ML, CR, CV, LG · Feb 26, 2020

Revisiting Ensembles in an Adversarial Context: Improving Natural Accuracy

arXiv:2002.11572v1 · 8 citations
Originality: Incremental advance
AI Analysis

This work addresses the challenge of maintaining high natural accuracy while ensuring adversarial robustness for real-world deployment of deep learning models, representing an incremental improvement.

The paper tackles the problem of bridging the natural accuracy gap between robust and non-robust deep learning models by exploring ensemble methods, finding that ensembling robust models can withstand larger attacks and improve natural accuracy.

A necessary characteristic for the deployment of deep learning models in real-world applications is resistance to small adversarial perturbations while maintaining accuracy on non-malicious inputs. While robust training provides models that exhibit better adversarial accuracy than standard models, there is still a significant gap in natural accuracy between robust and non-robust models which we aim to bridge. We consider a number of ensemble methods designed to mitigate this performance difference. Our key insight is that models trained to withstand small attacks, when ensembled, can often withstand significantly larger attacks, and this concept can in turn be leveraged to optimize natural accuracy. We consider two schemes, one that combines predictions from several randomly initialized robust models, and the other that fuses features from robust and standard models.
