CEAR: Certified Ensemble Adversarial Robustness in DNNs

📅 2026-05-31
📈 Citations: 0
Influential: 0
🤖 AI Summary
Deep neural networks are highly vulnerable to adversarial perturbations: empirical defenses often fail under adaptive white-box attacks, while certified defenses give provable guarantees within a stated perturbation bound but typically sacrifice practical utility. This work proposes CEAR, an ensemble method that combines empirical and certified defenses and extends randomized smoothing to certify ensemble classifiers. CEAR trains each base model with a different Gaussian noise level and temperature, which obfuscates gradients and logits against gradient-based attacks, and then combines the models' noisy logits through two proposed voting mechanisms. Obfuscation on its own is an empirical measure that adaptive attacks are known to get around; the provable part of CEAR's guarantee comes from the smoothing-based certificate, which holds even against an attacker with full knowledge of the model, but only within the certified radius. On MNIST, CIFAR-10, and TinyImageNet, CEAR reports higher average certified accuracy, a larger certified robustness radius, and decreased attack transferability compared to baseline methods.
📝 Abstract
Deep Neural Networks (DNNs) are highly susceptible to adversarial perturbations, leading to extensive research on robustness for safety-critical applications. State-of-the-art empirical defense mechanisms improve the robustness of DNNs through the training phase, but still struggle against adaptive white-box attacks. On the other hand, certified defenses offer provable guarantees of robustness within a specified perturbation bound. These guarantees hold regardless of the level of perturbations, even if the attacker is given full knowledge of the model. In this paper, we propose CEAR, an ensemble-based robust method that utilizes a hybrid of empirical and certified defense mechanisms. CEAR trains each network within the ensemble using varying Gaussian noise and temperatures to obfuscate gradients and logits, making the model more resistant to stronger gradient-based attacks. We then use noisy logits and propose two different voting mechanisms to further improve robustness. Furthermore, we extend randomized smoothing to verify the robustness of ensemble-based classifiers. Our experimental evaluations on MNIST, CIFAR10, and TinyImageNet datasets demonstrate superior certified accuracy on average, increased robustness radius, and decreased transferability compared to baseline methods.
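The abstract says randomized smoothing is extended to an ensemble classifier, and the AI summary above adds that the vote runs over temperature-scaled, noisy logits. The page does not give CEAR's voting rules, trained models, or noise levels, so the following is an added, self-contained illustration (not the paper's code) of the mechanism that makes such a certificate possible: the standard CERTIFY procedure of Cohen, Rosenfeld and Kolter (2019) only requires a deterministic base decision function F, so an ensemble whose vote is the mean of per-model temperature-scaled softmaxes can be smoothed and certified exactly like a single network. The three linear base models, their temperatures, the smoothing sigma, the sample counts and the averaging vote rule are all constructed assumptions for the example; the Clopper-Pearson lower bound and the L2 radius sigma * Phi^-1(pA_lower) are the standard ones from that paper.

```python
import math
import random
from statistics import NormalDist

# Constructed toy ensemble (assumption, not CEAR's trained models): three
# linear base models over 2-D inputs with three classes. W[c] is the weight
# vector of class c; T is the per-model temperature applied before softmax.
BASE_MODELS = [
    {"W": [[1.0, 0.0], [-0.5, 0.866], [-0.5, -0.866]], "T": 1.0},
    {"W": [[1.1, 0.1], [-0.6, 0.8], [-0.4, -0.9]], "T": 2.0},
    {"W": [[0.9, -0.1], [-0.5, 0.9], [-0.6, -0.8]], "T": 0.5},
]
NUM_CLASSES = 3


def _softmax(z):
    m = max(z)
    e = [math.exp(v - m) for v in z]
    s = sum(e)
    return [v / s for v in e]


def ensemble_scores(x):
    """Deterministic ensemble decision function F(x): the mean over base
    models of the temperature-scaled softmax of that model's logits.
    (The averaging vote is an assumed rule; the page does not define CEAR's.)"""
    scores = [0.0] * NUM_CLASSES
    for model in BASE_MODELS:
        logits = [sum(w * xi for w, xi in zip(row, x)) for row in model["W"]]
        probs = _softmax([l / model["T"] for l in logits])
        for c in range(NUM_CLASSES):
            scores[c] += probs[c] / len(BASE_MODELS)
    return scores


def ensemble_predict(x):
    scores = ensemble_scores(x)
    return max(range(NUM_CLASSES), key=lambda c: scores[c])


def sample_counts(x, sigma, n, rng):
    """Evaluate F on n Gaussian-perturbed copies of x and count the votes."""
    counts = [0] * NUM_CLASSES
    for _ in range(n):
        noisy = [xi + rng.gauss(0.0, sigma) for xi in x]
        counts[ensemble_predict(noisy)] += 1
    return counts


def _binom_sf(k, n, p):
    """P[Binomial(n, p) >= k], summed in log space to avoid overflow."""
    if k <= 0:
        return 1.0
    if p <= 0.0:
        return 0.0
    if p >= 1.0:
        return 1.0
    log_p, log_q = math.log(p), math.log1p(-p)
    terms = [
        math.lgamma(n + 1) - math.lgamma(i + 1) - math.lgamma(n - i + 1)
        + i * log_p + (n - i) * log_q
        for i in range(k, n + 1)
    ]
    m = max(terms)
    return math.exp(m) * sum(math.exp(t - m) for t in terms)


def clopper_pearson_lower(k, n, alpha):
    """One-sided (1 - alpha) Clopper-Pearson lower bound on the success
    probability after k successes in n trials: the p with P[X >= k] = alpha,
    found by bisection since P[X >= k] is increasing in p."""
    lo, hi = 0.0, 1.0
    for _ in range(60):
        mid = (lo + hi) / 2.0
        if _binom_sf(k, n, mid) < alpha:
            lo = mid
        else:
            hi = mid
    return lo


def certified_radius(sigma, pa_lower):
    """Certified L2 radius sigma * Phi^-1(pA_lower); 0.0 means abstain."""
    if pa_lower <= 0.5:
        return 0.0
    return sigma * NormalDist().inv_cdf(pa_lower)


def certify(x, sigma, n0=100, n=1000, alpha=0.001, seed=0):
    """CERTIFY: pick the top class from n0 samples, then lower-bound its
    probability with n fresh samples. Returns (class, radius), or
    (None, 0.0) when the smoothed ensemble abstains."""
    rng = random.Random(seed)
    guess = sample_counts(x, sigma, n0, rng)
    c_a = max(range(NUM_CLASSES), key=lambda c: guess[c])
    counts = sample_counts(x, sigma, n, rng)
    pa_lower = clopper_pearson_lower(counts[c_a], n, alpha)
    radius = certified_radius(sigma, pa_lower)
    if radius == 0.0:
        return None, 0.0
    return c_a, radius


if __name__ == "__main__":
    for point in ([3.0, 0.0], [0.0, 0.0]):
        label, r = certify(point, sigma=0.5)
        print(point, "->", "abstain" if label is None
              else f"class {label}, certified L2 radius {r:.3f}")
```

Two things worth noticing when running it. A point deep inside one class's region gets a certificate whose radius is set entirely by sigma and the confidence level (with all n votes agreeing, pA_lower = alpha^(1/n)), while a point where the base models disagree under noise produces an abstention rather than a weak guarantee. Nothing in the certificate depends on the attacker not knowing the weights or temperatures, which is the property the abstract contrasts with purely empirical, obfuscation-based defenses; the guarantee is, however, limited to the returned L2 radius, and the ensemble-specific benefit the paper claims (a larger radius from combining differently trained base models) would have to come from the trained models themselves, not from the certification step shown here.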
Problem

Research questions and friction points this paper is trying to address.

adversarial robustness
certified defense
ensemble methods
deep neural networks
randomized smoothing
Innovation

Methods, ideas, or system contributions that make the work stand out.

ensemble robustness
randomized smoothing
adversarial certification
gradient obfuscation
noisy logits