Deep neural networks (DNNs) are well known to be vulnerable to adversarial examples (AEs). In addition, AEs have adversarial transferability, which means that AEs generated for a source model can fool another black-box model (target model) with a non-trivial probability. In previous studies, it was confirmed that the vision transformer (ViT) is more robust against adversarial transferability than convolutional neural network (CNN) models such as ConvMixer, and moreover that an encrypted ViT is more robust than a ViT without any encryption. In this article, we propose a random ensemble of encrypted ViT models to achieve much more robust models. In experiments, the proposed scheme is verified to be more robust than conventional methods against not only black-box attacks but also white-box ones.