Sinha et al. introduce a variant of adversarial training based on distributionally robust optimization. I strongly recommend reading the paper for understanding the introduced theoretical framework. The authors also provide guarantees on the obtained adversarial loss – and show experimentally that this guarantee is a realistic indicator. The adversarial training variant itself follows the general strategy of training on adversarially perturbed training samples in a min-max framework. In each iteration, an attacker crafts an adversarial example which the network is trained on. In a nutshell, their approach differs from previous ones (apart from the theoretical framework) in the used attacker. Specifically, their attacker optimizes $\arg\max_z l(\theta, z) - \gamma \|z - z^t\|_p^2$ where $z^t$ is a training sample chosen randomly during training. On a side note, I also recommend reading the reviews of this paper: https://openreview.net/forum?id=Hk6kPgZA Also view this summary at [davidstutz.de](https://davidstutz.de/category/reading/).

A novel method for adversarially-robust learning with theoretical guarantees under small perturbations. 1) Given the default distribution $P_0$, defines a proximity of it as a set of distributions which are $\rho$-close to $P_0$ in terms of Wasserstein metric with a predefined cost function $c$ (e.g. L2); 2) Formulates the robust learning problem as minimization of the worst-case example in the proximity and proposes a Lagrangian relaxation of it; 3) Given it, provides a data-dependent upper bound on the worst-case loss, demonstrates that the problem of finding the worst-case adversarial perturbation, which is generally NP-hard, renders to optimization of a concave function if the maximum amount of perturbation $\rho$ is low.
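
The penalized inner maximization and the training step built on it, as described in both summaries above, can be sketched as follows. This is an added example, not code from the paper or from either summary author. Assumptions: a linear logistic model, $p = 2$, only the features of $z = (x, y)$ are perturbed, and all function names and sample values are constructed for illustration. For this toy model the inner objective is strictly concave in $x$ once $\gamma > \|\theta\|_2^2 / 8$, so plain gradient ascent finds the maximizer.

```python
import math

def margin(theta, x, y):
    return y * sum(t * xi for t, xi in zip(theta, x))

def loss(theta, x, y):
    """Logistic loss l(theta, z) for z = (x, y), y in {-1, +1}."""
    return math.log1p(math.exp(-margin(theta, x, y)))

def objective(theta, x, x0, y, gamma):
    """Penalized objective l(theta, z) - gamma * ||x - x0||_2^2."""
    return loss(theta, x, y) - gamma * sum((a - b) ** 2 for a, b in zip(x, x0))

def objective_grad(theta, x, x0, y, gamma):
    """Gradient of the penalized objective with respect to x."""
    s = -y / (1.0 + math.exp(margin(theta, x, y)))
    return [s * t - 2.0 * gamma * (a - b) for t, a, b in zip(theta, x, x0)]

def inner_max(theta, x0, y, gamma, steps=200):
    """Gradient ascent from the clean sample x0 on the penalized objective."""
    norm2 = sum(t * t for t in theta)
    # Loss Hessian in x is at most ||theta||^2 / 4; the penalty adds -2 * gamma.
    if gamma <= norm2 / 8.0:
        raise ValueError("gamma too small: inner problem may not be concave")
    lr = 1.0 / (2.0 * gamma + norm2 / 4.0)  # conservative step, ascent is monotone
    x = list(x0)
    for _ in range(steps):
        g = objective_grad(theta, x, x0, y, gamma)
        x = [a + lr * gi for a, gi in zip(x, g)]
    return x

def robust_sgd_step(theta, x0, y, gamma, lr=0.1):
    """One training step: perturb the sample, then descend on theta at it."""
    x_adv = inner_max(theta, x0, y, gamma)
    s = -y / (1.0 + math.exp(margin(theta, x_adv, y)))
    return [t - lr * s * a for t, a in zip(theta, x_adv)], x_adv

if __name__ == "__main__":
    theta, x0, y = [1.0, -2.0], [0.5, 0.2], 1  # constructed toy values
    for gamma in (1.0, 5.0):
        new_theta, x_adv = robust_sgd_step(theta, x0, y, gamma)
        shift = math.dist(x_adv, x0)
        print(gamma, round(shift, 4), round(objective(theta, x_adv, x0, y, gamma), 4))
```

A larger $\gamma$ keeps the perturbed sample closer to $z^t$, which is the Lagrangian counterpart of a smaller Wasserstein radius $\rho$.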