Ensemble everything everywhere: Multi-scale aggregation for adversarial robustness

Thank you for your thoughtful review. We address your concerns and questions:

ImageNet Results

We agree that ImageNet results are needed to verify the generalization of our method. During rebuttal, we trained and evaluated on different subsets of ImageNet (224x224):

• Multi-resolution backbone: 65% → 32% under AutoAttack (L∞=4/255)
• CrossMax self-ensemble: 63% → 59% after attack
• Comparable to current SOTA (59.64%)

The key limitation here is that due to the time constraints, the numbers we provide are only for the first 32 images of the ImageNet validation set under the RobustBench AutoAttack attacks with the rand flag for randomized defenses on. However, we still believe that such high numbers for adversarial accuracy suggest at least a decent amount of our method’s generality even in case of higher resolution datasets.

Adaptive Attack Evaluation

We implemented focused adaptive attacks:

1. Created surrogate model removing CrossMax max operations
2. Replaced median/top-k with simple mean aggregation
3. Ran increasingly stronger PGD attacks

Results on CIFAR-100 (L∞=8/255):

Key findings:

• Attack transfer is effective
• Performance stabilizes ~25% despite 16x step increase
• Successful attacks produce semantically meaningful changes (we can’t show them here but we even ran a small scale verification with a human audience at a talk and they too were convinced that the attack was successful – they saw the target class in the image)

Appendix Clarification

A.8: Attack transfer analysis between network layers C: Additional CrossMax ablation experiments showing effect of different aggregation functions D: Detailed validation across architectures (ResNet, ViT)

We'll improve appendix organization in the final version. Thank you for pointing this out.

Training from Scratch

We trained ResNet18 from scratch on CIFAR-10:

• Clean accuracy: 76.94%
• Adversarial accuracy: 64.06% (AutoAttack)
• Comparable to finetuned models

We don’t think that what makes the model robust is its training from a brittle ImageNet checkpoint, given that we experimentally show a very similar robustness of a model trained from scratch. Conversely, many models that are specifically trained for adversarial robustness via adversarial training train from scratch to make sure they induce robustness from the very beginning, and finetuning a pretrained model might even be detrimental. There are in literature cases where people do apply only finetuning as well (for example https://arxiv.org/abs/2401.04350). We believe that this is not a crucial factor in our models’ robustness.

These results strengthen our claims by demonstrating:

1. (Preliminary) Scalability to high-resolution ImageNet
2. Robustness against adaptive attacks
3. Effectiveness when trained from scratch

Thank you for your thoughtful review. We address your concerns and questions:

1. Generalization to New Architectures

The method adapts well across architectures and we actually have implementations for ResNets and Vision Transformers already. The only things that are needed are:

1. Modifying the very first layer of the model to accept 3N instead 3 channel images (N being the number of resolutions used)
2. Adding linear classifiers at selected intermediate layers (similar to standard linear probes used in mechanistic interpretability)
3. The aggregation of the intermediate layer outputs is as easy as standard ensembling, the the aggregation function not being mean but a crossmax instead

Overall, the method generalizes well to other vision architecture and we even ran tests with ensembling several ViTs and ResNets trained from scratch rather than a self-ensemble of a single model's hidden layers. This also yields more robustness against adversarial attacks compared to the standard mean ensemble.

2. ImageNet Results

Preliminary ImageNet validation results (ResNet152):

• Multi-resolution backbone: 65% → 32% under AutoAttack (L∞=4/255)
• CrossMax self-ensemble: 63% → 59% after attack
• Comparable to current SOTA (59.64%)

The key limitation is that we only performed the attack on the first 32 images of the ImageNet validation set for time reasons. While these results are very preliminary and we only added them during the rebuttal period on limited hardware, we believe that they are a solid indication of generalization beyond the simpler CIFAR-10 and CIFAR-100 cases.

3. CrossMax Training Stability

Max operations don't significantly impact training because:

• Applied post backbone training
• Multiple gradient paths through ensemble structure
• Final loss remains smooth and differentiable

In fact, we took the simplest method to train the model we could and because it worked, we didn’t really explore the more complex version. Our path:

1. Train a single backbone model to accept multi-resolution inputs
2. Freeze its weights
3. Train one layer’s linear projection at a time on top a frozen backbone model
4. Ensemble all layer’s predictions via a simple post-processing function = crossmax

This simple training process proved sufficient because the backbone learns robust multi-resolution features independently of the probes, which then only need to learn to read out class information from those features.

4. Technical Questions

White-box Attacks

Multi-resolution expansion is fully differentiable and therefore suitable for white box attacks. All transformations (downsampling, jittering, noise) maintain gradient flow, enabling complete white-box access.

Linear Probe Training

The probes were added on top of a frozen backbone model, no additional training was applied to the backbone while the probes were trained.

Thank you for your detailed feedback. We hope we answered all your questions.

