Supplementary material Guided Adversarial Attack for Evaluating and Enhancing Adversarial Defenses

In this section, we present details on the improved local properties achieved using the proposed single-step defense, GAT (Guided Adversarial Training). We examine the local properties of networks trained using the proposed methodology here. Thus, given that we want to obtain the strongest adversary achievable within a single backward-pass of the loss, we find x as given in Alg.1, L6 to L9. Hence, imposing the proposed regularizer encourages the optimization procedure to produce a network that is locally Lipschitz continuous, with a smaller local Lipschitz constant. The value of λ can be chosen so as to achieve the desired trade-off between clean accuracy and robustness [16]. We run extensive evaluations on MNIST [10], CIFAR-10 [9] and ImageNet [5] datasets to validate our claims on the proposed attack and defense. MNIST [10] is a handwritten digit recognition dataset consisting of 60,000 training images and 10,000 test images. The images are grayscale, and of dimension 28 28. We split the training set into a random subset of 50,000 training images and 10,000 validation images.