Fig. 5: FIPs in weight space generate ensembles of networks that confer adversarial robustness.

a, Schematic to generate FIP ensemble (P₁–P₄) by sampling networks along the FIP (purple dotted line) beginning at network N₁. FIP is constructed by identifying a series of weight perturbations that minimize the distance moved in the networks’ output space. b, Original CIFAR-10 images (left) and adversarial CIFAR-10 images (right) are shown. The text labels (left and right) above the images are predictions made by a network trained on CIFAR-10. Trained networks’ accuracy on the original and adversarial images are also shown (bottom). c, Top: the solid line plot shows the individual network performance on adversarial inputs and the dashed line plot shows the joint ensemble accuracy on adversarial inputs for FIP ensemble (purple) and DeepNet ensemble (orange). Left: FIP ensemble in purple (P₁–P₁₀) (i) and DeepNet ensemble in orange (N₁–N₁₀) (ii) are visualized on weight-space PCA. Right: heat maps depict the classification score of networks in FIP ensemble (i) and DeepNet ensemble (ii) on 6,528 adversarial CIFAR-10 examples. d, Box plot compares the adversarial accuracy (over 10k adversarial examples) across different ensembling techniques (n = 3 trials). Box and whiskers represent the interquartile range. ADP, adaptive diversity promoting; FGE, fast geometric ensembling. e, Histogram of coherence values for FIP (purple) and DeepNet (orange) ensembles. f, Box plot shows the ensemble diversity score across VGG16 layers over n = 1,000 CIFAR-10 image inputs. The box plot compares adversarial accuracy (over 10k adversarial examples) across different ensembling techniques (n = 3 trials). Box and whiskers represent the interquartile range. The cartoon in the bottom depicts the VGG16 network architecture.