On the Role of Randomization in Adversarially Robust Classification
- URL: http://arxiv.org/abs/2302.07221v3
- Date: Tue, 28 Nov 2023 09:23:51 GMT
- Title: On the Role of Randomization in Adversarially Robust Classification
- Authors: Lucas Gnecco-Heredia, Yann Chevaleyre, Benjamin Negrevergne, Laurent Meunier, Muni Sreenivas Pydi
- Abstract summary: We give conditions under which a randomized ensemble has lower adversarial risk than every classifier in its base hypothesis set.
We also show that any probabilistic binary classifier is outperformed by some deterministic classifier, and we explicitly describe the deterministic hypothesis set that contains it.
- License: http://creativecommons.org/licenses/by-nc-sa/4.0/
- Abstract: Deep neural networks are known to be vulnerable to small adversarial
perturbations in test data. To defend against adversarial attacks,
probabilistic classifiers have been proposed as an alternative to deterministic
ones. However, literature has conflicting findings on the effectiveness of
probabilistic classifiers in comparison to deterministic ones. In this paper,
we clarify the role of randomization in building adversarially robust
classifiers. Given a base hypothesis set of deterministic classifiers, we show
the conditions under which a randomized ensemble outperforms the hypothesis set
in adversarial risk, extending previous results. Additionally, we show that for
any probabilistic binary classifier (including randomized ensembles), there
exists a deterministic classifier that outperforms it. Finally, we give an
explicit description of the deterministic hypothesis set that contains such a
deterministic classifier for many types of commonly used probabilistic
classifiers, i.e. randomized ensembles and parametric/input noise injection.
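The two effects stated in the abstract can be seen on a tiny problem. The Python below is an added illustration, not code from the paper: it computes the adversarial 0-1 risk (attacker knows the mixture weights but not the sampled classifier, and may move an integer input by at most EPS) for two half-line base classifiers, for their uniform randomized ensemble, and for the deterministic level-set classifiers f_t(x) = 1{P_{h~q}[h(x)=1] >= t}, i.e. weighted votes over the base set with threshold t. The dataset, the base classifiers and the choice of the level-set family as the derandomized hypothesis set are my assumptions for the example, not necessarily the paper's construction. On this data the ensemble beats both base classifiers, yet the unanimity vote f_1 beats the ensemble; the averaging identity E_{t~U[0,1]} R_adv(f_t) = R_adv(q), which the code also checks, is why some f_t can never do worse than q.

```python
# Added example (not from the paper): adversarial 0-1 risk of a randomized ensemble
# versus its level-set derandomization on a constructed 1-D toy problem.
from fractions import Fraction

# Constructed toy data (assumption): integer inputs, binary labels, positives form a band.
DATA = [(0, 0), (1, 0), (2, 1), (4, 1), (6, 1), (8, 0), (9, 0)]
EPS = 1  # threat model: the attacker may move x by at most EPS on the integer grid


def half_line_clf(theta, direction):
    """Base deterministic hypothesis: predict 1 iff x >= theta (direction=+1) or x <= theta (-1)."""
    return lambda x: 1 if (x - theta) * direction >= 0 else 0


# Randomized ensemble q (assumption): h_1 = 1{x >= 4} or h_2 = 1{x <= 4}, each with probability 1/2.
ENSEMBLE = [(half_line_clf(4, +1), Fraction(1, 2)), (half_line_clf(4, -1), Fraction(1, 2))]


def ball(x):
    """Integer points the attacker can reach from x."""
    return range(x - EPS, x + EPS + 1)


def mixture_prob(ensemble, x):
    """p(x) = P_{h~q}[h(x) = 1] for the weighted ensemble."""
    return sum((w for h, w in ensemble if h(x) == 1), Fraction(0))


def adv_risk_randomized(ensemble, data):
    """E_{(x,y)} max_{x' in B(x)} P_{h~q}[h(x') != y]: the attacker sees q, not the draw."""
    total = Fraction(0)
    for x, y in data:
        losses = [1 - mixture_prob(ensemble, xp) if y == 1 else mixture_prob(ensemble, xp)
                  for xp in ball(x)]
        total += max(losses)
    return total / len(data)


def adv_risk_deterministic(h, data):
    """E_{(x,y)} max_{x' in B(x)} 1{h(x') != y}."""
    total = sum(max(int(h(xp) != y) for xp in ball(x)) for x, y in data)
    return Fraction(total, len(data))


def base_risks(ensemble, data):
    """Adversarial risk of each base classifier on its own."""
    return [adv_risk_deterministic(h, data) for h, _ in ensemble]


def level_set_clf(ensemble, t):
    """Deterministic f_t(x) = 1{p(x) >= t}: a weighted majority vote with threshold t."""
    return lambda x: 1 if mixture_prob(ensemble, x) >= t else 0


def level_cuts(ensemble, data):
    """Distinct values of p on attacker-reachable points, plus the endpoints 0 and 1."""
    levels = {mixture_prob(ensemble, xp) for x, _ in data for xp in ball(x)}
    return sorted(levels | {Fraction(0), Fraction(1)})


def derandomize(ensemble, data):
    """Best level-set classifier: returns (t, adversarial risk of f_t)."""
    cuts = level_cuts(ensemble, data)
    # For t in (a, b] with a, b consecutive cuts, f_t == f_b, so scanning the cuts is exhaustive.
    return min(((b, adv_risk_deterministic(level_set_clf(ensemble, b), data)) for b in cuts[1:]),
               key=lambda tb: tb[1])


def expected_risk_over_thresholds(ensemble, data):
    """E_{t~U[0,1]} R_adv(f_t). Per point this equals the mixture loss, so it equals R_adv(q)."""
    cuts = level_cuts(ensemble, data)
    return sum((b - a) * adv_risk_deterministic(level_set_clf(ensemble, b), data)
               for a, b in zip(cuts, cuts[1:]))


if __name__ == "__main__":
    print("base classifier risks:", base_risks(ENSEMBLE, DATA))            # [4/7, 4/7]
    print("randomized ensemble risk:", adv_risk_randomized(ENSEMBLE, DATA))  # 1/2
    print("E_t[R_adv(f_t)]:", expected_risk_over_thresholds(ENSEMBLE, DATA))  # 1/2
    t_best, r_best = derandomize(ENSEMBLE, DATA)
    print(f"best level-set classifier: t={t_best}, risk={r_best}")           # t=1, risk=3/7
```

The winning deterministic classifier f_1 (predict 1 only where both base classifiers vote 1) is not in the base set {h_1, h_2}; this is the sense in which the derandomized classifier lives in a larger, explicitly describable hypothesis set built from the base one. Exact arithmetic with Fraction is deliberate: the averaging identity must hold exactly, and float rounding would hide a real gap or fake one.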
Related papers
- Conformal Predictions for Probabilistically Robust Scalable Machine Learning Classification [1.757077789361314]
Conformal predictions make it possible to define reliable and robust learning algorithms.
They are essentially a method for evaluating whether an algorithm is good enough to be used in practice.
This paper defines a reliable learning framework for classification from the very beginning of its design.
arXiv Detail & Related papers (2024-03-15T14:59:24Z)
- Shortcomings of Top-Down Randomization-Based Sanity Checks for Evaluations of Deep Neural Network Explanations [67.40641255908443]
We identify limitations of model-randomization-based sanity checks for the purpose of evaluating explanations.
Top-down model randomization preserves scales of forward pass activations with high probability.
arXiv Detail & Related papers (2022-11-22T18:52:38Z)
- Bounding Counterfactuals under Selection Bias [60.55840896782637]
We propose a first algorithm to address both identifiable and unidentifiable queries.
We prove that, in spite of the missingness induced by the selection bias, the likelihood of the available data is unimodal.
arXiv Detail & Related papers (2022-07-26T10:33:10Z)
- On the Calibration of Probabilistic Classifier Sets [6.759124697337311]
We extend the notion of calibration to evaluate the validity of an aleatoric uncertainty representation.
We show that ensembles of deep neural networks are often not well calibrated.
arXiv Detail & Related papers (2022-05-20T10:57:46Z)
- Self-Certifying Classification by Linearized Deep Assignment [65.0100925582087]
We propose a novel class of deep predictors for classifying metric data on graphs within the PAC-Bayes risk certification paradigm.
Building on the recent PAC-Bayes literature and data-dependent priors, this approach enables learning posterior distributions on the hypothesis space.
arXiv Detail & Related papers (2022-01-26T19:59:14Z)
- Optimal strategies for reject option classifiers [0.0]
In classification with a reject option, the classifier is allowed in uncertain cases to abstain from prediction.
We coin a symmetric definition, the bounded-coverage model, which seeks a classifier with minimal selective risk and guaranteed coverage.
We propose two algorithms to learn the proper uncertainty score from examples for an arbitrary black-box classifier.
arXiv Detail & Related papers (2021-01-29T11:09:32Z)
- Learning to Separate Clusters of Adversarial Representations for Robust Adversarial Detection [50.03939695025513]
We propose a new probabilistic adversarial detector motivated by a recently introduced non-robust feature.
In this paper, we consider the non-robust features as a common property of adversarial examples, and we deduce that it is possible to find a cluster in representation space corresponding to the property.
This idea leads us to estimate the probability distribution of adversarial representations in a separate cluster, and to leverage the distribution for a likelihood-based adversarial detector.
arXiv Detail & Related papers (2020-12-07T07:21:18Z)
- Cautious Active Clustering [79.23797234241471]
We consider the problem of classification of points sampled from an unknown probability measure on a Euclidean space.
Our approach is to consider the unknown probability measure as a convex combination of the conditional probabilities for each class.
arXiv Detail & Related papers (2020-08-03T23:47:31Z)
- Quantifying the Uncertainty of Precision Estimates for Rule based Text Classifiers [0.0]
Rule based classifiers that use the presence and absence of key sub-strings to make classification decisions have a natural mechanism for quantifying the uncertainty of their precision.
For a binary classifier, the key insight is to treat partitions of the sub-string set induced by the documents as Bernoulli random variables.
The utility of this approach is demonstrated with a benchmark problem.
arXiv Detail & Related papers (2020-05-19T03:51:47Z)
- Robustness Verification for Classifier Ensembles [3.5884936187733394]
The robustness-checking problem consists of assessing, given a set of classifiers and a labelled data set, whether there exists a randomized attack.
We show the NP-hardness of the problem and provide an upper bound on the number of attacks that is sufficient to form an optimal randomized attack.
Our prototype implementation verifies multiple neural-network ensembles trained for image-classification tasks.
arXiv Detail & Related papers (2020-05-12T07:38:43Z)
- Certified Robustness to Label-Flipping Attacks via Randomized Smoothing [105.91827623768724]
Machine learning algorithms are susceptible to data poisoning attacks.
We present a unifying view of randomized smoothing over arbitrary functions.
We propose a new strategy for building classifiers that are pointwise-certifiably robust to general data poisoning attacks.
arXiv Detail & Related papers (2020-02-07T21:28:30Z)