LG | Jun 15, 2017

Adversarial Example Defenses: Ensembles of Weak Defenses are not Strong

arXiv:1706.04701v1 | 244 citations
AI Analysis

This work addresses the security of machine learning models for practitioners, showing that incremental improvements through ensemble methods are insufficient against adaptive attacks.

The paper tackles the problem of defending neural networks against adversarial examples by investigating whether combining multiple weak defenses can create a strong defense, and finds that an adaptive adversary can still generate successful adversarial examples with low distortion for all tested combinations.

Ongoing research has proposed several methods to defend neural networks against adversarial examples, many of which researchers have shown to be ineffective. We ask whether a strong defense can be created by combining multiple (possibly weak) defenses. To answer this question, we study three defenses that follow this approach. Two of these are recently proposed defenses that intentionally combine components designed to work well together. A third defense combines three independent defenses. For all the components of these defenses and the combined defenses themselves, we show that an adaptive adversary can create adversarial examples successfully with low distortion. Thus, our work implies that an ensemble of weak defenses is not sufficient to provide a strong defense against adversarial examples.
