Certifying Joint Adversarial Robustness for Model Ensembles

April 21, 2020 · Entered Twilight · 🏛 arXiv.org

"Last commit was 5.0 years ago (≥5 year threshold)"

Evidence collected by the PWNC Scanner

Repo contents: LICENSE, README.md, examples, mnist_evaluate.py, train_models.sh

Authors Mainuddin Ahmad Jonas, David Evans arXiv ID 2004.10250 Category cs.LG: Machine Learning Cross-listed cs.CR, stat.ML Citations 2 Venue arXiv.org Repository https://github.com/jonas-maj/ensemble-adversarial-robustness ⭐ 6 Last Checked 2 months ago

Abstract

Deep Neural Networks (DNNs) are often vulnerable to adversarial examples.Several proposed defenses deploy an ensemble of models with the hope that, although the individual models may be vulnerable, an adversary will not be able to find an adversarial example that succeeds against the ensemble. Depending on how the ensemble is used, an attacker may need to find a single adversarial example that succeeds against all, or a majority, of the models in the ensemble. The effectiveness of ensemble defenses against strong adversaries depends on the vulnerability spaces of models in the ensemble being disjoint. We consider the joint vulnerability of an ensemble of models, and propose a novel technique for certifying the joint robustness of ensembles, building upon prior works on single-model robustness certification. We evaluate the robustness of various models ensembles, including models trained using cost-sensitive robustness to be diverse, to improve understanding of the potential effectiveness of ensemble models as a defense against adversarial examples.