[Paper Review] Improving Adversarial Robustness via Promoting Ensemble Diversity
The paper introduces an adaptive diversity promoting (ADP) regularizer to train ensembles by promoting diversity among non-maximal predictions, improving robustness to adversarial attacks while preserving accuracy on normal data.
Though deep neural networks have achieved significant progress on various tasks, often enhanced by model ensemble, existing high-performance models can be vulnerable to adversarial attacks. Many efforts have been devoted to enhancing the robustness of individual networks and then constructing a straightforward ensemble, e.g., by directly averaging the outputs, which ignores the interaction among networks. This paper presents a new method that explores the interaction among individual networks to improve robustness for ensemble models. Technically, we define a new notion of ensemble diversity in the adversarial setting as the diversity among non-maximal predictions of individual members, and present an adaptive diversity promoting (ADP) regularizer to encourage the diversity, which leads to globally better robustness for the ensemble by making adversarial examples difficult to transfer among individual members. Our method is computationally efficient and compatible with the defense methods acting on individual networks. Empirical results on various datasets verify that our method can improve adversarial robustness while maintaining state-of-the-art accuracy on normal examples.
Motivation & Objective
- Motivate robustness challenges in ensemble models beyond single-network defenses.
- Define a new ensemble diversity measure suitable for adversarial settings (non-maximal predictions).
- Develop the adaptive diversity promoting (ADP) regularizer combining ensemble entropy and diversity terms.
- Show that ADP training yields stronger ensemble robustness with efficient computation and compatibility with existing defenses.
Proposed method
- Define ensemble diversity as the determinant of the Gram matrix of normalized non-maximal predictions across ensemble members.
- Introduce the ADP regularizer with two terms: ensemble entropy and log-determinant of diversity (LED).
- Train all ensemble members jointly with an augmented objective combining ensemble cross-entropy (ECE) loss and ADP regularizer.
- Provide theoretical analysis showing how hyperparameters alpha (entropy) and beta (LED) influence optimal solutions.
- Evaluate the method against adversarial attacks and demonstrate its compatibility with other defenses through experiments on MNIST, CIFAR-10, and CIFAR-100.
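As an added illustration (not code from the paper or its authors), the sketch below computes the ADP regularizer described above for one input: alpha times the entropy of the averaged prediction plus beta times the log-determinant of the Gram matrix of the members' normalized non-maximal predictions. It assumes the non-maximal vector is formed by dropping the true-label entry and L2-normalizing the rest; the function names, the eps jitter, the alpha and beta values, and the sample predictions are constructed for this example.

```python
import math

def non_maximal(pred, y):
    """Drop the true-label entry y, then L2-normalize what is left (assumed form)."""
    rest = [p for i, p in enumerate(pred) if i != y]
    norm = math.sqrt(sum(p * p for p in rest)) or 1.0  # one-hot output: keep zeros
    return [p / norm for p in rest]

def log_det(m):
    """Log-determinant of a small symmetric positive-definite matrix (elimination)."""
    a = [row[:] for row in m]
    total = 0.0
    for i in range(len(a)):
        if a[i][i] <= 0.0:
            return float("-inf")  # numerically singular: no diversity at all
        total += math.log(a[i][i])
        for r in range(i + 1, len(a)):
            f = a[r][i] / a[i][i]
            for c in range(i, len(a)):
                a[r][c] -= f * a[i][c]
    return total

def adp(preds, y, alpha, beta, eps=1e-6):
    """Return (ADP value, ensemble entropy, LED) for K member predictions on one input."""
    k = len(preds)
    mean = [sum(p[j] for p in preds) / k for j in range(len(preds[0]))]
    entropy = -sum(q * math.log(q) for q in mean if q > 0)
    vecs = [non_maximal(p, y) for p in preds]
    # Gram matrix of the K normalized vectors; eps on the diagonal is an added
    # jitter (assumption) so identical members give a finite, very negative LED.
    gram = [[sum(a * b for a, b in zip(u, v)) + (eps if i == j else 0.0)
             for j, v in enumerate(vecs)] for i, u in enumerate(vecs)]
    led = log_det(gram)
    return alpha * entropy + beta * led, entropy, led

# Constructed sample: K = 3 members, L = 4 classes, true label y = 0.
# Both ensembles average to the same prediction [0.7, 0.1, 0.1, 0.1].
IDENTICAL = [[0.7, 0.1, 0.1, 0.1]] * 3
DIVERSE = [[0.7, 0.3, 0.0, 0.0], [0.7, 0.0, 0.3, 0.0], [0.7, 0.0, 0.0, 0.3]]

if __name__ == "__main__":
    for name, preds in (("identical", IDENTICAL), ("diverse", DIVERSE)):
        value, entropy, led = adp(preds, y=0, alpha=2.0, beta=0.5)
        print(f"{name:9s} entropy={entropy:.4f} LED={led:.3f} ADP={value:.3f}")
```

Because both sample ensembles average to the same prediction, their entropy terms are equal and only the LED term separates them: it is close to 0 for the mutually orthogonal members and strongly negative for the identical ones.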
Experimental results
Research questions
- RQ1: Can promoting diversity among non-maximal predictions in an ensemble reduce transferability of adversarial examples across ensemble members?
- RQ2: How should the ADP regularizer be designed to improve robustness without harming accuracy on clean data?
- RQ3: What is the theoretical role of ensemble entropy and LED terms in shaping optimal predictions?
- RQ4: Is the ADP approach scalable and compatible with defenses acting on individual networks?
- RQ5: How does ADP perform under common white-box adversarial attacks across standard benchmarks?
Key findings
- ADP training significantly improves ensemble robustness against a range of attacks (FGSM, BIM, PGD, MIM, JSMA, C&W, EAD) on MNIST, CIFAR-10, and CIFAR-100.
- The ensemble accuracy on normal examples is maintained or improved, while individual networks may have higher error rates compared to baselines.
- Non-maximal predictions become more diverse and, visually, feature distributions among ensemble members diverge (as shown by t-SNE).
- ADP remains computationally efficient (about 10% slower with larger K) and is compatible with adversarial training as an orthogonal defense.
- The LED component alone can fail to regularize without the ensemble entropy term, illustrating the necessity of both components for effective optimization.
- Corollaries show that when (L−1) is divisible by K, non-maximal predictions can be made mutually orthogonal, leading to structured diversity.
This review was created by AI and reviewed by human editors.