Ensemble methods, which combine predictions from multiple individual models, are frequently employed not just to enhance predictive accuracy but also as a heuristic defense against adversarial attacks. The intuition is that an adversarial example crafted to fool one specific model might not be effective against others, especially if the ensemble members are diverse (e.g., different architectures, trained on different data subsets). However, ensembles are not impervious to evasion attacks. Attacking them requires specific strategies that account for the aggregated decision-making process.

Let's consider an ensemble $F$ composed of $M$ individual models $f_1, f_2, \ldots, f_M$ . The final prediction $F(x)$ is typically derived by combining the individual predictions $f_i(x)$ , often through mechanisms like majority voting (for classification) or averaging probabilities.

F(x) = \text{aggregate}(f_1(x), f_2(x), \ldots, f_M(x))

An attacker's goal is to find a perturbation $\delta$ such that $F(x + \delta) \neq F(x)$ , while $||\delta||_p \le \epsilon$ .

Strategies for Attacking Ensembles

Several approaches can be employed to generate adversarial examples against ensemble models:

Leveraging Transferability: As discussed in the section on transferability, adversarial examples crafted for one model often have some effectiveness against other models, particularly those trained on similar data or having similar architectures. An attacker can generate an adversarial example targeting a single, potentially weaker, member $f_i$ of the ensemble and hope it transfers sufficiently to fool the aggregate decision $F$ . Alternatively, an attacker might train their own surrogate model that mimics the ensemble's behavior (if the ensemble is black-box) or use a known, accessible model from the ensemble as a proxy. The attack is then performed on this surrogate/proxy model. While simpler, this approach might be less effective than attacks directly targeting the ensemble.
Optimization Against Aggregate Output: A more direct approach involves formulating the attack as an optimization problem that targets the ensemble's combined output.
- Averaging Ensembles: If the ensemble averages prediction probabilities (or logits), the attacker can aim to maximize the loss function calculated on this average output. For instance, if $p_i(x)$ is the probability vector output by model $f_i$ , the ensemble output might be $\bar{p}(x) = \frac{1}{M} \sum_{i=1}^M p_i(x)$ . An optimization-based attack (like PGD or C&W) can be adapted to use the gradient of the loss function with respect to $\bar{p}(x + \delta)$ when searching for $\delta$ .
- Voting Ensembles: Attacking majority voting ensembles is trickier because the aggregation function is non-differentiable. However, approximations can be used. One common strategy is to target the average probability/logit output as a surrogate objective, assuming that pushing the average prediction towards the wrong class will likely flip the majority vote. Another approach involves iteratively attacking individual models that currently contribute to the correct consensus, aiming to flip their votes one by one until the majority shifts.
Attacking All Members Simultaneously: An attacker can try to find a single perturbation $\delta$ that is effective against all or a majority of the individual models $f_i$ . This often involves modifying the objective function in optimization-based attacks. For example, instead of minimizing the loss for one model, the objective could be to minimize the sum or maximum of the losses across all ensemble members:
$\text{maximize } \sum_{i=1}^M \mathcal{L}(f_i(x+\delta), y_{\text{target}}) \quad \text{or} \quad \text{maximize } \max_{i} \mathcal{L}(f_i(x+\delta), y_{\text{target}})$
subject to $||\delta||_p \le \epsilon$ . This generally increases the computational cost of the attack significantly, as gradients need to be computed for all models in each step.

Process of attacking an ensemble model. The attacker searches for a perturbation $\delta$ to create $x_{adv}$ , which is fed into multiple models ( $f_1, f_2, f_3$ ). The individual outputs are combined by an aggregation mechanism, and the goal is to make the final ensemble prediction $F(x_{adv})$ incorrect.

Challenges and Considerations

Attacking ensembles is generally more computationally expensive than attacking single models, especially when optimizing against the aggregate output or targeting all members simultaneously. The effectiveness of the attack often depends on the diversity of the ensemble members. Ensembles composed of highly similar models might not offer much additional resilience compared to a single model. Conversely, highly diverse ensembles can be significantly more challenging to attack successfully using a single small perturbation.

When evaluating the robustness of an ensemble defense, it's important to use attacks specifically designed for ensembles, rather than relying solely on the transferability of attacks generated against individual members. As we will see in Chapter 6, evaluating defenses requires adaptive attacks tailored to the specific defense mechanism being tested.

The next section provides a hands-on practical session where you'll implement some of the evasion attacks discussed in this chapter, potentially including basic ensemble attack concepts.