What problem does this paper attempt to address?

### What problem does this paper attempt to solve? This paper aims to explore and answer a key question: **Is the improvement in adversarial robustness provided by randomized ensembles real and reliable?** Specifically, although recent research has shown that randomized ensembles models have demonstrated significant robustness improvements in adversarial attacks and have a relatively small computational cost, it is still doubtful whether these improvements truly reflect the actual robustness of the models. To answer this question, the author has conducted in - depth research from both theoretical and empirical perspectives. #### Decomposition of the main problems: 1. **Effectiveness of standard attack algorithms**: - The paper first points out that commonly - used attack algorithms such as adaptive projected gradient descent (adaptive PGD, APGD) may have fundamental flaws when attacking randomized ensembles models. Specifically, APGD cannot guarantee to find an $\ell_p$-bounded adversarial perturbation, even if such a perturbation does exist. 2. **Proposing a new attack algorithm**: - To solve the above problem, the author proposes a new attack algorithm - **ARC (Attacking Randomized ensembles of Classifiers)**. This algorithm is specifically designed to evaluate the robustness of randomized ensembles models against $\ell_p$-bounded adversarial perturbations. 3. **Experimental verification**: - Through extensive experiments, the author shows that randomized ensembles models are actually more vulnerable to ARC attacks than standard adversarial training (adversarial training, AT) models. This indicates that the robustness gain obtained by previous evaluations using APGD may be a false sense of security. #### Formula summary: - **Auxiliary classifier**: \[ \bar{f}(x)=\left(\sum_{i = 1}^M\alpha_i\lambda_iw_i\right)^Tx+\bar{b} \] where $w_i$ and $b_i$ are the weights and biases of the $i$-th binary linear classifier respectively. - **APGD update rule**: \[ \delta^{(k)}=\Pi_{p,\epsilon}\left(\delta^{(k - 1)}+\eta\mu_p\left(\nabla_xl(x+\delta^{(k - 1)},y)\right)\right) \] - **ARC algorithm update rule**: \[ \hat{\delta}=\gamma(\delta+\beta g) \] where $g$ is the optimal unit $\ell_p$-norm perturbation direction that causes the classifier $f_i$ to misclassify. Through these studies, the paper reveals the potential problems in the evaluation of adversarial robustness of randomized ensembles models and proposes a more effective evaluation method.