4.3.1 Adversarial Training

2025.10.06.
AI Security Blog

What if you could vaccinate your model against attacks? Instead of waiting for a malicious input to cause a failure, you could proactively expose the model to controlled “infections” during its development, forcing it to build up its own immunity. This is the core idea behind adversarial training, one of the most intuitive and empirically effective defenses against adversarial examples.

At its heart, adversarial training is a brute-force approach. You find what fools the model, and then you explicitly teach it not to be fooled in that exact way. It’s a process of augmenting the training dataset not with more clean data, but with the very adversarial examples designed to break the model. By incorporating these examples into the training process, you compel the model to learn more robust features and develop a less brittle decision boundary.

Kapcsolati űrlap - EN

Do you have a question about AI Security? Reach out to us here:

The Core Loop: Augment, Train, Repeat

The mechanism of adversarial training is a straightforward extension of the standard training loop. Instead of just feeding batches of clean data to the model, you add an intermediate step: generating adversarial counterparts for those data points. The model is then trained on a mix of clean and adversarial samples, or sometimes exclusively on the adversarial ones.

The process can be broken down into these fundamental steps:

  1. Sample Data: Draw a mini-batch of clean inputs (e.g., images) and their corresponding true labels from the training set.
  2. Generate Adversaries: For each input in the mini-batch, use an attack algorithm (like FGSM or PGD, discussed in previous sections) to generate a corresponding adversarial example. The goal of this generated example is to be misclassified by the current state of the model.
  3. Augment Dataset: Combine these newly crafted adversarial examples with the original clean data. The adversarial examples retain the *correct* labels of their clean counterparts.
  4. Train Model: Perform a standard training step (forward pass, loss calculation, backpropagation) on this augmented mini-batch.
  5. Repeat: Continue this process for all mini-batches and epochs until the model converges.
Clean Data (x, y) Attack Module (e.g., PGD) Adversarial Data (x’, y) Model Training Uses current model state

A Glimpse into Implementation

While the concept is simple, the implementation requires integrating an attack generation step directly into your training pipeline. Below is a simplified pseudocode example using a PyTorch-like structure to illustrate how this works in practice. This example uses a generic `generate_adversarial_example` function, which would contain an attack like PGD.

# model: your neural network
# optimizer: your optimization algorithm (e.g., Adam)

# criterion: your loss function (e.g., CrossEntropyLoss)

for epoch in range(num_epochs):
for clean_inputs, labels in training_loader:
# Step 1: Zero the gradients
optimizer.zero_grad()

# Step 2: Generate adversarial examples for the current batch
# This requires gradients, so we enable them for the input
clean_inputs.requires_grad = True
adv_inputs = generate_adversarial_example(model, clean_inputs, labels)

# Step 3: Forward pass with the adversarial examples
outputs = model(adv_inputs)
loss = criterion(outputs, labels)

# Step 4: Backward pass and optimization
loss.backward()
optimizer.step()

Key Considerations and Common Variants

Not all adversarial training is created equal. The effectiveness of the defense is highly dependent on the strength and type of attack used to generate the training examples.

PGD-Based Training: The Gold Standard

Early attempts at adversarial training used weaker, single-step attacks like the Fast Gradient Sign Method (FGSM). While this provided some robustness, researchers quickly found that models trained against FGSM were still vulnerable to stronger, iterative attacks. This led to the development of PGD-based adversarial training, which uses Projected Gradient Descent to generate more potent adversarial examples. PGD is a powerful first-order attack, and training against it has become the de facto standard for achieving meaningful empirical robustness.

The Inevitable Trade-off: Robustness vs. Standard Accuracy

One of the most critical and well-documented phenomena in adversarial training is the trade-off between a model’s robustness to attacks and its accuracy on clean, unperturbed data. When you force a model to become robust, it often learns smoother, more generalizable features. This can cause it to ignore subtle, “non-robust” features that, while brittle, are genuinely useful for classifying clean data. As a result, an adversarially trained model will almost always have a lower accuracy on the standard test set compared to a model trained only on clean data. For any application, you must balance the need for security with the requirement for baseline performance.

Evaluating Adversarial Training: A Balanced View

Adversarial training remains a cornerstone of practical defense, but it is not a silver bullet. Understanding its strengths and limitations is crucial for both defenders implementing it and red teamers attempting to bypass it.

Strengths Weaknesses
Empirically Effective: It is one of the few defenses that has consistently demonstrated meaningful robustness against a wide range of strong attacks. Computationally Expensive: Generating adversarial examples for every batch significantly increases training time and resource requirements.
Intuitive and Flexible: The core concept is easy to understand and can be adapted by swapping in different attack generators. Robustness-Accuracy Trade-off: Invariably leads to a drop in performance on clean, non-adversarial data.
Acts as Regularization: By exposing the model to more varied inputs around the data manifold, it can prevent overfitting and improve generalization in some cases. Specificity of Defense: A model trained against L-infinity attacks may remain vulnerable to L2, L0, or other types of perturbations. The defense is tailored to the threat model used during training.
Raises the Bar for Attackers: Successfully forces attackers to use more sophisticated, adaptive, and computationally intensive attacks to find vulnerabilities. Vulnerable to Unseen Attacks: Robustness does not always generalize to attack methods that are fundamentally different from the one used in training.

The Red Teamer’s Takeaway

When you are testing a system, the potential presence of adversarial training should change your strategy. Simple, off-the-shelf attacks might fail outright. Your initial probes should test for this defense. If you suspect adversarial training is in use, you must escalate your methods. This means employing stronger attacks (e.g., Auto-PGD), testing different perturbation norms (L2, L1), and designing adaptive attacks that specifically try to circumvent the learned robust features. Adversarial training isn’t an impenetrable wall; it’s a higher fence that requires a more determined and resourceful climber to get over.

4.2.5 Black-box attack strategies

2025.10.06.

4.3.2 Defensive Distillation

2025.10.06.

Contact

Attila Rácz-Akácosi, AI Security Strategy Consultant, Aiq.hu ©

Send an email with the details, and I will help you outline concrete steps toward safer AI operation.
Ai Red Teaming Hungary, Global Ai Safety / LLM Security Audit

Ai Red Teaming Dictionary

AI Security Audit - Checklist