Provable Robust Classification via Learned Smoothed Densities
- URL: http://arxiv.org/abs/2005.04504v1
- Date: Sat, 9 May 2020 19:52:32 GMT
- Title: Provable Robust Classification via Learned Smoothed Densities
- Authors: Saeed Saremi, Rupesh Srivastava
- Abstract summary: We formulate the problem of robust classification in terms of $\widehat{x}(Y)$, the $\textit{Bayes estimator}$ of $X$ given the noisy measurements $Y$.
We show that with a learned smoothed energy function and a linear classifier we can achieve provable $\ell_2$ robust accuracies that are competitive with empirical defenses.
- Score: 1.599072005190786
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Smoothing classifiers and probability density functions with Gaussian kernels
appear unrelated, but in this work, they are unified for the problem of robust
classification. The key building block is approximating the $\textit{energy
function}$ of the random variable $Y=X+N(0,\sigma^2 I_d)$ with a neural network
which we use to formulate the problem of robust classification in terms of
$\widehat{x}(Y)$, the $\textit{Bayes estimator}$ of $X$ given the noisy
measurements $Y$. We introduce $\textit{empirical Bayes smoothed classifiers}$
within the framework of $\textit{randomized smoothing}$ and study them
theoretically for the two-class linear classifier, where we show one can
improve their robustness above $\textit{the margin}$. We test the theory on
MNIST and we show that with a learned smoothed energy function and a linear
classifier we can achieve provable $\ell_2$ robust accuracies that are
competitive with empirical defenses. This setup can be significantly improved
by $\textit{learning}$ empirical Bayes smoothed classifiers with adversarial
training, and on MNIST we show that we can achieve provable robust accuracies
higher than the state-of-the-art empirical defenses in a range of radii. We
discuss some fundamental challenges of randomized smoothing based on a
geometric interpretation due to concentration of Gaussians in high dimensions,
and we finish the paper with a proposal for using walk-jump sampling, itself
based on learned smoothed densities, for robust classification.
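For concreteness, the sketch below shows one way the ingredients named in the abstract can be combined (not the authors' implementation): a network that approximates the energy of $Y = X + N(0, \sigma^2 I_d)$, the empirical Bayes (Tweedie) estimator $\widehat{x}(y) = y - \sigma^2 \nabla_y E_\theta(y)$ with $E_\theta \approx -\log p_Y$, and a simplified Monte Carlo certification in the spirit of randomized smoothing. The names `energy_net` and `base_clf`, the sample count, and the single-stage Clopper-Pearson bound are illustrative assumptions rather than the paper's exact procedure.

```python
import torch
from scipy.stats import beta, norm

def bayes_estimator(energy_net, y, sigma):
    """Empirical Bayes (Tweedie) estimate of X from noisy Y:
    xhat(y) = y + sigma^2 * grad log p_Y(y) = y - sigma^2 * grad E_theta(y),
    where energy_net approximates the energy of Y = X + N(0, sigma^2 I_d)."""
    y = y.detach().requires_grad_(True)
    grad, = torch.autograd.grad(energy_net(y).sum(), y)
    return (y - sigma ** 2 * grad).detach()

def smoothed_predict(energy_net, base_clf, x, sigma, n=1000, alpha=0.001):
    """Simplified Monte Carlo certification in the style of randomized smoothing:
    classify the Bayes estimates of n noisy copies of x, take the majority class,
    and turn a (1 - alpha) lower confidence bound on its probability into an l2 radius."""
    noisy = x.unsqueeze(0) + sigma * torch.randn(n, *x.shape)   # n draws of Y = x + noise
    votes = base_clf(bayes_estimator(energy_net, noisy, sigma)).argmax(dim=1)
    top = votes.mode().values.item()
    n_top = int((votes == top).sum())
    p_lower = beta.ppf(alpha, n_top, n - n_top + 1)             # Clopper-Pearson lower bound
    radius = sigma * norm.ppf(p_lower) if p_lower > 0.5 else 0.0
    return top, radius
```

A linear `base_clf` applied to the Bayes estimate corresponds to the linear-classifier setting analyzed in the paper; a larger `n` tightens the confidence bound at the cost of more forward passes.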
Related papers
- Log-Concave Coupling for Sampling Neural Net Posteriors [0.4604003661048266]
We present a sampling algorithm for single hidden layer neural networks.
The algorithm is based on a coupling of the posterior density for $w$ with an auxiliary random variable $\xi$.
The score of the marginal density of the auxiliary random variable $\xi$ is determined by an expectation over $w \mid \xi$.
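The last sentence appears to invoke the standard identity that writes the score of the marginal of $\xi$ as a posterior expectation; a minimal statement in the summary's notation (the particular log-concave coupling constructed in the paper is not reproduced here):

$$\nabla_{\xi}\log p(\xi) \;=\; \frac{\int \nabla_{\xi}\, p(\xi \mid w)\, p(w)\, dw}{p(\xi)} \;=\; \mathbb{E}_{w \mid \xi}\!\left[\nabla_{\xi}\log p(\xi \mid w)\right].$$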
arXiv Detail & Related papers (2024-07-26T15:05:41Z) - SPLITZ: Certifiable Robustness via Split Lipschitz Randomized Smoothing [8.471466670802817]
There are two approaches to provide certifiable robustness to adversarial examples.
We propose $\textit{SPLITZ}$, a practical and novel approach.
We show that $\textit{SPLITZ}$ consistently improves upon existing state-of-the-art approaches.
arXiv Detail & Related papers (2024-07-03T05:13:28Z) - Approximate Function Evaluation via Multi-Armed Bandits [51.146684847667125]
We study the problem of estimating the value of a known smooth function $f$ at an unknown point $\boldsymbol{\mu} \in \mathbb{R}^n$, where each component $\mu_i$ can be sampled via a noisy oracle.
We design an instance-adaptive algorithm that learns to sample according to the importance of each coordinate, and with probability at least $1-\delta$ returns an $\epsilon$-accurate estimate of $f(\boldsymbol{\mu})$.
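As a purely illustrative sketch (not the paper's algorithm or its guarantee), one way such importance-based allocation can look is to spend each extra oracle call on the coordinate whose current uncertainty contributes most to the error of $f(\boldsymbol{\mu})$. Here `oracle(i)` is assumed to return one noisy sample of $\mu_i$, and `grad_f` is an assumed-known gradient of $f$.

```python
import numpy as np

def adaptive_estimate(f, grad_f, oracle, n_dims, budget, warmup=10):
    """Hypothetical importance-based allocation: after a uniform warm-up,
    each remaining oracle call goes to the coordinate with the largest
    estimated error contribution |df/dmu_i| / sqrt(n_i)."""
    counts = np.full(n_dims, warmup, dtype=float)
    sums = np.array([sum(oracle(i) for _ in range(warmup)) for i in range(n_dims)], dtype=float)
    for _ in range(budget - warmup * n_dims):
        mu_hat = sums / counts
        contribution = np.abs(grad_f(mu_hat)) / np.sqrt(counts)
        i = int(np.argmax(contribution))
        sums[i] += oracle(i)
        counts[i] += 1
    return f(sums / counts)
```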
arXiv Detail & Related papers (2022-03-18T18:50:52Z) - Multimeasurement Generative Models [7.502947376736449]
We map the problem of sampling from an unknown distribution with density $p_X$ in $\mathbb{R}^d$ to the problem of learning and sampling $p_{\mathbf{Y}}$ in $\mathbb{R}^{Md}$ obtained by convolving $p_X$ with a fixed factorial kernel.
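In this notation, $Y = (Y_1, \dots, Y_M)$ with $Y_m = X + N(0, \sigma^2 I_d)$ when the factorial kernel is taken, for illustration, to be isotropic Gaussian with a shared noise level. The sketch below draws such multimeasurement data and shows one natural Tweedie-style denoiser under this model; `score_net`, assumed to output $\nabla_y \log p_{\mathbf{Y}}(y)$, is a placeholder, and this is a sketch rather than the paper's sampler.

```python
import torch

def multimeasurement(x, sigma, M):
    """Draw Y = (Y_1, ..., Y_M), Y_m = X + N(0, sigma^2 I_d): a sample from
    p_Y on R^{M*d}, i.e. p_X convolved with a factorial Gaussian kernel."""
    return x.unsqueeze(0) + sigma * torch.randn(M, *x.shape)

def estimate_x(score_net, y, sigma):
    """Tweedie-style estimate of X from the M measurements: each y_m plus
    sigma^2 times the corresponding block of the joint score, averaged over m.
    score_net(y) is assumed to return grad_y log p_Y(y) with the shape of y."""
    return (y + sigma ** 2 * score_net(y)).mean(dim=0)
```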
arXiv Detail & Related papers (2021-12-18T02:11:36Z) - Optimal Robust Linear Regression in Nearly Linear Time [97.11565882347772]
We study the problem of high-dimensional robust linear regression where a learner is given access to $n$ samples from the generative model $Y = \langle X, w^* \rangle + \epsilon$.
We propose estimators for this problem under two settings: (i) $X$ is $L_4$-$L_2$ hypercontractive, $\mathbb{E}[XX^\top]$ has bounded condition number and $\epsilon$ has bounded variance and (ii) $X$ is sub-Gaussian with identity second moment and $\epsilon$ is
arXiv Detail & Related papers (2020-07-16T06:44:44Z) - Sharp Statistical Guarantees for Adversarially Robust Gaussian
Classification [54.22421582955454]
We provide the first result of the optimal minimax guarantees for the excess risk for adversarially robust classification.
Results are stated in terms of the Adversarial Signal-to-Noise Ratio (AdvSNR), which generalizes a similar notion for standard linear classification to the adversarial setting.
arXiv Detail & Related papers (2020-06-29T21:06:52Z) - Consistency Regularization for Certified Robustness of Smoothed
Classifiers [89.72878906950208]
A recent technique of randomized smoothing has shown that the worst-case $\ell_2$-robustness can be transformed into the average-case robustness.
We found that the trade-off between accuracy and certified robustness of smoothed classifiers can be greatly controlled by simply regularizing the prediction consistency over noise.
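The exact objective of that paper is not reproduced here; the sketch below shows one simple instantiation of "regularizing prediction consistency over noise": the usual noisy-data cross-entropy plus a penalty on the variance of the predicted class probabilities across Gaussian noise draws. `model`, `sigma`, `lam`, and `m` are placeholders.

```python
import torch
import torch.nn.functional as F

def consistency_loss(model, x, y, sigma, m=2, lam=1.0):
    """Cross-entropy on m Gaussian-noised copies of each input, plus a penalty
    on the variance of the predicted class probabilities across the noise
    draws, as one simple way to encourage prediction consistency over noise."""
    b = x.size(0)
    rep = x.repeat(m, *([1] * (x.dim() - 1)))       # (m*b, ...) copies of the batch
    noisy = rep + sigma * torch.randn_like(rep)     # independent Gaussian noise per copy
    log_probs = F.log_softmax(model(noisy), dim=1)
    ce = F.nll_loss(log_probs, y.repeat(m))         # standard loss on noisy inputs
    probs = log_probs.exp().view(m, b, -1)
    consistency = probs.var(dim=0, unbiased=False).sum(dim=1).mean()
    return ce + lam * consistency
```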
arXiv Detail & Related papers (2020-06-07T06:57:43Z) - Robustly Learning any Clusterable Mixture of Gaussians [55.41573600814391]
We study the efficient learnability of high-dimensional Gaussian mixtures in the adversarial-robust setting.
We provide an algorithm that learns the components of an $\epsilon$-corrupted $k$-mixture within information-theoretically near-optimal error of $\tilde{O}(\epsilon)$.
Our main technical contribution is a new robust identifiability proof of clusters from a Gaussian mixture, which can be captured by the constant-degree Sum of Squares proof system.
arXiv Detail & Related papers (2020-05-13T16:44:12Z) - Towards Deep Learning Models Resistant to Large Perturbations [0.0]
Adversarial robustness has proven to be a required property of machine learning algorithms.
We show that the well-established algorithm called "adversarial training" fails to train a deep neural network given a large, but reasonable, perturbation magnitude.
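For reference, here is a minimal sketch of the PGD-based adversarial training step that the summary refers to (in the style of Madry et al.); the perturbation budget `eps`, step size `alpha`, and step count are placeholder values on a $[0, 1]$ pixel scale.

```python
import torch
import torch.nn.functional as F

def pgd_attack(model, x, y, eps, alpha, steps):
    """l_inf PGD: repeatedly ascend the loss, then project back into the eps-ball around x."""
    x_adv = (x + eps * (2 * torch.rand_like(x) - 1)).clamp(0, 1)   # random start
    for _ in range(steps):
        x_adv = x_adv.detach().requires_grad_(True)
        grad, = torch.autograd.grad(F.cross_entropy(model(x_adv), y), x_adv)
        x_adv = x_adv + alpha * grad.sign()
        x_adv = torch.min(torch.max(x_adv, x - eps), x + eps).clamp(0, 1)
    return x_adv.detach()

def adversarial_training_step(model, optimizer, x, y, eps=0.3, alpha=0.01, steps=40):
    """One adversarial-training update: replace the clean batch by its PGD
    perturbation and take a gradient step on that."""
    x_adv = pgd_attack(model, x, y, eps, alpha, steps)
    optimizer.zero_grad()
    loss = F.cross_entropy(model(x_adv), y)
    loss.backward()
    optimizer.step()
    return loss.item()
```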
arXiv Detail & Related papers (2020-03-30T12:03:09Z) - Randomized Smoothing of All Shapes and Sizes [29.40896576138737]
We show that for an appropriate notion of "optimal", the optimal smoothing for any "nice" norm has level sets given by the norm's *Wulff Crystal*.
We show fundamental limits to current randomized smoothing techniques via the theory of *Banach space cotypes*.
arXiv Detail & Related papers (2020-02-19T11:41:09Z) - Curse of Dimensionality on Randomized Smoothing for Certifiable
Robustness [151.67113334248464]
We show that extending the smoothing technique to defend against other attack models can be challenging.
We present experimental results on CIFAR to validate our theory.
arXiv Detail & Related papers (2020-02-08T22:02:14Z)