Adversarial training of neural networks using information about activation path differentials

What is claimed is: 1. An apparatus, comprising: a memory; and a processor to: create, from a first deep neural network (DNN) model, a first plurality of DNN models; generate a first set of adversarial examples that are misclassified by the first plurality of deep neural network (DNN) models; determine a first set of activation path differentials between the first plurality of adversarial examples, each activation path in the first set of activation paths characterized by a loss function; generate, from the first set of activation path differentials, at least one composite adversarial example which incorporates at least one intersecting critical path that is shared between at least two adversarial examples in the first set of adversarial examples, the at least one composite adversarial example selected to minimize a sum of the loss functions of the activation paths in the first set of activation paths; and use the at least one composite adversarial example to generate a set of inputs for a subsequent training iteration of the DNN model. 2. The apparatus of claim 1 , the processor to: introduce pseudo-random noise into one or more weight parameters of the first DNN model to generate a derivative DNN model from the first DNN model. 3. The apparatus of claim 1 , the processor to: apply the first set of adversarial examples as inputs to the first plurality of DNN models. 4. The apparatus of claim 3 , the processor to: determine a first plurality of intersecting paths in a plurality of activation paths through the first plurality of DNN models. 5. The apparatus of claim 4 , the processor to: generate at least one ensemble adversarial example from the first set of adversarial examples; determine a second plurality of intersecting paths in the plurality of activation paths through the first plurality of DNN models and the at least one adversarial example; determine a second set of activation path differentials between the first plurality of adversarial examples and the ensemble adversarial example; select, from the second set of activation path differentials, a subset of activation path differentials that strengthens a cumulative differential signal measure through the second plurality of intersecting paths; and apply the subset of adversarial examples as inputs to the first plurality of DNN models. 6. The apparatus of claim 1 , the processor to: select at least one generated composite adversarial example to use as a starting point in a gradient descent adversarial attack. 7. The apparatus of claim 6 , the processor to: employ a regularization term that includes a cumulative differential signal measure in the gradient descent adversarial attack to generate a second set of adversarial examples to use in subsequent adversarial attacks. 8. A non-transitory computer-readable medium comprising instructions which, when executed by a processor, configure the processor to: create, from a first deep neural network (DNN) model, a first plurality of DNN models; generate a first set of adversarial examples that are misclassified by the first plurality of deep neural network (DNN) models; determine a first set of activation path differentials between the first plurality of adversarial examples, each activation path in the first set of activation paths characterized by a loss function; generate, from the first set of activation path differentials, at least one composite adversarial example which incorporates at least one intersecting critical path that is shared between at least two adversarial examples in the first set of adversarial examples, the at least one composite adversarial example selected to minimize a sum of the loss functions of the activation paths in the first set of activation paths; and use the at least one composite adversarial example to generate a set of inputs for a subsequent training iteration of the DNN model. 9. The non-transitory computer-readable medium of claim 8 , further comprising instructions which, when executed by the processor, configure the processor to: introduce pseudo-random noise into one or more weight parameters of the first DNN model to generate a derivative DNN model from the first DNN model. 10. The non-transitory computer-readable medium of claim 8 , further comprising instructions which, when executed by the processor, configure the processor to: apply the first set of adversarial examples as inputs to the first plurality of DNN models. 11. The non-transitory computer-readable medium of claim 10 , further comprising instructions which, when executed by the processor, configure the processor to: determine a first plurality of intersecting paths in a plurality of activation paths through the first plurality of DNN models. 12. The non-transitory computer-readable medium of claim 11 , further comprising instructions which, when executed by the processor, configure the processor to: generate at least one ensemble adversarial example from the first set of adversarial examples; determine a second plurality of intersecting paths in the plurality of activation paths through the first plurality of DNN models and the at least one adversarial example; determine a second set of activation path differentials between the first plurality of adversarial examples and the ensemble adversarial example; select, from the second set of activation path differentials, a subset of activation path differentials that strengthens a cumulative differential signal measure through the second plurality of intersecting paths; and apply the subset of adversarial examples as inputs to the first plurality of DNN models. 13. The non-transitory computer-readable medium of claim 8 , further comprising instructions which, when executed by the processor, configure the processor to: select at least one generated composite adversarial example to use as a starting point in a gradient descent adversarial attack. 14. The non-transitory computer-readable medium of claim 13 , further comprising instructions which, when executed by the processor, configure the processor to: employ a regularization term that includes a cumulative differential signal measure in the gradient descent adversarial attack to generate a second set of adversarial examples to use in subsequent adversarial attacks. 15. A computer-implemented method, comprising: creating, from a first deep neural network (DNN) model, a first plurality of DNN models; generating a first set of adversarial examples that are misclassified by the first plurality of deep neural network (DNN) models; determining a first set of activation path differentials between the first plurality of adversarial examples, each activation path in the first set of activation paths characterized by a loss function; generating, from the first set of activation path differentials, at least one composite adversarial example which incorporates at least one intersecting critical path that is shared between at least two adversarial examples in the first set of adversarial examples, the at least one composite adversarial example selected to minimize a sum of the loss functions of the activation paths in the first set of activation paths; and using the at least one composite adversarial example to generate a set of inputs for a subsequent training iteration of the DNN model. 16. The computer-implemented method of claim 15 , further comprising: introducing pseudo-random noise into one or more weight parameters of the first DNN model to generate a derivative DNN model from the first DNN model. 17. The computer-implemen