# DAVIDSTUTZ

26thJUNE2018

Florian Tramèr, Alexey Kurakin, Nicolas Papernot, Dan Boneh, Patrick D. McDaniel. Ensemble Adversarial Training: Attacks and Defenses. CoRR abs/1705.07204, 2017.

Based on the above observations, Tramèr et al. First introduce a new one-shot attack exploiting the fact that the adversarially trained model is trained on overfitted perturbations and second introduce a new counter-measure for training more robust networks. Their attack is quite simple; they consider one Fast-Gradient Sign Method (FSGM) step, but apply a random perturbation first to leave the local vicinity of the sample first:

$x' = x + \alpha \text{sign}(\mathcal{N}(0, I))$

$x'' = x' + (\epsilon - \alpha)\text{sign}(\nabla_{x'} J(x', y))$

where $J$ is the loss function and $y$ the label corresponding to sample $x$. In experiments, they show that the attack has higher success rates on adversarially trained models.

To counter the proposed attack, they propose ensemble adversarial training. The key idea is to train the model utilizing not only adversarial samples crafted on the model itself but also transferred from pre-trained models. On MNIST, for example, they randomly select 64 FGSM samples from 4 different models (including the one in training). Experimentally, they show that ensemble adversarial training improves the defense again all considered attacks, including FGSM, iterative FGSM as well as the proposed attack.

Also find this summary on ShortScience.org.

What is your opinion on the summarized work? Or do you know related work that is of interest? Let me know your thoughts in the comments below: