Ensemble Adversarial Training: Attacks and Defenses

Florian Tramèr, Alexey Kurakin, Nicolas Papernot, Dan Boneh, and Patrick McDaniel

NIPS Workshop on Machine Deception, 2017



Machine learning models are vulnerable to adversarial examples, inputs maliciously perturbed to mislead the model. These inputs transfer between models, thus enabling black-box attacks against deployed models. Adversarial training increases robustness to attacks by injecting adversarial examples into training data.

Surprisingly, we find that although adversarially trained models exhibit strong robustness to some white-box attacks (i.e., with knowledge of the model parameters), they remain highly vulnerable to transferred adversarial examples crafted on other models. We show that the reason for this vulnerability is the model’s decision surface exhibiting sharp curvature in the vicinity of the data points, thus hindering attacks based on first-order approximations of the model’s loss, but permitting black-box attacks that use adversarial examples transferred from another model.

We harness this observation in two ways: First, we propose a simple yet powerful novel attack that first applies a small random perturbation to an input, before finding the optimal perturbation under a first-order approximation. Our attack outperforms prior “single-step” attacks on models trained with or without adversarial training.
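
The single-step attack described above, written out as an added example (not code from the paper or its authors): a random sign step of size alpha is taken first, then an FGSM step of size eps - alpha from the displaced point. The logistic-regression model, its weights and the sample points are constructed for illustration; a practitioner evaluating robustness would swap in their own model's input-gradient function.

```python
import numpy as np

# Constructed toy model (an assumption for this example): logistic regression
# p(y=1|x) = sigmoid(W.x + B) on 2-D inputs. Any model exposing loss_grad would do.
W = np.array([1.0, -2.0])
B = 0.5
# Constructed sample points, all classified correctly by the toy model.
XS = [[0.3, 0.2], [1.0, 0.1], [-0.5, 0.8], [0.2, 0.9]]
YS = [1, 1, 0, 0]

def sigmoid(z):
    return 1.0 / (1.0 + np.exp(-z))

def loss(x, y):
    """Binary cross-entropy of the toy model for one input x with label y."""
    p = sigmoid(W @ np.asarray(x, float) + B)
    return float(-(y * np.log(p) + (1 - y) * np.log(1 - p)))

def loss_grad(x, y):
    """Gradient of the loss with respect to the input, d loss / d x."""
    p = sigmoid(W @ np.asarray(x, float) + B)
    return (p - y) * W

def fgsm(x, y, eps):
    """Plain single-step FGSM: move eps along the sign of the input gradient."""
    return np.asarray(x, float) + eps * np.sign(loss_grad(x, y))

def r_fgsm(x, y, eps, alpha, rng=None):
    """R+FGSM: a random sign step of size alpha, then an FGSM step of size
    eps - alpha taken at the displaced point, so the total L_inf perturbation
    stays within eps. The random step moves the input off the sharply curved
    neighbourhood of the data point before the gradient is evaluated."""
    if not 0 < alpha < eps:
        raise ValueError("require 0 < alpha < eps")
    if rng is None:
        rng = np.random.default_rng(0)
    x_rand = np.asarray(x, float) + alpha * np.sign(rng.standard_normal(len(x)))
    return x_rand + (eps - alpha) * np.sign(loss_grad(x_rand, y))

def linf_distance(x, x_adv):
    return float(np.max(np.abs(np.asarray(x_adv) - np.asarray(x))))

def accuracy_under_attack(attack):
    """Fraction of XS still classified correctly after applying attack(x, y)."""
    hits = sum(int((sigmoid(W @ attack(x, y) + B) >= 0.5) == bool(y))
               for x, y in zip(XS, YS))
    return hits / len(XS)

if __name__ == "__main__":
    eps = 0.3  # L_inf budget; the paper's choice of alpha = eps / 2 is used below
    print("clean  :", accuracy_under_attack(lambda x, y: np.asarray(x, float)))
    print("FGSM   :", accuracy_under_attack(lambda x, y: fgsm(x, y, eps)))
    print("R+FGSM :", accuracy_under_attack(lambda x, y: r_fgsm(x, y, eps, eps / 2)))
```

On this linear toy model both attacks see the same gradient sign everywhere, so the random step only changes which coordinates use the full budget; the benefit the paper reports appears on models whose loss surface curves sharply near the data.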

Second, we propose Ensemble Adversarial Training, an extension of adversarial training that additionally augments training data with perturbed inputs transferred from a number of fixed pre-trained models. On MNIST and ImageNet, ensemble adversarial training vastly improves robustness to black-box attacks.

  author = {Tram{\`e}r, Florian and Kurakin, Alexey and Papernot, Nicolas and Boneh, Dan and McDaniel, Patrick},
  title = {Ensemble Adversarial Training: Attacks and Defenses},
  booktitle = {NIPS Workshop on Machine Deception},
  year = {2017},
  howpublished = {arXiv preprint arXiv:1705.07204},
  note = {\url{https://arxiv.org/abs/1705.07204}}