Aleksander Madry, Aleksandar Makelov, Ludwig Schmidt, Dimitris Tsipras, & Adrian Vladu (2017)
International Conference on Learning Representations.
URL: https://arxiv.org/abs/1706.06083
Abstract. Reformulates adversarial robustness as a min-max optimisation problem $\min_\theta \mathbb{E}\!\left[\max_{\delta \in \mathcal{S}} \mathcal{L}(\theta, \mathbf{x}+\delta, y)\right]$ and solves the inner maximisation with projected gradient descent (PGD), multi-step FGSM with projection back into the $\ell_\infty$ ball. PGD-trained models are the gold standard of empirically robust networks; the paper is the canonical reference for adversarial training and PGD remains the standard inner-attack and the standard adversarial-training procedure.
Tags: adversarial safety robustness
Cited in: