Deep neural networks are known to be vulnerable to adversarial attacks: A small perturbation that is imperceptible to a human can easily make a well-trained deep neural network misclassify. To defend against adversarial attacks, randomized classifiers have been proposed as a robust alternative to deterministic ones. In this work we show that in the binary classification setting, for any randomized classifier, there is always a deterministic classifier with better adversarial risk. In other words, randomization is not necessary for robustness. In many common randomization schemes, the deterministic classifiers with better risk are explicitly described: For example, we show that ensembles of classifiers are more robust than mixtures of classifiers, and randomized smoothing is more robust than input noise injection. Finally, experiments confirm our theoretical results with the two families of randomized classifiers we analyze.