Ensemble Adversarial Training: Attacks and Defenses

Florian, Tram\`er,; Kurakin, Alexey; Papernot, Nicolas; Goodfellow, Ian; Boneh, Dan; McDaniel, Patrick

preprintarXiv (Cornell University)May 19, 2017GREEN OA

Ensemble Adversarial Training: Attacks and Defenses

TFTram\`er, FlorianAKAlexey Kurakin NPNicolas Papernot IGIan Goodfellow DBDan Boneh

Stanford University · Alphabet (United States) · +1 more institution

Indexed inarxiv

Abstract

Adversarial examples are perturbed inputs designed to fool machine learning models. Adversarial training injects such examples into training data to increase robustness. To scale this technique to large datasets, perturbations are crafted using fast single-step methods that maximize a linear approximation of the model's loss. We show that this form of adversarial training converges to a degenerate global minimum, wherein small curvature artifacts near the data points obfuscate a linear approximation of the loss. The model thus learns to generate weak perturbations, rather than defend against strong ones. As a result, we find that adversarial training remains vulnerable to black-box attacks, where we transfer…

Citation impact

1,859

total citations

FWCI: 195.65
Percentile: 100%
References: 0

Citations per year

Authors

6

TF
Tram\`er, FlorianCorresponding
Stanford University
AK
Alexey Kurakin
Alphabet (United States)
NP
Nicolas Papernot
Pennsylvania State University
IG
Ian Goodfellow
Alphabet (United States)
DB
Dan Boneh
Stanford University

Topics & keywords

Topics

Keywords

Adversarial system
Transferability
Robustness (evolution)
Computer science
Training set
Training (meteorology)
Artificial intelligence
Machine learning

No related works found for this paper.