Randomized Smoothing under Attack: How Good is it in Pratice?
- URL: http://arxiv.org/abs/2204.14187v1
- Date: Thu, 28 Apr 2022 11:37:40 GMT
- Title: Randomized Smoothing under Attack: How Good is it in Pratice?
- Authors: Thibault Maho, Teddy Furon, Erwan Le Merrer
- Abstract summary: We first highlight the mismatch between a theoretical certification and the practice of attacks on classifiers.
We then perform attacks on randomized smoothing as a defense.
Our main observation is that there is a major mismatch in the settings of the RS for obtaining high certified robustness or when defeating black box attacks.
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Randomized smoothing (RS) is a recent and celebrated solution to certify the robustness of any classifier. While it indeed provides a theoretical robustness against adversarial attacks, the dimensionality of current classifiers necessarily imposes Monte Carlo approaches for its application in practice. This paper questions the effectiveness of randomized smoothing as a defense against state-of-the-art black-box attacks. This is a novel perspective, as previous research works considered the certification as an unquestionable guarantee. We first formally highlight the mismatch between a theoretical certification and the practice of attacks on classifiers. We then perform attacks on randomized smoothing as a defense. Our main observation is that there is a major mismatch in the settings of the RS for obtaining high certified robustness or for defeating black-box attacks while preserving the classifier accuracy.
Related papers
- FCert: Certifiably Robust Few-Shot Classification in the Era of Foundation Models [38.019489232264796]
  We propose FCert, the first certified defense against data poisoning attacks to few-shot classification.
  Our experimental results show our FCert: 1) maintains classification accuracy without attacks, 2) outperforms existing certified defenses for data poisoning attacks, and 3) is efficient and general.
  arXiv Detail & Related papers (2024-04-12T17:50:40Z)
- The Lipschitz-Variance-Margin Tradeoff for Enhanced Randomized Smoothing [85.85160896547698]
  Real-life applications of deep neural networks are hindered by their unsteady predictions when faced with noisy inputs and adversarial attacks.
  We show how to design an efficient classifier with a certified radius by relying on noise injection into the inputs.
  Our novel certification procedure allows us to use pre-trained models with randomized smoothing, effectively improving the current certification radius in a zero-shot manner.
  arXiv Detail & Related papers (2023-09-28T22:41:47Z)
- Adversarial attacks for mixtures of classifiers [7.612259653177203]
  We discuss the problem of attacking a mixture in a principled way.
  We introduce two desirable properties of attacks based on a geometrical analysis of the problem.
  We then show that existing attacks do not meet both of these properties.
  arXiv Detail & Related papers (2023-07-20T11:38:55Z)
- Towards Fair Classification against Poisoning Attacks [52.57443558122475]
  We study the poisoning scenario where the attacker can insert a small fraction of samples into training data.
  We propose a general and theoretically guaranteed framework which accommodates traditional defense methods to fair classification against poisoning attacks.
  arXiv Detail & Related papers (2022-10-18T00:49:58Z)
- Detection as Regression: Certified Object Detection by Median Smoothing [50.89591634725045]
  This work is motivated by recent progress on certified classification by randomized smoothing.
  We obtain the first model-agnostic, training-free, and certified defense for object detection against $\ell$-bounded attacks.
  arXiv Detail & Related papers (2020-07-07T18:40:19Z)
- Robustness Verification for Classifier Ensembles [3.5884936187733394]
  The robustness-checking problem consists of assessing, given a set of classifiers and a labelled data set, whether there exists a randomized attack.
  We show the NP-hardness of the problem and provide an upper bound on the number of attacks that is sufficient to form an optimal randomized attack.
  Our prototype implementation verifies multiple neural-network ensembles trained for image-classification tasks.
  arXiv Detail & Related papers (2020-05-12T07:38:43Z)
- Denoised Smoothing: A Provable Defense for Pretrained Classifiers [101.67773468882903]
  We present a method for provably defending any pretrained image classifier against $\ell_p$ adversarial attacks.
  This method allows public vision API providers and users to seamlessly convert pretrained non-robust classification services into provably robust ones.
  arXiv Detail & Related papers (2020-03-04T06:15:55Z)
- Randomization matters. How to defend against strong adversarial attacks [17.438104235331085]
  We show that adversarial attacks and defenses form an infinite zero-sum game where classical results do not apply.
  We show that our defense method considerably outperforms Adversarial Training against state-of-the-art attacks.
  arXiv Detail & Related papers (2020-02-26T15:31:31Z)
- (De)Randomized Smoothing for Certifiable Defense against Patch Attacks [136.79415677706612]
  We introduce a certifiable defense against patch attacks that provides guarantees for a given image and patch attack size.
  Our method is related to the broad class of randomized smoothing robustness schemes.
  Our results effectively establish a new state-of-the-art of certifiable defense against patch attacks on CIFAR-10 and ImageNet.
  arXiv Detail & Related papers (2020-02-25T08:39:46Z)
- Certified Robustness to Label-Flipping Attacks via Randomized Smoothing [105.91827623768724]
  Machine learning algorithms are susceptible to data poisoning attacks.
  We present a unifying view of randomized smoothing over arbitrary functions.
  We propose a new strategy for building classifiers that are pointwise-certifiably robust to general data poisoning attacks.
  arXiv Detail & Related papers (2020-02-07T21:28:30Z)