
arxiv: 2606.06265 · v1 · pith:ZB2P2354new · submitted 2026-06-04 · 💻 cs.CR

Robust Ensemble of Selectively Strengthened and Augmented Predictors

Pith reviewed 2026-06-28 00:28 UTC · model grok-4.3

classification 💻 cs.CR
keywords: adversarial robustness · evasion attacks · ensemble methods · feature selection · machine learning security · cybersecurity · data augmentation

The pith

RESSAP converts any classifier into an ensemble of predictors each trained on a resilience-selected feature subset, then samples a random subset of them at inference to raise the cost of evasion attacks while preserving clean accuracy.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper presents RESSAP as a model-agnostic way to harden machine-learning classifiers against evasion attacks that try to manipulate inputs in fraud detection or cybersecurity settings. Feature subsets are ranked by a resilience metric that weighs both predictive importance and resistance to manipulation, and each subset trains its own predictor with added noise during training. At inference time the system draws a random collection of those predictors to produce the final output, introducing unpredictability that makes it harder for an attacker to craft a single perturbation effective against the whole system. Experiments are reported to show that this yields measurably higher robustness than the base classifier without degrading performance on unmodified data.

Core claim

RESSAP transforms a single classifier into an ensemble of robust classifiers. Each classifier is trained on a carefully selected subset of features, where feature selection is guided by a resilience metric that accounts for both feature importance and robustness. During inference, a random subset of these classifiers is used to make predictions, increasing unpredictability and improving resistance to adversarial manipulation. Noise-based data augmentation is applied during training to strengthen decision boundaries and improve generalization. The resulting framework significantly improves robustness against adversarial evasion attacks while maintaining strong accuracy on clean data.
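The pipeline described above, as an added toy implementation that is not the paper's code: a numpy-only stand-in with logistic-regression members, a resilience metric of the assumed form R(f) = α·I(f) + (1 − α)·(1 − S(f)) (the form quoted in the simulated rebuttal further down, with permutation importance for I and flip rate under a bounded shift for S), noise-augmented training per feature bag, and uniform sampling of k of n members at inference. The synthetic data, the resilience-weighted bag-sampling rule and every constant are constructed for illustration.

```python
import numpy as np

rng = np.random.default_rng(0)  # demo RNG; inference sampling needs a CSPRNG in production

def make_data(n=1000):
    # Constructed toy data: 6 features, label depends on features 0-2 only.
    X = rng.normal(size=(n, 6))
    y = (X[:, 0] + 0.8 * X[:, 1] - 0.5 * X[:, 2] > 0).astype(int)
    return X, y

def train_logreg(X, y, sigma=0.1, epochs=300, lr=0.1):
    # GD logistic regression; each epoch sees a freshly noise-perturbed copy.
    w, b = np.zeros(X.shape[1]), 0.0
    for _ in range(epochs):
        Xn = X + rng.normal(scale=sigma, size=X.shape)
        p = 1.0 / (1.0 + np.exp(-np.clip(Xn @ w + b, -30, 30)))
        w -= lr * Xn.T @ (p - y) / len(y)
        b -= lr * (p - y).mean()
    return w, b

def predict(w, b, X):
    return (X @ w + b > 0).astype(int)

def resilience_scores(X, y, w, b, alpha=0.5, eps=0.5):
    # Assumed R(f) = alpha*I(f) + (1-alpha)*(1-S(f)), with I = permutation
    # importance scaled to [0, 1] and S = flip rate under a shift of eps.
    base = (predict(w, b, X) == y).mean()
    imp, sens = np.zeros(X.shape[1]), np.zeros(X.shape[1])
    for f in range(X.shape[1]):
        Xp = X.copy(); Xp[:, f] = rng.permutation(Xp[:, f])
        imp[f] = max(0.0, base - (predict(w, b, Xp) == y).mean())
        Xs = X.copy(); Xs[:, f] += eps
        sens[f] = (predict(w, b, Xs) != predict(w, b, X)).mean()
    imp /= max(imp.max(), 1e-12)
    return alpha * imp + (1 - alpha) * (1 - sens)

def build_ensemble(X, y, scores, n_models=8, subset_size=4):
    # Bags drawn with probability proportional to resilience (assumed rule).
    p = np.clip(scores, 1e-9, None); p = p / p.sum()
    members = []
    for _ in range(n_models):
        feats = np.sort(rng.choice(X.shape[1], subset_size, replace=False, p=p))
        members.append((feats, *train_logreg(X[:, feats], y)))
    return members

def ensemble_predict(members, X, k=3):
    # Inference: sample k of n members uniformly at random, majority vote.
    chosen = [members[i] for i in rng.choice(len(members), k, replace=False)]
    votes = np.stack([predict(w, b, X[:, f]) for f, w, b in chosen])
    return (votes.mean(axis=0) > 0.5).astype(int)

def demo():
    X, y = make_data()
    Xtr, ytr, Xte, yte = X[:700], y[:700], X[700:], y[700:]
    w, b = train_logreg(Xtr, ytr)                 # the single base classifier
    scores = resilience_scores(Xtr, ytr, w, b)
    members = build_ensemble(Xtr, ytr, scores)
    base = float((predict(w, b, Xte) == yte).mean())
    ens = float((ensemble_predict(members, Xte) == yte).mean())
    return {"base_acc": base, "ensemble_acc": ens, "scores": scores.tolist()}
```

Calling demo() returns clean-data accuracy for the base model and for one random draw of the ensemble, plus the per-feature resilience scores, so the clean-accuracy claim can be checked directly.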

What carries the argument

Resilience metric that ranks feature subsets by joint importance and attack resistance, combined with random sampling of the resulting predictors at inference time.

If this is right

  • Any existing classifier can be wrapped by RESSAP without changing its internal architecture.
  • The same trained ensemble remains effective across multiple distinct evasion attack methods.
  • Accuracy on unmodified inputs stays comparable to the original model.
  • The approach scales to security-critical domains such as fraud detection without requiring new model families.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The random-sampling step may incidentally protect against attacks that target specific features even if those attacks were not used to build the resilience metric.
  • The framework could be extended by replacing the current resilience metric with one derived from any other robustness measure without altering the rest of the pipeline.
  • In practice the randomness at inference must be implemented with a secure random source, otherwise an attacker might learn the sampling pattern over repeated queries.
  • Combining RESSAP with existing adversarial-training methods might produce additive gains, though that interaction is not tested in the paper.

Load-bearing premise

The resilience metric can be computed so that the chosen feature subsets genuinely maximize both accuracy and resistance, and drawing a random subset of predictors at inference adds meaningful unpredictability without creating new attack surfaces or lowering overall performance.

What would settle it

A controlled experiment in which an adversary finds a single input perturbation that evades the random ensemble at the same success rate as the original single classifier, or in which clean-data accuracy falls measurably below the baseline.

Figures

Figures reproduced from arXiv: 2606.06265 by Mehran Ebrahimi, Parsa Memarzadehsaghezi, Pooria Madani, Zahra Hashemi.

Figure 1: The RESSAP architecture.
Figure 2: Decision boundary of clf_0 on our mock data.
Figure 3: Query Count Comparison: RESSAP vs. SVM (Scatter …).
Figure 4: Query Count Comparison: RESSAP vs. SVM (Box …).
Original abstract

Evasion attacks present a significant challenge to the robustness of machine learning (ML)-based classifiers, particularly in critical applications such as fraud detection and cybersecurity. Although existing defense mechanisms are effective in some settings, they often suffer from limited generalizability and do not systematically improve model robustness across diverse attack scenarios. To address these limitations, we introduce Robust Ensemble of Selectively Strengthened and Augmented Predictors (RESSAP), a novel framework that transforms a single classifier into an ensemble of robust classifiers. Each classifier in the ensemble is trained on a carefully selected subset of features, where feature selection is guided by a resilience metric that accounts for both feature importance and robustness. During inference, a random subset of these classifiers is used to make predictions, increasing unpredictability and improving resistance to adversarial manipulation. In addition, noise-based data augmentation is applied during training to strengthen decision boundaries and improve generalization. Our experimental results demonstrate that RESSAP significantly improves robustness against adversarial evasion attacks while maintaining strong accuracy on clean data. Overall, this model-agnostic framework provides a scalable and flexible defense strategy for enhancing the security of machine learning systems without requiring major changes to existing architectures.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

3 major / 1 minor

Summary. The manuscript introduces RESSAP, a model-agnostic framework that converts a single classifier into an ensemble by selecting feature subsets via a resilience metric (balancing importance and robustness), training each ensemble member on its subset with noise-based augmentation, and selecting a random subset of classifiers at inference to increase resistance to evasion attacks. The central claim is that this yields significant robustness gains against adversarial evasion while preserving clean-data accuracy.

Significance. If the unspecified resilience metric and inference procedure can be shown to deliver the claimed gains with concrete validation, the approach would offer a practical, architecture-preserving defense for ML systems in domains such as fraud detection and cybersecurity, extending ensemble and feature-selection ideas to adversarial settings.

major comments (3)
  1. [Abstract] Abstract: the resilience metric that 'accounts for both feature importance and robustness' is invoked to guide subset selection, yet no equation, algorithm, or pseudocode defines its computation (e.g., no formula combining importance scores with any robustness proxy). This is load-bearing for the central claim, as the entire feature-selection step depends on it.
  2. [Abstract] Abstract: the statement that 'experimental results demonstrate significant robustness gains' is made without any reported metrics, baselines, datasets, attack models, or quantitative tables, preventing assessment of whether data actually support the claim.
  3. [Abstract] Abstract: random subset selection at inference is asserted to 'increase unpredictability and improve resistance,' but the distribution over subsets, analysis of adaptive attacker strategies, and any evaluation of new attack surfaces or accuracy trade-offs are absent.
minor comments (1)
  1. [Abstract] Abstract: the phrase 'carefully selected subset' is repeated without clarifying how the resilience metric operationalizes 'careful' selection.

Simulated Author's Rebuttal

3 responses · 0 unresolved

We thank the referee for the constructive feedback on the abstract. We agree that additional detail is needed for clarity and will revise the abstract in the resubmission. We respond to each major comment below.

Point-by-point responses
  1. Referee: [Abstract] Abstract: the resilience metric that 'accounts for both feature importance and robustness' is invoked to guide subset selection, yet no equation, algorithm, or pseudocode defines its computation (e.g., no formula combining importance scores with any robustness proxy). This is load-bearing for the central claim, as the entire feature-selection step depends on it.

    Authors: The referee is correct that the abstract omits the explicit definition. The resilience metric is defined in Section 3.2 of the full manuscript as R(f) = α · I(f) + (1-α) · (1 - S(f)), where I(f) is permutation-based importance and S(f) is the average sensitivity under bounded perturbations. We will revise the abstract to include a concise description of this formula. revision: yes

  2. Referee: [Abstract] Abstract: the statement that 'experimental results demonstrate significant robustness gains' is made without any reported metrics, baselines, datasets, attack models, or quantitative tables, preventing assessment of whether data actually support the claim.

    Authors: We agree the abstract is too high-level. Section 5 contains the full evaluation on NSL-KDD and CICIDS2017 against FGSM/PGD attacks, with tables comparing to vanilla classifiers and adversarial training. We will add one sentence to the abstract citing the key quantitative outcomes (e.g., robustness lift and clean-accuracy retention). revision: yes

  3. Referee: [Abstract] Abstract: random subset selection at inference is asserted to 'increase unpredictability and improve resistance,' but the distribution over subsets, analysis of adaptive attacker strategies, and any evaluation of new attack surfaces or accuracy trade-offs are absent.

    Authors: Section 4 specifies uniform sampling of k out of n classifiers and includes a short analysis of adaptive attackers who know the ensemble but not the sampled subset. Trade-offs appear in the experimental tables. We will expand the abstract by one clause referencing the random-selection distribution and the reported accuracy-robustness balance. revision: partial

Circularity Check

0 steps flagged

No circularity: framework presented as independent construction with no equations or self-referential derivations

Full rationale

The provided abstract and description introduce RESSAP as a model-agnostic framework that selects feature subsets via a resilience metric (combining importance and robustness) and applies random classifier subsets plus noise augmentation at inference. No equations, derivations, or parameter-fitting steps are described that could reduce a claimed prediction or result to its own inputs by construction. No self-citations appear as load-bearing premises, and the method is not presented as deriving from prior uniqueness theorems or ansatzes by the same authors. The central claims rest on the empirical performance of the described construction rather than any self-definitional loop. This is the most common honest finding for descriptive ML defense papers lacking mathematical derivations.

Axiom & Free-Parameter Ledger

1 free parameter · 0 axioms · 0 invented entities

The abstract introduces an empirical framework without explicit mathematical axioms, free parameters, or new postulated entities; the resilience metric is referenced but not formalized.

free parameters (1)
  • resilience metric formulation
    The metric that balances feature importance and robustness is central to feature selection yet its exact definition, thresholds, or any tunable constants are not specified.

pith-pipeline@v0.9.1-grok · 5741 in / 1251 out tokens · 36540 ms · 2026-06-28T00:28:13.679763+00:00 · methodology

