Guardian of the Ensembles: Introducing Pairwise Adversarially Robust Loss for Resisting Adversarial Attacks in DNN Ensembles

TL;DR

This paper introduces a novel ensemble training method called Pairwise Adversarially Robust Loss (PARL) that enhances the robustness of deep neural network ensembles against adversarial attacks by promoting diverse decision boundaries.

Contribution

The paper proposes PARL, a new loss function that improves ensemble robustness against black-box attacks while maintaining accuracy and reducing training time.

Findings

PARL achieves 24.8% higher robust accuracy at $b5$=0.07 compared to state-of-the-art methods.

PARL maintains similar clean accuracy as previous methods.

PARL reduces training time relative to existing ensemble approaches.

Abstract

Adversarial attacks rely on transferability, where an adversarial example (AE) crafted on a surrogate classifier tends to mislead a target classifier. Recent ensemble methods demonstrate that AEs are less likely to mislead multiple classifiers in an ensemble. This paper proposes a new ensemble training using a Pairwise Adversarially Robust Loss (PARL) that by construction produces an ensemble of classifiers with diverse decision boundaries. PARL utilizes outputs and gradients of each layer with respect to network parameters in every classifier within the ensemble simultaneously. PARL is demonstrated to achieve higher robustness against black-box transfer attacks than previous ensemble methods as well as adversarial training without adversely affecting clean example accuracy. Extensive experiments using standard Resnet20, WideResnet28-10 classifiers demonstrate the robustness of PARL against state-of-the-art adversarial attacks. While maintaining similar clean accuracy and lesser training time, the proposed architecture has a 24.8% increase in robust accuracy ($\epsilon$ = 0.07) from the state-of-the art method.