“Towards Deep Learning Models Resistant to Adversarial Attacks” was submitted to arXiv on June 19, 2017 by Aleksander Madry, Aleksandar Makelov, Ludwig Schmidt, Dimitris Tsipras, and Adrian Vladu, then at MIT. It studied the problem of building neural networks that stay accurate even when an attacker is allowed to nudge each input by a small, bounded amount, and it gave the field a clean way to think about the goal.
The paper’s central idea is to treat robustness as a min-max optimization problem: train the network to minimize its loss against an adversary that is simultaneously trying to maximize that loss by perturbing the input. To approximate the inner maximization, the authors used Projected Gradient Descent (PGD), an iterative attack that takes several small gradient steps and projects back into the allowed perturbation region after each one. They argued PGD is a strong, near-universal first-order adversary, so a model trained to withstand it gains “security against a first-order adversary.”
PGD adversarial training became the default baseline defense against which almost every later method is measured, and PGD itself became the standard attack for evaluating whether a claimed defense actually works. The authors released code and pre-trained models, which made their MNIST and CIFAR-10 results easy to reproduce and attack.
For a business reader, the lesson is that defending a model is not a one-time patch but an optimization against an active opponent, and that the most reliable way to harden a model is to train it on the worst-case inputs an attacker could construct. That mindset now underlies much of how teams stress-test deployed AI systems.