Higher-Order Certification for Randomized Smoothing
- URL: http://arxiv.org/abs/2010.06651v1
- Date: Tue, 13 Oct 2020 19:35:48 GMT
- Title: Higher-Order Certification for Randomized Smoothing
- Authors: Jeet Mohapatra, Ching-Yun Ko, Tsui-Wei Weng, Pin-Yu Chen, Sijia Liu, Luca Daniel
- Abstract summary: We propose a framework to improve the certified safety region for smoothed classifiers.
We provide a method to calculate the certified safety region using $0^{th}$-order and $1^{st}$-order information.
We also provide a framework that generalizes the calculation for certification using higher-order information.
- Score: 78.00394805536317
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Randomized smoothing is a recently proposed defense against adversarial
attacks that has achieved SOTA provable robustness against $\ell_2$
perturbations. A number of publications have extended the guarantees to other
metrics, such as $\ell_1$ or $\ell_\infty$, by using different smoothing
measures. Although the current framework has been shown to yield near-optimal
$\ell_p$ radii, the total safety region certified by the current framework can
be arbitrarily small compared to the optimal. In this work, we propose a
framework to improve the certified safety region for these smoothed classifiers
without changing the underlying smoothing scheme. The theoretical contributions
are as follows: 1) We generalize the certification for randomized smoothing by
reformulating certified radius calculation as a nested optimization problem
over a class of functions. 2) We provide a method to calculate the certified
safety region using $0^{th}$-order and $1^{st}$-order information for
Gaussian-smoothed classifiers. We also provide a framework that generalizes the
calculation for certification using higher-order information. 3) We design
efficient, high-confidence estimators for the relevant statistics of the
first-order information. Combining the theoretical contributions 2) and 3)
allows us to certify safety regions that are significantly larger than the ones
provided by the current methods. On CIFAR10 and Imagenet datasets, the new
regions certified by our approach achieve significant improvements on general
$\ell_1$ certified radii and on the $\ell_2$ certified radii for color-space
attacks ($\ell_2$ restricted to 1 channel) while also achieving smaller
improvements on the general $\ell_2$ certified radii. Our framework can also
provide a way to circumvent the current impossibility results on achieving
higher magnitude of certified radii without requiring the use of data-dependent
smoothing techniques.
Related papers
- Adaptive Hierarchical Certification for Segmentation using Randomized Smoothing [87.48628403354351]
Certification for machine learning is proving that no adversarial sample can evade a model within a range under certain conditions.
Common certification methods for segmentation use a flat set of fine-grained classes, leading to high abstain rates due to model uncertainty.
We propose a novel, more practical setting, which certifies pixels within a multi-level hierarchy, and adaptively relaxes the certification to a coarser level for unstable components.
arXiv Detail & Related papers (2024-02-13T11:59:43Z)
- Towards Large Certified Radius in Randomized Smoothing using Quasiconcave Optimization [3.5133481941064164]
In this work, we show that by exploiting a quasi fixed problem structure, we can find the optimal certified radii for most data points with slight computational overhead.
This leads to an efficient and effective input-specific randomized smoothing algorithm.
arXiv Detail & Related papers (2023-02-01T03:25:43Z)
- Smooth-Reduce: Leveraging Patches for Improved Certified Robustness [100.28947222215463]
We propose a training-free, modified smoothing approach, Smooth-Reduce.
Our algorithm classifies overlapping patches extracted from an input image, and aggregates the predicted logits to certify a larger radius around the input.
We provide theoretical guarantees for such certificates, and empirically show significant improvements over other randomized smoothing methods.
arXiv Detail & Related papers (2022-05-12T15:26:20Z)
- ANCER: Anisotropic Certification via Sample-wise Volume Maximization [134.7866967491167]
We introduce ANCER, a framework for obtaining anisotropic certificates for a given test set sample via volume.
Results demonstrate that ANCER introduces accuracy on both CIFAR-10 and ImageNet at multiple radii, while certifying substantially larger regions in terms of volume.
arXiv Detail & Related papers (2021-07-09T17:42:38Z)
- Certifying Confidence via Randomized Smoothing [151.67113334248464]
Randomized smoothing has been shown to provide good certified-robustness guarantees for high-dimensional classification problems.
Most smoothing methods do not give us any information about the confidence with which the underlying classifier makes a prediction.
We propose a method to generate certified radii for the prediction confidence of the smoothed classifier.
arXiv Detail & Related papers (2020-09-17T04:37:26Z)
- Adversarial robustness via robust low rank representations [44.41534627858075]
In this work we highlight the benefits of natural low rank representations that often exist for real data such as images.
We exploit low rank data representations to provide improved guarantees over state-of-the-art randomized smoothing-based approaches.
Our second contribution is for the more challenging setting of certified robustness to perturbations measured in $\ell_\infty$ norm.
arXiv Detail & Related papers (2020-07-13T17:57:00Z)
- Black-Box Certification with Randomized Smoothing: A Functional Optimization Based Framework [60.981406394238434]
We propose a general framework of adversarial certification with non-Gaussian noise and for more general types of attacks.
Our proposed methods achieve better certification results than previous works and provide a new perspective on randomized smoothing certification.
arXiv Detail & Related papers (2020-02-21T07:52:47Z)
- Randomized Smoothing of All Shapes and Sizes [29.40896576138737]
We show that for an appropriate notion of "optimal", the optimal smoothing for any "nice" norms have level sets given by the norm's *Wulff Crystal*.
We show fundamental limits to current randomized smoothing techniques via the theory of *Banach space cotypes*.
arXiv Detail & Related papers (2020-02-19T11:41:09Z)