Understanding Model Ensemble in Transferable Adversarial Attack
Wei Yao, Zeliang Zhang, Huayi Tang, Yong Liu

TL;DR
This paper develops a theoretical framework for understanding and reducing transferability error in model ensemble adversarial attacks, validated by extensive experiments on 54 models.
Contribution
It introduces a novel theoretical analysis of transferability error, decomposing it into vulnerability and diversity, and provides practical guidelines for improving ensemble attack effectiveness.
Findings
Transferability error decomposes into vulnerability and diversity components.
Increasing model diversity reduces transferability error.
Using more surrogate models and reducing their complexity improves attack transferability.
Abstract
Model ensemble adversarial attack has become a powerful method for generating transferable adversarial examples that can target even unknown models, but its theoretical foundation remains underexplored. To address this gap, we provide early theoretical insights that serve as a roadmap for advancing model ensemble adversarial attack. We first define transferability error to measure the error in adversarial transferability, alongside concepts of diversity and empirical model ensemble Rademacher complexity. We then decompose the transferability error into vulnerability, diversity, and a constant, which rigidly explains the origin of transferability error in model ensemble attack: the vulnerability of an adversarial example to ensemble components, and the diversity of ensemble components. Furthermore, we apply the latest mathematical tools in information theory to bound the transferability…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Anomaly Detection Techniques and Applications · Network Security and Intrusion Detection
