Robust Neural Networks using Randomized Adversarial Training
Alexandre Araujo, Laurent Meunier, Rafael Pinot, Benjamin Negrevergne

TL;DR
This paper investigates the limitations of existing adversarial defense mechanisms against different attack norms and proposes combined strategies that improve robustness against both _ and _ attacks.
Contribution
It provides theoretical and empirical analysis of the ineffectiveness of single-norm defenses and introduces combined defense strategies for enhanced robustness.
Findings
A defense trained against one attack norm is ineffective against attacks crafted in the other norm.
Combined defenses improve robustness against both _ and _ attacks.
Empirical results show increased protection with new defense mechanisms.
Abstract
This paper tackles the problem of defending a neural network against adversarial attacks crafted with different norms (in particular and bounded adversarial examples). It has been observed that defense mechanisms designed to protect against one type of attack often offer poor performance against the other. We show that defense mechanisms cannot offer good protection against attacks and vice versa, and we provide both theoretical and empirical insights on this phenomenon. Then, we discuss various ways of combining existing defense mechanisms in order to train neural networks robust against both types of attacks. Our experiments show that these new defense mechanisms offer better protection when attacked with both norms.
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Anomaly Detection Techniques and Applications · Domain Adaptation and Few-Shot Learning
