Since the discovery of adversarial examples in machine learning, researchers have designed several techniques to train neural networks that are robust against different types of attacks (most notably $\ell_\infty$ and $\ell_2$ based attacks). However, it has been observed that the defense mechanisms designed to protect against one type of attack often offer poor performance against the other. In this paper, we introduce Randomized Adversarial Training (RAT), a technique that is efficient both against $\ell_2$ and $\ell_\infty$ attacks. To obtain this result, we build upon adversarial training, a technique that is efficient against $\ell_\infty$ attacks, and demonstrate that adding random noise at training and inference time further improves performance against \ltwo attacks. We then show that RAT is as efficient as adversarial training against $\ell_\infty$ attacks while being robust against strong $\ell_2$ attacks. Our final comparative experiments demonstrate that RAT outperforms all state-of-the-art approaches against $\ell_2$ and $\ell_\infty$ attacks.

本文探讨应对不同规范的对抗性攻击所产生的难题，并提供了一些理论和经验性的见解，讨论如何结合现有的防御机制来提高神经网络的鲁棒性。实验结果表明，这些新的防御机制能更好地保护神经网络不受两种规范攻击。

使用随机化对抗培训的鲁棒性神经网络