Deep neural networks (DNNs) are well known to be vulnerable to adversarial examples (AEs). In addition, AEs have adversarial transferability, which means AEs generated for a source model can fool another black-box model (the target model) with a non-trivial probability. Previous studies confirmed that the vision transformer (ViT) is more robust against transferred AEs than convolutional neural network (CNN) models such as ConvMixer, and moreover that an encrypted ViT is more robust than a ViT without any encryption. In this article, we propose a random ensemble of encrypted ViT models to achieve much more robust models. In experiments, the proposed scheme is verified to be more robust than conventional methods against not only black-box attacks but also white-box ones.