Evaluating the Robustness of the "Ensemble Everything Everywhere" Defense

TL;DR

This paper critically evaluates the 'Ensemble Everything Everywhere' defense against adversarial attacks, revealing that its apparent robustness is due to gradient masking and demonstrating its vulnerability through adaptive attacks.

Contribution

The study exposes the weaknesses of the ensemble defense, showing it is not genuinely robust and can be bypassed with standard adaptive attack techniques.

Findings

Defense causes severe gradient masking

Adaptive attacks significantly reduce robustness

Robust accuracy drops from 48% to 14% on CIFAR-100

Abstract

Ensemble everything everywhere is a defense to adversarial examples that was recently proposed to make image classifiers robust. This defense works by ensembling a model's intermediate representations at multiple noisy image resolutions, producing a single robust classification. This defense was shown to be effective against multiple state-of-the-art attacks. Perhaps even more convincingly, it was shown that the model's gradients are perceptually aligned: attacks against the model produce noise that perceptually resembles the targeted class. In this short note, we show that this defense is not robust to adversarial attack. We first show that the defense's randomness and ensembling method cause severe gradient masking. We then use standard adaptive attack techniques to reduce the defense's robust accuracy from 48% to 14% on CIFAR-100 and from 62% to 11% on CIFAR-10, under the $\ell_\infty$-norm threat model with $\varepsilon=8/255$.