CRCV | Jul 26, 2023

Enhanced Security against Adversarial Examples Using a Random Ensemble of Encrypted Vision Transformer Models

arXiv:2307.13985v1 | 4 citations | h-index: 35
Originality: Incremental advance
AI Analysis

This work addresses security concerns for AI systems, particularly in vision applications, by improving defense mechanisms against adversarial attacks, though it appears incremental as it builds on existing encrypted ViT approaches.

The paper tackles the vulnerability of deep neural networks to adversarial examples by proposing a random ensemble of encrypted vision transformer models, achieving enhanced robustness against both black-box and white-box attacks compared to conventional methods.

Deep neural networks (DNNs) are well known to be vulnerable to adversarial examples (AEs). In addition, AEs have adversarial transferability, which means that AEs generated for a source model can fool another black-box model (the target model) with a non-trivial probability. In previous studies, it was confirmed that the vision transformer (ViT) is more robust against adversarial transferability than convolutional neural network (CNN) models such as ConvMixer, and moreover that an encrypted ViT is more robust than a ViT without any encryption. In this article, we propose a random ensemble of encrypted ViT models to achieve much more robust models. In experiments, the proposed scheme is verified to be more robust than conventional methods against not only black-box attacks but also white-box ones.
