LG | AI | CR | ML
Sep 28, 2020

Where Does the Robustness Come from? A Study of the Transformation-based Ensemble Defence

arXiv:2009.13033v2
AI Analysis

The paper addresses the problem of evaluating and improving adversarial robustness in machine learning models, but its findings are incremental: they clarify how an existing defence mechanism works rather than introducing a new one.

The paper investigates the transformation-based ensemble defence for image classification to understand its robustness against evasion attacks, finding that the robustness gain is limited and stems primarily from irreversible transformations rather than from ensembling models.

This paper aims to provide a thorough study on the effectiveness of the transformation-based ensemble defence for image classification and its reasons. It has been empirically shown that they can enhance the robustness against evasion attacks, while there is little analysis on the reasons. In particular, it is not clear whether the robustness improvement is a result of transformation or ensemble. In this paper, we design two adaptive attacks to better evaluate the transformation-based ensemble defence. We conduct experiments to show that 1) the transferability of adversarial examples exists among the models trained on data records after different reversible transformations; 2) the robustness gained through transformation-based ensemble is limited; 3) this limited robustness is mainly from the irreversible transformations rather than the ensemble of a number of models; and 4) blindly increasing the number of sub-models in a transformation-based ensemble does not bring extra robustness gain.
