@misc{yang2020dverge,
archivePrefix = {arXiv},
arxivId = {cs.LG/2009.14720},
author = {Yang, Huanrui and Zhang, Jingyang and Dong, Hongliang and Inkawhich, Nathan and Gardner, Andrew and Touchet, Andrew and Wilkes, Wesley and Berry, Heath and Li, Hai},
eprint = {2009.14720},
title = {{DVERGE: Diversifying Vulnerabilities for Enhanced Robust Generation of Ensembles}},
year = {2020}
}
This paper aims to enhance the robustness under black-box attacks. It ensembles several models and forces them to learn different non-robust features. This is based on the assumption that transferability is caused by non-robust features.
Sub-models in ensemble are vulnerable along the same axis of a transfer attack, which is the reason of high transferability of adversarial attacks.
without adversarial training
with adversarial training $$ \min {f{i}} \mathbb{E}{(x, y),\left(x{s}, y_{s}\right), l}[\underbrace{\lambda \cdot \sum_{j \neq i} \mathcal{L}{f{i}}\left(x_{f_{j}^{l}}^{\prime}\left(x, x_{s}\right), y_{s}\right)}{\text {DVERGE loss }}+\underbrace{\max {\delta \in \mathcal{S}} \mathcal{L}{f{i}}\left(x_{s}+\delta, y_{s}\right)}_{\text {AdvT loss }}] $$
It is worth noting that with adversarial training, the performance is worse than simply adversarial training.