Randomized ensemble classifiers (RECs), where one classifier is randomly selected during inference, have emerged as an attractive alternative to traditional ensembling methods for realizing adversarially robust classifiers with limited compute requirements. However, recent works have shown that existing methods for constructing RECs are more vulnerable than initially claimed, casting major doubts on their efficacy and prompting fundamental questions such as: "When are RECs useful?", "What are their limits?", and "How do we train them?" In this work, we first demystify RECs as we derive fundamental results regarding their theoretical limits, necessary and sufficient conditions for them to be useful, and more. Leveraging this new understanding, we propose a new boosting algorithm (BARRE) for training robust RECs, and empirically demonstrate its effectiveness at defending against strong $\ell_\infty$ norm-bounded adversaries across various network architectures and datasets.