Randomized ensemble classifiers (RECs), where one classifier is randomly selected during inference, have emerged as an attractive alternative to traditional ensembling methods for realizing adversarially robust classifiers with limited compute requirements. However, recent works have shown that existing methods for constructing RECs are more vulnerable than initially claimed, casting major doubts on their efficacy and prompting fundamental questions such as: "When are RECs useful?", "What are their limits?", and "How do we train them?". In this work, we first demystify RECs as we derive fundamental results regarding their theoretical limits, necessary and sufficient conditions for them to be useful, and more. Leveraging this new understanding, we propose a new boosting algorithm (BARRE) for training robust RECs, and empirically demonstrate its effectiveness at defending against strong $\ell_\infty$ norm-bounded adversaries across various network architectures and datasets.
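To make the REC inference model in the abstract concrete, here is a toy added example (not code from the paper or from BARRE): a randomized ensemble of constructed 1-D threshold classifiers, with one member sampled per query, plus an evaluation of the ensemble's expected accuracy and its worst case over bounded perturbations. The thresholds, uniform sampling distribution, sample points and 1-D grid search over |delta| <= eps are all assumptions made for illustration.

```python
import random
from typing import Callable, Sequence

Classifier = Callable[[float], int]

def make_threshold(t: float) -> Classifier:
    """Constructed 1-D member: predicts class 1 iff x >= t."""
    return lambda x: 1 if x >= t else 0

class RandomizedEnsemble:
    """REC: at inference a single member is sampled from a fixed
    distribution and only that member is evaluated on the input."""
    def __init__(self, members: Sequence[Classifier], probs: Sequence[float], seed: int = 0):
        assert len(members) == len(probs) and abs(sum(probs) - 1.0) < 1e-9
        self.members, self.probs = list(members), list(probs)
        self.rng = random.Random(seed)

    def predict(self, x: float) -> int:
        member = self.rng.choices(self.members, weights=self.probs, k=1)[0]
        return member(x)

    def expected_correct(self, x: float, y: int) -> float:
        # By linearity of expectation, the probability that a query is answered
        # correctly is the sampling-weighted fraction of members that are
        # correct at x (an adversary who knows the distribution but not the
        # sampled member can at best drive this quantity down).
        return sum(p for m, p in zip(self.members, self.probs) if m(x) == y)

def expected_accuracy(rec, xs, ys) -> float:
    return sum(rec.expected_correct(x, y) for x, y in zip(xs, ys)) / len(xs)

def worst_case_expected_accuracy(rec, xs, ys, eps: float, grid: int = 21) -> float:
    """Per-input worst case of the expected correctness over |delta| <= eps
    (exhaustive grid search, which is exact enough in 1-D), averaged over data."""
    deltas = [-eps + 2 * eps * i / (grid - 1) for i in range(grid)]
    return sum(min(rec.expected_correct(x + d, y) for d in deltas)
               for x, y in zip(xs, ys)) / len(xs)

# Constructed data: three thresholds sampled uniformly, four labelled points.
REC = RandomizedEnsemble([make_threshold(t) for t in (0.4, 0.5, 0.6)], [1 / 3] * 3)
XS, YS = [0.0, 0.3, 0.7, 1.0], [0, 0, 1, 1]

if __name__ == "__main__":
    print("clean expected accuracy:", expected_accuracy(REC, XS, YS))  # 1.0
    print("worst-case expected accuracy (eps=0.15):",
          worst_case_expected_accuracy(REC, XS, YS, 0.15))             # 0.8333...
```

The clean accuracy is 1.0 because every member agrees on the sample points, while at eps = 0.15 the two boundary points can each be pushed past one of the three thresholds, so the REC's expected correctness there drops to 2/3 and the average to 5/6.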