Thank you for your positive review. We address your questions and concerns:

Empirical Claims & Generalization

We've now tested generalization to ImageNet, achieving promising preliminary results despite limited compute:

• Multi-resolution backbone: 65% → 32% under AutoAttack (L∞ = 4/255)
• CrossMax self-ensemble: 63% → 59% after attack
• Comparable to current SOTA (59.64%)

While preliminary (32 validation images), this indicates scalability beyond CIFAR datasets.

Computational Efficiency

The multi-resolution approach does increase computation, but only in a very limited way and with practical benefits:

1. In the backbone, the only architectural difference is the first convolution layer accepting as input 4x more channels than before. After that, all layers stay the same. This is a very small overhead compared to the standard ResNet152

2. For the self-ensemble, a selected layers have an additional linear projection (=a batch norm + a single affine layer) attached to them. In the implementations in the paper, we only use a selection of 8 such layers, inducing a limited computational overhead of 8 matrix multiplication in addition to the standard ResNet152

3. The preprocessing of a single image to a cascade for lower resolution version is very computationally efficient and does not pose a significant overhead.

Overall the additional compute needed to run a multi-resolution self-ensemble is not large and not a major concern.

Resolution Selection

We have not studied resolution sensitivity in detail but found, by unguided experimentation, that a relatively small number of them sufficed. In the multi-resolution prior applied to generation, we see that even a set of resolutions corresponding to 2x multiples from the full resolution to the lowest possible (e.g. [224, 112, 56, 28, 14, 7]) was sufficient to generate interpretable images. We therefore believe a similar effect might be at play for the multi-resolution prior for defense.

Implicit Multi-resolution Learning

“ explicitly feed in N images of different resolution”

We actually found that feeding N images in doesn’t work, and that we needed to stack these versions along the channel dimension into a single 224x224x(3N) image and pass it through the network all at once.

We tried a large number of ways of providing the model with the image at multiple resolutions, including passing them through multiple forward passes and aggregating their predictions at the end somehow. The only method that found to work as the one presented: producing a channel-wise stack of multiple resolutions, fed into the model all at once as channels of the same image. What makes this even more interesting is that this, on its own, wasn’t enough. We still need to train with a very low learning rate to get the accuracy as well as adversarial accuracy from such a model. With a high learning rate, we saw the accuracy being high, while adversarial accuracy keeping to around 0%. This to us suggests that it is indeed relatively difficult to make a model make use of such multiresolution input.

Vickrey Auction in Self-ensembling

The key insight was that intermediate layers make partially independent predictions under attack and that the layer the attack is not designed to specifically fool retains some ability to see the ground truth class. CrossMax's aggregation mechanism prevents any single layer from dominating, similar to how Vickrey auctions prevent bidder manipulation.

We tested CrossMax for general ensemble aggregation:

• 10 independently trained ResNet18s
• L∞ = 8/255 AutoAttack
• CrossMax improves robustness by 17x vs standard mean
• Similar gains on other architectures, including Vision Transformers

This suggests CrossMax's benefits extend beyond self-ensembling to general robust aggregation of even independently trained models.

We will add these analyses to the final version to better support our method's broad applicability.

Thank you for your thoughtful and detailed review. We address your concerns and questions:

1. Adaptive Attacks

During the rebuttal period, we implemented adaptive attacks specifically targeting our model's key components. Our approach:

1. Created a surrogate model removing CrossMax's max operations
2. Replaced median/top-k with simple mean aggregation
3. Ran PGD (simpler than AutoAttack to make sure we get as clean a signal as possible) attacks with increasing steps (20 to 640)

Results on CIFAR-100 (L∞ = 8/255):

Key findings:

• Attack transfer is effective, demonstrating the adaptive attacks’ strength
• Performance stabilizes at ~25% despite exponential step increase
• Successful attacks produce semantically meaningful changes (we would love to show you but can’t link images – we even ran a small human experiment during a talk at a university and the audience agreed that the “successfully attacked” image looked like the target label to them too! We will include it in the revised final version of the paper)

2. Preliminary ImageNet Results

We agreed this would be valuable and have now run ImageNet evaluations. We were unfortunately limited to a single A100 in the end so could only perform a limited number of experiments. Using an ImageNet pretrained ResNet152 backbone and following our CIFAR-100 training procedure, we achieved promising results without any adversarial training:

Multi-resolution setup:

• Resolutions: [224, 112, 84, 56]
• Noise level: 0.5
• X-Y jitter: up to 42 pixels

Results on ImageNet validation subset:

• Multi-resolution backbone alone: 65% → 32% under AutoAttack (L∞ = 4/255)
• CrossMax self-ensemble (layers [52,50,45,40,35,30], top-2): 63% → 59% after attack

The RobustBench AutoAttack (with rand flag) shows as its detailed output:

• Initial accuracy: 62.50%
• Robust accuracy after APGD-CE: 46.88%
• Robust accuracy after APGD-DLR: 43.75%
• Final adversarial accuracy: 59.38% (due to some “successful” attacks being reversed by the random noise etc in the multi-resolution input preprocessing)

(For comparison, the current best models get adversarial accuracy of 59.64% on the full ImageNet test set.)

