A Random Ensemble of Encrypted models for Enhancing Robustness against Adversarial Examples

Ryota Iijima, Sayaka Shiota, Hitoshi Kiya

TL;DR

The paper addresses the susceptibility of deep neural networks to adversarial examples and their transferability across models. It introduces a random ensemble of encrypted Vision Transformer (ViT) sub-models trained with distinct secret keys and evaluated via a randomness-based inference scheme, achieving robustness against both white-box and black-box attacks. Key contributions include integrating key-based encryption with a stochastic ensemble to disrupt transferability and demonstrating strong performance on CIFAR-10 under AutoAttack while preserving high clean accuracy. This approach offers a practical defense mechanism that can enhance robustness in security-sensitive vision systems without substantial performance loss on clean data.

Abstract

Deep neural networks (DNNs) are well known to be vulnerable to adversarial examples (AEs). In addition, AEs have adversarial transferability, which means AEs generated for a source model can fool another black-box model (target model) with a non-trivial probability. In previous studies, it was confirmed that the vision transformer (ViT) is more robust against the property of adversarial transferability than convolutional neural network (CNN) models such as ConvMixer, and moreover encrypted ViT is more robust than ViT without any encryption. In this article, we propose a random ensemble of encrypted ViT models to achieve much more robust models. In experiments, the proposed scheme is verified to be more robust against not only black-box attacks but also white-box ones than conventional methods.

Paper Structure (11 sections, 2 figures, 2 tables)

This paper contains 11 sections, 2 figures, 2 tables.

Figures (2)

  • Figure 1: Framework of proposed scheme
  • Figure 2: Overview of proposed method