Confidence-aware Training of Smoothed Classifiers for Certified Robustness
- URL: http://arxiv.org/abs/2212.09000v2
- Date: Tue, 20 Dec 2022 06:52:07 GMT
- Title: Confidence-aware Training of Smoothed Classifiers for Certified Robustness
- Authors: Jongheon Jeong, Seojin Kim, Jinwoo Shin
- Abstract summary: We use "accuracy under Gaussian noise" as an easy-to-compute proxy of adversarial robustness for an input.
Our experiments show that the proposed method consistently exhibits improved certified robustness upon state-of-the-art training methods.
- Score: 75.95332266383417
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Any classifier can be "smoothed out" under Gaussian noise to build a new
classifier that is provably robust to $\ell_2$-adversarial perturbations, viz.,
by averaging its predictions over the noise via randomized smoothing. Under the
smoothed classifiers, the fundamental trade-off between accuracy and
(adversarial) robustness has been well evidenced in the literature: i.e.,
increasing the robustness of a classifier for an input can be at the expense of
decreased accuracy for some other inputs. In this paper, we propose a simple
training method leveraging this trade-off to obtain robust smoothed
classifiers, in particular, through a sample-wise control of robustness over
the training samples. We make this control feasible by using "accuracy under
Gaussian noise" as an easy-to-compute proxy of adversarial robustness for an
input. Specifically, we differentiate the training objective depending on this
proxy to filter out samples that are unlikely to benefit from the worst-case
(adversarial) objective. Our experiments show that the proposed method, despite
its simplicity, consistently exhibits improved certified robustness upon
state-of-the-art training methods. Somewhat surprisingly, we find these
improvements persist even for other notions of robustness, e.g., to various
types of common corruptions.
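As an added worked example (not code from the paper or its authors), the following stand-alone Python reproduces the mechanics the abstract relies on: Monte Carlo smoothing of a base classifier under Gaussian noise, the per-sample "accuracy under Gaussian noise" proxy, and a certification step in the style of Cohen et al. (2019) that turns a lower confidence bound on the top-class probability p_A into an $\ell_2$ radius $\sigma\,\Phi^{-1}(p_A)$. Because that radius is monotone in p_A, the proxy (a Monte Carlo estimate of p_A for the true label) orders training samples by how much certified robustness they can currently get. The nearest-centroid base classifier, the data points, the sample counts, the one-sided Hoeffding bound (used in place of the Clopper-Pearson interval of the original certification procedure, to stay in the standard library) and the single threshold in `select_objective` are all assumptions of this illustration, not the paper's setting.

```python
"""Randomized smoothing with an "accuracy under Gaussian noise" proxy.

Added illustration, not code from the paper. The base classifier, data
points, sample counts and the proxy threshold are constructed for it.
"""
import math
import random
from statistics import NormalDist
from typing import Callable, List, Optional, Tuple

Classifier = Callable[[List[float]], int]

# Assumed toy base classifier f: nearest-centroid rule in R^2, two classes.
CENTROIDS = [(-1.0, 0.0), (1.0, 0.0)]


def base_classifier(x: List[float]) -> int:
    """Nearest-centroid classifier (constructed stand-in for a neural network)."""
    dists = [math.dist(x, c) for c in CENTROIDS]
    return dists.index(min(dists))


def sample_counts(f: Classifier, x: List[float], sigma: float, n: int,
                  rng: random.Random, num_classes: int = 2) -> List[int]:
    """Monte Carlo: how often f(x + eps), eps ~ N(0, sigma^2 I), returns each class."""
    counts = [0] * num_classes
    for _ in range(n):
        noisy = [xi + rng.gauss(0.0, sigma) for xi in x]
        counts[f(noisy)] += 1
    return counts


def noisy_accuracy(f: Classifier, x: List[float], y: int, sigma: float,
                   n: int, rng: random.Random) -> float:
    """Accuracy under Gaussian noise for one sample: the paper's robustness proxy.

    It is the Monte Carlo estimate of p_A = P[f(x + eps) = y]; the certified
    radius sigma * Phi^{-1}(p_A) grows monotonically with it.
    """
    return sample_counts(f, x, sigma, n, rng)[y] / n


def hoeffding_lower(p_hat: float, n: int, alpha: float) -> float:
    """One-sided Hoeffding lower confidence bound on a binomial proportion.

    Cohen et al. use a Clopper-Pearson interval; Hoeffding is an assumption of
    this example (looser, so the radii it yields are conservative).
    """
    return max(0.0, p_hat - math.sqrt(math.log(1.0 / alpha) / (2.0 * n)))


def certify(f: Classifier, x: List[float], sigma: float, n0: int, n: int,
            alpha: float, rng: random.Random) -> Optional[Tuple[int, float]]:
    """CERTIFY in the style of Cohen et al. (2019).

    Pick the top class with n0 samples, estimate its probability with n fresh
    samples, lower-bound it, and return (class, radius); return None (abstain)
    when the bound does not exceed 1/2, since then no radius is certifiable.
    """
    guess = sample_counts(f, x, sigma, n0, rng)
    c_a = guess.index(max(guess))
    counts = sample_counts(f, x, sigma, n, rng)
    p_lower = hoeffding_lower(counts[c_a] / n, n, alpha)
    if p_lower <= 0.5:
        return None
    return c_a, sigma * NormalDist().inv_cdf(p_lower)


def select_objective(proxy: float, threshold: float) -> str:
    """Sample-wise control described in the abstract.

    Samples whose accuracy under noise is already below the threshold are
    unlikely to benefit from the worst-case (adversarial) objective and keep
    the natural objective. The single threshold and the two labels are
    assumptions of this illustration, not the paper's exact rule.
    """
    return "adversarial" if proxy >= threshold else "natural"


if __name__ == "__main__":
    rng = random.Random(0)
    sigma = 0.5
    # Constructed inputs: one far from the decision boundary, one exactly on it.
    for x, y in ([10.0, 0.0], 1), ([0.0, 0.0], 1):
        acc = noisy_accuracy(base_classifier, x, y, sigma, 1000, rng)
        cert = certify(base_classifier, x, sigma, 100, 1000, 1e-3, rng)
        print(x, "proxy", acc, "objective", select_objective(acc, 0.9), "cert", cert)
```

The far point keeps its label under every noise draw, so the proxy is 1.0 and certification returns a positive radius; the point on the boundary flips with roughly half of the draws, so the lower bound never clears 1/2 and the certifier abstains, which is exactly the kind of sample the abstract describes as unlikely to benefit from a worst-case objective.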
Related papers
- Multi-scale Diffusion Denoised Smoothing [79.95360025953931]
Randomized smoothing has become one of a few tangible approaches that offer adversarial robustness to models at scale.
We present scalable methods to address the current trade-off between certified robustness and accuracy in denoised smoothing.
Our experiments show that the proposed multi-scale smoothing scheme combined with diffusion fine-tuning enables strong certified robustness available with high noise level.
arXiv Detail & Related papers (2023-10-25T17:11:21Z)
- The Lipschitz-Variance-Margin Tradeoff for Enhanced Randomized Smoothing [85.85160896547698]
Real-life applications of deep neural networks are hindered by their unsteady predictions when faced with noisy inputs and adversarial attacks.
We show how to design an efficient classifier with a certified radius by relying on noise injection into the inputs.
Our novel certification procedure allows us to use pre-trained models with randomized smoothing, effectively improving the current certification radius in a zero-shot manner.
arXiv Detail & Related papers (2023-09-28T22:41:47Z)
- Understanding Noise-Augmented Training for Randomized Smoothing [14.061680807550722]
Randomized smoothing is a technique for providing provable robustness guarantees against adversarial attacks.
We show that, without making stronger distributional assumptions, no benefit can be expected from predictors trained with noise-augmentation.
Our analysis has direct implications for the practical deployment of randomized smoothing.
arXiv Detail & Related papers (2023-05-08T14:46:34Z)
- Improving the Accuracy-Robustness Trade-Off of Classifiers via Adaptive Smoothing [9.637143119088426]
We show that a robust base classifier's confidence difference for correct and incorrect examples is the key to this improvement.
We adapt an adversarial input detector into a mixing network that adaptively adjusts the mixture of the two base models.
The proposed flexible method, termed "adaptive smoothing", can work in conjunction with existing or even future methods that improve clean accuracy, robustness, or adversary detection.
arXiv Detail & Related papers (2023-01-29T22:05:28Z)
- SmoothMix: Training Confidence-calibrated Smoothed Classifiers for Certified Robustness [61.212486108346695]
We propose a training scheme, coined SmoothMix, to control the robustness of smoothed classifiers via self-mixup.
The proposed procedure effectively identifies over-confident, near off-class samples as a cause of limited robustness.
Our experimental results demonstrate that the proposed method can significantly improve the certified $\ell_2$-robustness of smoothed classifiers.
arXiv Detail & Related papers (2021-11-17T18:20:59Z)
- Consistency Regularization for Certified Robustness of Smoothed Classifiers [89.72878906950208]
A recent technique of randomized smoothing has shown that the worst-case $\ell_2$-robustness can be transformed into the average-case robustness.
We found that the trade-off between accuracy and certified robustness of smoothed classifiers can be greatly controlled by simply regularizing the prediction consistency over noise.
arXiv Detail & Related papers (2020-06-07T06:57:43Z)
- Regularized Training and Tight Certification for Randomized Smoothed Classifier with Provable Robustness [15.38718018477333]
We derive a new regularized risk, in which the regularizer can adaptively encourage the accuracy and robustness of the smoothed counterpart.
We also design a new certification algorithm, which can leverage the regularization effect to provide a tighter robustness lower bound that holds with high probability.
arXiv Detail & Related papers (2020-02-17T20:54:34Z)
- Certified Robustness to Label-Flipping Attacks via Randomized Smoothing [105.91827623768724]
Machine learning algorithms are susceptible to data poisoning attacks.
We present a unifying view of randomized smoothing over arbitrary functions.
We propose a new strategy for building classifiers that are pointwise-certifiably robust to general data poisoning attacks.
arXiv Detail & Related papers (2020-02-07T21:28:30Z)
This list is automatically generated from the titles and abstracts of the papers on this site.