Adversarial Vulnerability of Randomized Ensembles
Hassan Dbouk, Naresh R. Shanbhag

TL;DR
This paper critically examines the robustness of randomized ensembles to adversarial perturbations, showing that they are in fact more vulnerable than standard adversarially trained (AT) models and that the evaluation methods commonly used to assess them overstate their robustness.
Contribution
The work provides a theoretical and empirical analysis showing that randomized ensembles are less robust than previously believed, and introduces a new, efficient attack, ARC, that compromises them where existing adaptive attacks do not.
Findings
Randomized ensembles are more vulnerable to adversarial perturbations than standard adversarially trained (AT) models.
Commonly used evaluation methods such as adaptive PGD give a false sense of security in this setting.
The proposed ARC attack compromises randomized ensembles even in cases where adaptive PGD fails to do so.
Abstract
Despite the tremendous success of deep neural networks across various tasks, their vulnerability to imperceptible adversarial perturbations has hindered their deployment in the real world. Recently, works on randomized ensembles have empirically demonstrated significant improvements in adversarial robustness over standard adversarially trained (AT) models with minimal computational overhead, making them a promising solution for safety-critical resource-constrained applications. However, this impressive performance raises the question: Are these robustness gains provided by randomized ensembles real? In this work we address this question both theoretically and empirically. We first establish theoretically that commonly employed robustness evaluation methods such as adaptive PGD provide a false sense of security in this setting. Subsequently, we propose a theoretically-sound and efficient…
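The mechanism behind the "false sense of security" can be seen on a constructed toy case, added here as an illustration and not code from the paper (which treats deep networks and derives the ARC attack; nothing below is ARC). A randomized ensemble answers each query with member i chosen with probability alpha_i, so its robust accuracy at an input is governed by the *expected 0-1 loss* over the members. Adaptive (EOT-style) PGD instead ascends the *expected surrogate loss*, and the maximizer of the one need not be a maximizer of the other. The two linear classifiers, the input, the budget, and the names `adaptive_pgd` and `per_member_attack` are all this example's own assumptions: one member can be flipped within the l_inf budget, the other cannot, and the unfoolable member carries most of the sampling weight, so its loss gradient drags PGD to the corner where neither member is fooled. Trying the extremal perturbation against each member individually and scoring candidates by the ensemble's misclassification probability finds the perturbation PGD misses.

```python
"""Expected surrogate loss vs. expected 0-1 loss for a randomized ensemble.

Constructed 2-D toy (not from the paper): two binary linear classifiers
f_i(x) = sign(w_i . x + b_i); the ensemble answers with f_i w.p. alpha_i.
"""
import math

# Constructed toy ensemble: member 1 can be flipped within EPS (margin 0.5),
# member 2 cannot (margin 1.2) but is sampled four times as often.
CLASSIFIERS = [
    {"w": (1.0, 0.0), "b": 0.5, "alpha": 0.2},
    {"w": (-1.0, 0.0), "b": 1.2, "alpha": 0.8},
]
X = (0.0, 0.0)   # clean input
Y = 1            # its true label (+1 / -1)
EPS = 1.0        # l_inf perturbation budget


def dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def sign(v):
    return (v > 0) - (v < 0)


def margin(clf, delta):
    """y * (w . (x + delta) + b); a value <= 0 means this member misclassifies."""
    xp = tuple(a + d for a, d in zip(X, delta))
    return Y * (dot(clf["w"], xp) + clf["b"])


def expected_01_loss(delta):
    """Probability that the randomized ensemble misclassifies x + delta."""
    return sum(c["alpha"] for c in CLASSIFIERS if margin(c, delta) <= 0)


def expected_surrogate_loss(delta):
    """Expected logistic loss over the members: the objective adaptive PGD ascends."""
    return sum(c["alpha"] * math.log1p(math.exp(-margin(c, delta)))
               for c in CLASSIFIERS)


def adaptive_pgd(steps=50, step_size=0.1):
    """l_inf PGD ascent on the expected surrogate loss (EOT-style adaptive attack),
    zero initialisation, sign-gradient steps, projection onto the EPS box."""
    delta = [0.0, 0.0]
    for _ in range(steps):
        grad = [0.0, 0.0]
        for c in CLASSIFIERS:
            # d/d delta of log(1 + e^-z), z = y (w.(x+delta) + b), is -sigmoid(-z) * y * w
            s = 1.0 / (1.0 + math.exp(margin(c, delta)))
            for k in range(2):
                grad[k] -= c["alpha"] * s * Y * c["w"][k]
        delta = [max(-EPS, min(EPS, d + step_size * sign(g)))
                 for d, g in zip(delta, grad)]
    return tuple(delta)


def per_member_attack():
    """Candidate = the l_inf-extremal perturbation against each member alone;
    keep the candidate with the highest ensemble misclassification probability.
    Simplified illustration of attacking members individually, not the paper's ARC."""
    best = ((0.0, 0.0), 0.0)
    for c in CLASSIFIERS:
        cand = tuple(-Y * EPS * sign(wk) for wk in c["w"])
        loss = expected_01_loss(cand)
        if loss > best[1]:
            best = (cand, loss)
    return best


if __name__ == "__main__":
    d_pgd = adaptive_pgd()
    d_pm, _ = per_member_attack()
    for name, d in (("adaptive PGD", d_pgd), ("per-member", d_pm)):
        print("%-13s delta=%s  surrogate=%.3f  P(misclassify)=%.2f"
              % (name, d, expected_surrogate_loss(d), expected_01_loss(d)))
```

Adaptive PGD drives delta to (+1, 0): that is the true maximizer of the expected logistic loss on the box, yet both members still classify correctly there, so an evaluation built on this attack reports 100% robust accuracy at the point. The per-member candidate (-1, 0) flips member 1 and gives the ensemble a 20% misclassification probability, which is the actual worst case under this budget. The toy does not capture the paper's analysis of deep networks or its ARC algorithm; it only shows why "ascend the expected loss" is the wrong objective for a randomized ensemble.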
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Anomaly Detection Techniques and Applications
