer tool compromise Using skills OpenAI Full Fan Mode Contest: Terms & Conditions CyberAgent moves faster with ChatGPT Enterprise and Codex The next phase of enterprise AI Introducing the Child Safety Blueprint Introducing the OpenAI Safety Fellowship Industrial policy for the Intelligence Age OpenAI acquires TBPN Codex now offers more flexible pricing for teams Gradient Labs gives every bank customer an AI account manager OpenAI raises $122 billion to accelerate the next phase of AI Helping disaster response teams turn AI into action across Asia STADLER reshapes knowledge work at a 230-year-old company Inside our approach to the Model Spec Introducing the OpenAI Safety Bug Bounty program Helping developers build safer AI experiences for teens Update on the OpenAI Foundation Powering Product Discovery in ChatGPT Creating with Sora Safely How we monitor internal coding agents for misalignment OpenAI to acquire Astral Introducing GPT-5.4 mini and nano OpenAI Japan announces Japan Teen Safety Blueprint to put teen safety first Equipping workers with insights about compensation Why Codex Security Doesn’t Include a SAST Report Designing AI agents to resist prompt injection From model to agent: Equipping the Responses API with a computer environment Rakuten fixes issues twice as fast with Codex Wayfair boosts catalog accuracy and support speed with OpenAI Improving instruction hierarchy in frontier LLMs New ways to learn math and science in ChatGPT OpenAI to acquire Promptfoo Codex Security: now in research preview How Descript engineers multilingual video dubbing at scale How Balyasny Asset Management built an AI research engine Reasoning models struggle to control their chains of thought, and that’s good Introducing GPT-5.4 GPT-5.4 Thinking System Card Ensuring AI use in education leads to opportunity VfL Wolfsburg turns ChatGPT into a club-wide capability OpenAI and NORAD team up to bring new magic to “NORAD Tracks Santa” Accenture and OpenAI accelerate enterprise AI success OpenAI takes an ownership stake in Thrive Holdings to accelerate enterprise AI adoption What to know about a recent Mixpanel security incident Expanding data residency access to business customers worldwide Our approach to mental health-related litigation Inside JetBrains—the company reshaping how the world writes code Introducing shopping research in ChatGPT How GPT-5 helped mathematician Ernest Ryu solve a 40-year-old open problem OpenAI and Foxconn collaborate to strengthen U.S. manufacturing across the AI supply chain Disrupting malicious uses of AI: June 2025 Creating websites in minutes with AI Website Builder Addendum to OpenAI o3 and o4-mini system card: OpenAI o3 Operator OpenAI Deutschland Shipping code faster with o3, o4-mini, and GPT-4.1 Introducing Stargate UAE New tools and features in the Responses API Introducing Codex Addendum to o3 and o4-mini system card: Codex AI powers Expedia’s marketing evolution Strengthening America’s AI leadership with the U.S. National Laboratories Introducing ChatGPT Gov Operator System Card Computer-Using Agent Introducing Operator Bertelsmann powers creativity and productivity with OpenAI Trading Inference-Time Compute for Adversarial Robustness Announcing The Stargate Project Stargate Infrastructure The power of personalized AI Delivering LLM-powered health solutions Increasing accuracy of pediatric visit notes Practices for Governing Agentic AI Systems Superalignment Fast Grants Weak-to-strong generalization Partnership with Axel Springer to deepen beneficial use of AI in journalism
Attacking machine learning with adversarial examples
2017-02-24 · via OpenAI News

To give an example of how a simple defense can fail, let’s consider why a technique called “gradient masking” does not work.

Gradient masking” is a term introduced in Practical Black-Box Attacks against Deep Learning Systems using Adversarial Examples(opens in a new window). to describe an entire category of failed defense methods that work by trying to deny the attacker access to a useful gradient.

Most adversarial example construction techniques use the gradient of the model to make an attack. In other words, they look at a picture of an airplane, they test which direction in picture space makes the probability of the “cat” class increase, and then they give a little push (in other words, they perturb the input) in that direction. The new, modified image is mis-recognized as a cat.

But what if there were no gradient — what if an infinitesimal modification to the image caused no change in the output of the model? This seems to provide some defense because the attacker does not know which way to “push” the image.

We can easily imagine some very trivial ways to get rid of the gradient. For example, most image classification models can be run in two modes: one mode where they output just the identity of the most likely class, and one mode where they output probabilities. If the model’s output is “99.9% airplane, 0.1% cat”, then a little tiny change to the input gives a little tiny change to the output, and the gradient tells us which changes will increase the probability of the “cat” class. If we run the model in a mode where the output is just “airplane”, then a little tiny change to the input will not change the output at all, and the gradient does not tell us anything.

Let’s run a thought experiment to see how well we could defend our model against adversarial examples by running it in “most likely class” mode instead of “probability mode.” The attacker no longer knows where to go to find inputs that will be classified as cats, so we might have some defense. Unfortunately, every image that was classified as a cat before is still classified as a cat now. If the attacker can guess which points are adversarial examples, those points will still be misclassified. We haven’t made the model more robust; we have just given the attacker fewer clues to figure out where the holes in the models defense are.

Even more unfortunately, it turns out that the attacker has a very good strategy for guessing where the holes in the defense are. The attacker can train their own model, a smooth model that has a gradient, make adversarial examples for their model, and then deploy those adversarial examples against our non-smooth model. Very often, our model will misclassify these examples too. In the end, our thought experiment reveals that hiding the gradient didn’t get us anywhere.

The defense strategies that perform gradient masking typically result in a model that is very smooth in specific directions and neighborhoods of training points, which makes it harder for the adversary to find gradients indicating good candidate directions to perturb the input in a damaging way for the model. However, the adversary can train a substitute model: a copy that imitates the defended model by observing the labels that the defended model assigns to inputs chosen carefully by the adversary.