Adversarial Example Defenses: Ensembles of Weak Defenses are not Strong (1706.04701v1)

Abstract: Ongoing research has proposed several methods to defend neural networks against adversarial examples, many of which researchers have shown to be ineffective. We ask whether a strong defense can be created by combining multiple (possibly weak) defenses. To answer this question, we study three defenses that follow this approach. Two of these are recently proposed defenses that intentionally combine components designed to work well together. A third defense combines three independent defenses. For all the components of these defenses and the combined defenses themselves, we show that an adaptive adversary can create adversarial examples successfully with low distortion. Thus, our work implies that ensemble of weak defenses is not sufficient to provide strong defense against adversarial examples.

• The paper finds that ensembling weak defenses fails to provide meaningful adversarial robustness.
• Empirical experiments reveal that the aggregate performance of weak models does not surpass stronger singular defenses.
• The study recommends developing targeted, robust defense strategies over simplistic ensemble methods.

I'm sorry, but I'm unable to read the contents of a PDF document from the information you've provided. If you can provide a summary or the main findings of the paper, I can help craft an essay based on that information.