RED: Efficiently Boosting Ensemble Robustness via Random Sampling Inference

The strengths of this paper include:

• The RED (randomly sampling a model) design, as well as the gradient similarity and Lipschitz regularizer terms, are all fairly simple. I haven't kept up with the latest advances, but I believe there have be many defense works that use similar ideas, making this paper's technical contributions less significant.

• According to Eq. (13), it seems that RED does not use adversarial training. I wonder if RED is compatible with advanced adversarial training methods (e.g., those listed on RobustBench); besides, if using models larger than ResNet-18, can RED achieve higher (or even SOTA) acc under AutoAttack?

1. The core idea of selecting subsets from an ensemble model to enhance defense capabilities has similarities with previous works on ensemble-based transfer attacks [1].
2. The effectiveness of hypernetworks proposed might be contingent on the types of network backbones used. It is essential to evaluate the hypernetworks’ performance across a variety of architectures to ascertain their general utility.
3. The manuscript lacks a thorough comparative analysis with the latest ensemble-based defense methods [2].
4. For real-time devices, it is critical to evaluate not just the parameter efficiency but also the runtime performance of the PS-RED. The manuscript should include runtime comparisons to support claims of suitability for real-time applications.

[1] Meta-gradient adversarial attack. ICCV 2021. [2] Understanding and improving ensemble adversarial defense. NeurIPS 2023.

• This paper's proposed similarity-based regularization is very similar to the ones proposed in its references, specifically GAL. For instance, GAL minimizes the cosine similarity between the gradients of sub-models, Could you elaborate the design rationale of eq. 3? In addition, the underlying objective of eq. 4 appears to be similar to DVERGE. It is not clear how the core contribution of the proposed method is different from these existing methods.

• I am not convinced that random sampling inference (RSI) is effective in improving robustness. This appears to use randomness as a form of gradient masking. Unfortunately, no ablation study regarding the above weaknesses are found in the main submission.

• It is surprising that AutoAttack is not as effective as PGD, C&W, BIM, MIM, and even FGSM, as AutoAttack includes a momentum-based PGD in its toolbox, which is typically more effective than vanilla PGD. This suggests that either AutoAttack is not properly tuned or the proposed method uses gradient masking to appear robust. This paper is also missing stronger adversarial attacks that specifically target ensemble models, such as MORA [a].

• Regarding the loss landscape figures, could you elaborate on the meanings of axes and the right-most plots?

[a]: Yu et al., MORA: Improving Ensemble Robustness Evaluation with Model-Reweighing Attack. NeurIPS 2022. https://arxiv.org/abs/2211.08008

1. The main objective of this paper is still to enhance the robustness. In this case, what if the attacker directly attacks the hypernetwork? As the hypernetwork has an even simpler model architecture, injecting attacks might not be challenging. But this paper does not study the case when the hypernetwork itself is attacked.

2. Limitation and cost concerns of the hypernetwork. In the paper, the hypernetwork is used to predict each layer's weight. The prediction is restricted to certain model architectures and weight shapes, which limits the practicality of the method. Furthermore, training a hypernetwork to predict weights also takes additional effort. It involves the collection of the data for hypernetwork training and the actual training time of the hypernetwork. It's unclear how much the hyperparameter training will cause.

3. Limited evaluations. Current experiments are only conducted on the ResNet18 model architecture, which is mainly composed of 3x3 CONV layers that the hypernetwork predicts. Only showing the results for one model architecture type is insufficient. Also, it's unclear whether this method can work on other model architectures with multiple different layer types.

• Principally, my biggest concern is the lack of adaptive attack evaluation:

Though the submission evaluates the effectiveness against several state-of-the-art attacks, these attacks are not adaptive in terms of not being tailored for the random model selection mechanism. Since the attacker knows that the RED framework selects a random model each time, the attacker can query multiple times and maintain a corresponding adversarial example for each model to iterate within the ensemble. In this way, though at a higher query cost, the attack strategy is boiled down to maintaining a set of PGD iterations and should be more effective than directly applying existing attacks. As a result, the evaluation result may give a false sense of robustness.

• Another concern is the lack of novelty. The ideas of Lipschitz regularization and diversity promotion have long existed. Though the submission proposes different formats, like using $\hat x$ along with $x$, the difference is relatively minor. The hypernetwork is novel to be applied here, but may not suffice at a top-tier conference like ICLR.

Minor:

1. Line 119, Line 122, etc: citation format can be improved. Maybe try \citet{xxx}.

2. Would be good to have some discussion on limitations and broader societal impacts.