While preliminary (tested on first 32 validation images), these results indicate a promising robustness scaling to ImageNet. A complete evaluation and optimization would be valuable future work and we will try to add as much as we can to the final version.

3. Multi-resolution Implementation Details

For each input image:

• Resolutions: Fixed set {32×32, 16×16, 8×8, 4×4}
• Randomization per forward pass:
• Random jitter (±3 pixels)
• Random noise (σ=0.1)
• Random contrast changes
• Random color-grayscale shifts

The attacker has full white-box access to all parameters. The image transformations are all differentiable and do not block the white box access the attacker enjoys, making our model suitable for white-box evaluation. For PGD attacks, randomization occurs at each step with different seeds.

4. BatchNorm in Training from Scratch

BatchNorm was disabled when training from scratch to maintain consistent statistics across the multi-resolution branches. With BatchNorm on, different resolutions developed significantly different statistics, harming performance. This is not a fundamental limitation, as BatchNorm can be re-enabled with appropriate normalization strategies across resolutions.

5. Method Comparisons

We will enhance baseline descriptions in the final version by:

• Adding method names
• Including key architectural details
• Providing clearer comparison tables

We appreciate your thorough review, particularly regarding the appendix materials. The new adaptive attack results demonstrate our method's robustness even under targeted attacks while producing interpretable perturbations.

Taken together, these results strengthen our paper's contributions by: (1) demonstrating robustness under adaptive attacks with asymptotic ~25% accuracy even with 640 PGD steps, (2) showing promising scalability to ImageNet with 59% adversarial accuracy (on RobustBench AutoAttack with a random small subset of images), and (3) clarifying technical implementation details. The interpretable nature of successful attacks against our model, verified through a small scale human evaluation, further supports our approach's soundness. We will incorporate these insights and clarifications in the final version.

Dear Professor Hein,

Thank you for your detailed comment. We will address specific points below, including the results for additional experiments and ablations we ran to clarify several points you raised. We must, however, strongly disagree with your sweeping conclusion that, as you say:

Thus we think that the claims of this paper are invalid.

We hope that through our detailed reply you will revise your conclusion.

Our step by step rebuttal of your detailed points follows:

1. Robust accuracy going to zero with large perturbation size

You are concerned that we didn’t show explicitly that with large enough perturbation sizes, the adversarial accuracy goes to zero. We did perform this most basic check, but didn't include them in the paper, as it did not seem to add any value. However, as you suggested, here’s an additional experiment that we just ran, gradually increasing the $L_\mathrm{inf}$ of the RobustBench AutoAttack with the rand flag on, showing that our model’s robust accuracy decreases monotonically and all the way to 0% with the attack strength:

The Table shows the Attack size L_inf out of 255 for the RobustBench AutoAttack with the rand flag on a subset of the CIFAR-100 test set and its effect on our Multi-resolution self-ensemble

As you can see, the increasing L_inf of the attack decreases adversarial accuracy quickly all the way to 0%, as is expected.

2. Adaptive attacks against our model

You are correct to point out (as our reviewers also did) that we are missing an “adaptive” attack on our model. The word adaptive might mean e.g. adaptive learning rate in the attack etc, which is used as part of the AutoAttack already, but we believe that what is meant by it in this context is an attack that is specifically tailored to our multi-resolution self-ensemble.

During the rebuttal period, we actually added new experiments to address this very issue. To make gradients as smooth as possible for the attack, we

1. removed the 2 max subtractions from cross-max, and
2. aggregated predictions from different layers using a simple mean instead of median or top_k. For the sake of simplicity, we used a standard Projected Gradient Descent (implemented in standard package as an attack = fb.attacks.LinfProjectedGradientDescentAttack(steps=attack_steps)), attacked this surrogate model, and then evaluate the attacked images on our original model, using their similarity for attack transfer.

Our results for CIFAR-100 follow: PGD attack, steps = below (all using 8/255 L_inf size limit)

We do see transfer from the surrogate model to our model, demonstrating that we are indeed using a strong, suitable adaptive attack here. The accuracy on the directly attacked surrogate model is lower than on our original model that we transfer the attacked images to (as expected), and the gap increases with the number of PGD attack steps used. Notice that even though we are increasing the number of steps geometrically (2x each step), the “returns” to this increase are flatlining and there seems to be a ~25% asymptotic accuracy, demonstrating that even against a specifically tailored attack, our model’s robust performance does not go to 0%, even when allowing the attacker to use an exponentially increasing number of iterations to design the attack.

An interesting point we see is that when we visualize the resulting perturbations that successfully changed the images’ classes, they are universally very smooth, non-noisy, and interpretable, suggesting that our model is genuinely robust, as you suggested with one of the references you cite. In fact the changed images often do end up looking like the target class. This to us suggests that the issue could be more with the brittleness of the CIFAR-100 dataset and the task of measuring adversarially robustness as a resistance to a class flip from the original class to any other class, rather than with the model itself, but to properly address this we would need to write a separate paper.