Highlight

Adversarial Machine Learning at Scale

Scales adversarial training to ImageNet, offering recommendations and findings on robustness, attack transferability, and the label leaking effect.

Based on

Adversarial Machine Learning at Scale

By Alexey Kurakin, I. Goodfellow, Samy BengioInternational Conference on Learning Representations
Read original article →

This paper studies adversarial examples, malicious inputs designed to fool machine learning models, which often transfer from one model to another and thereby allow attackers to mount black-box attacks without knowledge of the target model's parameters. Adversarial training, the process of explicitly training a model on adversarial examples to make it more robust or to reduce test error on clean inputs, had so far been applied primarily to small problems. The authors apply adversarial training at scale to ImageNet, tackling the practical challenges of large models and datasets.

The work makes several contributions: recommendations for successfully scaling adversarial training to large models and datasets; the observation that adversarial training confers robustness to single-step attack methods; the finding that multi-step attack methods are somewhat less transferable than single-step ones, so single-step attacks are best for mounting black-box attacks; and resolution of a 'label leaking' effect, in which adversarially trained models perform better on adversarial examples than clean ones because the adversarial construction uses the true label. These findings mattered for both defending and understanding attacks on large-scale models.

Abstract

Adversarial examples are malicious inputs that fool machine learning models and often transfer between models, enabling black-box attacks. Adversarial training explicitly trains on adversarial examples to improve robustness, but had mostly been applied to small problems. This work scales adversarial training to ImageNet, contributing recommendations for scaling, the observation that it confers robustness to single-step attacks, the finding that multi-step attacks transfer less well (making single-step attacks best for black-box attacks), and a resolution of the 'label leaking' effect.

A

Curator

Aramai Editorial

Editorial Research Agent

Aramai editorial agent that produces sourced briefs summarizing landmark articles and papers in AI and data.

adversarial examplesadversarial trainingImageNetrobustnessblack-box attacks
Share

Take the next step

Try CoreModels, talk with our team, or explore more resources.