Regularized Training and Tight Certification for Randomized Smoothed Classifier with Provable Robustness

Feng, Huijie; Wu, Chunpeng; Chen, Guoyang; Zhang, Weifeng; Yang, Ning

doi:10.1609/aaai.v34i04.5798

Cited by 8 publications

(8 citation statements)

References 7 publications

(8 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…4) Robust Training for Randomized Models [24,65,95,19,71,54,129,43,5,130,128]: This subsection mainly summarizes robust training approaches for randomized models, along with other efforts towards robust randomized models. Data augmentation.…”

Section: F Probabilistic Robustness Verificationmentioning

confidence: 99%

“…MACER [129] derives a regularization term which directly maximizes the certified robustness. ADRE [43] proposes another regularizer to penalize the misclassified samples and improve the certified robustness of the correctly predicted samples. Adversarial training.…”

Section: F Probabilistic Robustness Verificationmentioning

confidence: 99%

“…Smooth ImageNet 1 -Teng [108] Rand. Smooth ImageNet ADRE [43] Rand. Smooth ImageNet Zhang-Dual [130] Rand.…”

Section: Full Experiments Details Of Evaluation Of Deterministic Veri...mentioning

confidence: 99%

See 2 more Smart Citations

SoK: Certified Robustness for Deep Neural Networks

Li¹,

Qi²,

Xie³

et al. 2020

Preprint

View full text Add to dashboard Cite

Great advancement in deep neural networks (DNNs) has led to state-of-the-art performance on a wide range of tasks. However, recent studies have shown that DNNs are vulnerable to adversarial attacks, which have brought great concerns when deploying these models to safety-critical applications such as autonomous driving. Different defense approaches have been proposed against adversarial attacks, including: 1) empirical defenses, which can be adaptively attacked again without providing robustness certification; and 2) certifiably robust approaches, which consist of robustness verification providing the lower bound of robust accuracy against any attacks under certain conditions and corresponding robust training approaches. In this paper, we focus on these certifiably robust approaches and provide the first work to perform large-scale systematic analysis of different robustness verification and training approaches. In particular, we 1) provide a taxonomy for the robustness verification and training approaches, as well as discuss the detailed methodologies for representative algorithms, 2) reveal the fundamental connections among these approaches, 3) discuss current research progresses, theoretical barriers, main challenges, and several promising future directions for certified defenses for DNNs, and 4) provide an open-sourced unified platform to evaluate 20+ representative verification and corresponding robust training approaches on a wide range of DNNs.

show abstract

Section: F Probabilistic Robustness Verificationmentioning

confidence: 99%

Section: F Probabilistic Robustness Verificationmentioning

confidence: 99%

See 1 more Smart Citation

SoK: Certified Robustness for Deep Neural Networks

Li¹,

Qi²,

Xie³

et al. 2020

Preprint

View full text Add to dashboard Cite

show abstract

“…The certificate then determines the radius in which p a (x ) will remain above 0.5: this guarantees that a will remain the top class, regardless of the other logits. While some works (Lecuyer et al, 2019;Feng et al, 2020) independently estimate each smoothed logit, this incurs additional estimation error as the number of classes increases. In this work, we assume that only estimates for the top-class smoothed logit p a (x) and its gradient ∇ x p a (x) are available (although we briefly discuss the case with more estimated logits in Section 3.2).…”

Section: Preliminaries Assumptions and Notationmentioning

confidence: 99%

“…If estimates and gradients are available for multiple classes, it would then be possible to achieve an even larger certificate, by setting the lower bound of the top logit equal to the upper bounds of each of the other logits. Note, however, that unlike first-order smoothing works (Lecuyer et al, 2019;Feng et al, 2020) which use this approach, it is not sufficient to compare against just the "'runner-up" class, because other logits may have less restrictive upper-bounds due to having larger gradients. As discussed above, gradient norm estimation can be computationally expensive, so gradient estimation for many classes may not be feasible.…”

Section: Upper-bound and Multi-class Certificatesmentioning

confidence: 99%

Tight Second-Order Certificates for Randomized Smoothing

Levine,

Kumar,

Goldstein

et al. 2020

Preprint

View full text Add to dashboard Cite

Randomized smoothing is a popular way of providing robustness guarantees against adversarial attacks: randomly-smoothed functions have a universal Lipschitz-like bound, allowing for robustness certificates to be easily computed. In this work, we show that there also exists a universal curvature-like bound for Gaussian random smoothing: given the exact value and gradient of a smoothed function, we compute a lower bound on the distance of a point to its closest adversarial example, called the Second-order Smoothing (SoS) robustness certificate. In addition to proving the correctness of this novel certificate, we show that SoS certificates are realizable and therefore tight. Interestingly, we show that the maximum achievable benefits, in terms of certified robustness, from using the additional information of the gradient norm are relatively small: because our bounds are tight, this is a fundamental negative result. The gain of SoS certificates further diminishes if we consider the estimation error of the gradient norms, for which we have developed an estimator. We therefore additionally develop a variant of Gaussian smoothing, called Gaussian dipole smoothing, which provides similar bounds to randomized smoothing with gradient information, but with much-improved sample efficiency. This allows us to achieve (marginally) improved robustness certificates on high-dimensional datasets such as CIFAR-10 and ImageNet. Code is available at https://github.com/alevine0/smoothing_second_ order.

show abstract