DVERGE: Diversifying Vulnerabilities for Enhanced Robust Generation of Ensembles

TL;DR

DVERGE introduces a novel ensemble training method that isolates and diversifies adversarial vulnerabilities among sub-models, significantly improving robustness against transfer attacks while maintaining high accuracy on clean data.

Contribution

The paper proposes DVERGE, a new ensemble training technique that isolates and diversifies adversarial vulnerabilities, leading to enhanced robustness against transfer attacks.

Findings

DVERGE outperforms previous ensemble methods in robustness against transfer attacks.

DVERGE maintains high clean data accuracy with minimal loss.

Adding more sub-models further improves ensemble robustness.

Abstract

Recent research finds CNN models for image classification demonstrate overlapped adversarial vulnerabilities: adversarial attacks can mislead CNN models with small perturbations, which can effectively transfer between different models trained on the same dataset. Adversarial training, as a general robustness improvement technique, eliminates the vulnerability in a single model by forcing it to learn robust features. The process is hard, often requires models with large capacity, and suffers from significant loss on clean data accuracy. Alternatively, ensemble methods are proposed to induce sub-models with diverse outputs against a transfer adversarial example, making the ensemble robust against transfer attacks even if each sub-model is individually non-robust. Only small clean accuracy drop is observed in the process. However, previous ensemble training methods are not efficacious in inducing such diversity and thus ineffective on reaching robust ensemble. We propose DVERGE, which isolates the adversarial vulnerability in each sub-model by distilling non-robust features, and diversifies the adversarial vulnerability to induce diverse outputs against a transfer attack. The novel diversity metric and training procedure enables DVERGE to achieve higher robustness against transfer attacks comparing to previous ensemble methods, and enables the improved robustness when more sub-models are added to the ensemble. The code of this work is available at https://github.com/zjysteven/DVERGE