• Corpus ID: 221761375

Certifying Confidence via Randomized Smoothing

@article{Kumar2020CertifyingCV,
title={Certifying Confidence via Randomized Smoothing},
author={Aounon Kumar and Alexander Levine and Soheil Feizi and Tom Goldstein},
journal={ArXiv},
year={2020},
volume={abs/2009.08061}
}
• Published 17 September 2020
• Computer Science
• ArXiv
Randomized smoothing has been shown to provide good certified-robustness guarantees for high-dimensional classification problems. It uses the probabilities of predicting the top two most-likely classes around an input point under a smoothing distribution to generate a certified radius for a classifier's prediction. However, most smoothing methods do not give us any information about the \emph{confidence} with which the underlying classifier (e.g., deep neural network) makes a prediction. In…
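The certified radius described in the abstract can be sketched numerically. The following is a minimal illustration (not the authors' code) of the standard Gaussian-smoothing bound, in which the radius grows with the gap between the probabilities of the top two classes; the function name and inputs are hypothetical:

```python
from statistics import NormalDist

def certified_radius(p_top: float, p_runner_up: float, sigma: float) -> float:
    """Certified l2 radius under Gaussian smoothing with std sigma:
    R = (sigma / 2) * (Phi^{-1}(p_top) - Phi^{-1}(p_runner_up)),
    where Phi^{-1} is the standard normal inverse CDF."""
    phi_inv = NormalDist().inv_cdf
    return 0.5 * sigma * (phi_inv(p_top) - phi_inv(p_runner_up))

# The more confidently the smoothed classifier picks the top class,
# the larger the certified radius.
r = certified_radius(0.9, 0.05, 0.5)
```

Note that the radius scales linearly with the smoothing noise level sigma, which is the basic trade-off between certifiable radius and clean accuracy.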
23 Citations

Figures from this paper

• Computer Science, Mathematics
ArXiv
• 2021
This work designs a smoothing procedure that can leverage the local, potentially low-dimensional, behaviour of the function around an input to obtain probabilistic robustness certificates and demonstrates the effectiveness of the method on multiple learning tasks involving vector-valued functions with a wide range of input and output dimensionalities.
• Computer Science
ICML
• 2021
This work presents the first study of certifiable robustness for DBU models, and proposes novel uncertainty attacks that fool models into assigning high confidence to OOD data and low confidence to ID data, respectively.
• Computer Science
2021 IEEE/CVF International Conference on Computer Vision (ICCV)
• 2021
This paper proposes average- and worst-case metrics to measure flatness in the robust loss landscape and shows a correlation between good robust generalization and flatness, i.e., whether robust loss changes significantly when perturbing weights.
• Computer Science, Mathematics
NeurIPS
• 2020
This work obtains the first model-agnostic, training-free, and certified defense for object detection against $\ell_2$-bounded attacks.
• Computer Science
ArXiv
• 2021
An adaptive version of the Neyman-Pearson lemma (a key lemma for smoothing-based certificates) is proved, in which the adversarial perturbation at a particular time can be a stochastic function of current and previous observations and states, as well as previous actions.
• Computer Science, Mathematics
ICML
• 2022
Theoretically, under mild assumptions, it is proved that DSRS can certify a $\Theta(\sqrt{d})$ robust radius under the $\ell_2$ norm, where $d$ is the input dimension, implying that DSRS may be able to break the curse of dimensionality of randomized smoothing.
• Computer Science
• 2022
The lightweight Diversity Regularized Training (DRT) is proposed to train certifiably robust ensemble ML models, and it is proved that an ensemble model can always achieve higher certified robustness than a single base model under mild conditions.
• Computer Science
ICLR
• 2022
The lightweight Diversity Regularized Training (DRT) is proposed to train certifiably robust ensemble ML models, and it is proved that an ensemble model can always achieve higher certified robustness than a single base model under mild conditions.
• Computer Science
ArXiv
• 2022
A simple training method that leverages the fundamental trade-off between accuracy and (adversarial) robustness to obtain robust smoothed classifiers, in particular through sample-wise control of robustness over the training samples.
• Computer Science
ArXiv
• 2022
A framework that uses the dense intrinsic constraints in natural images to robustify inference, shifting the burden of robustness from training to the inference algorithm and thereby allowing the model to adjust dynamically to each individual image's unique and potentially novel characteristics at inference time.

References

SHOWING 1-10 OF 50 REFERENCES

• Computer Science
ICML
• 2019
Strong empirical results suggest that randomized smoothing is a promising direction for future research into adversarially robust classification; on smaller-scale datasets where competing approaches to certified $\ell_2$ robustness are viable, smoothing delivers higher certified accuracies.
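In practice the class probabilities under smoothing are not known exactly; certification procedures in this line of work estimate a lower confidence bound on the top-class probability from Monte Carlo samples and abstain when they cannot certify. A sketch under that assumption, using a stdlib-friendly Hoeffding lower bound in place of the tighter Clopper-Pearson interval used in practice, and taking the runner-up probability as $1 - p_{\text{lower}}$ (function names are illustrative):

```python
import math
from statistics import NormalDist

def hoeffding_lower_bound(k: int, n: int, alpha: float) -> float:
    """One-sided (1 - alpha) Hoeffding lower confidence bound on the
    top-class probability, from k top-class hits in n noisy samples."""
    return k / n - math.sqrt(math.log(1.0 / alpha) / (2.0 * n))

def certify(k: int, n: int, sigma: float, alpha: float = 0.001) -> float:
    """Certified l2 radius sigma * Phi^{-1}(p_lower); abstain
    (radius 0) when the lower bound does not exceed 1/2."""
    p_lower = hoeffding_lower_bound(k, n, alpha)
    if p_lower <= 0.5:
        return 0.0
    return sigma * NormalDist().inv_cdf(p_lower)
```

The abstention branch matters: with too few samples, or a top class barely above 1/2, the estimated bound cannot support any nonzero radius.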
• Computer Science, Mathematics
J. Mach. Learn. Res.
• 2020
Any noise distribution $D$ over $\mathbb{R}^d$ that provides $\ell_p$ robustness for all base classifiers with $p > 2$ must satisfy $\mathbb{E}\,\eta_i^2 = \Omega\big(d^{1-2/p}\,\epsilon^2(1-\delta)/\delta\big)$ for 99% of the features of the vector $\eta \sim D$, where $\epsilon$ is the robust radius and $\delta$ is the score gap between the highest-scored class and the runner-up.
• Computer Science, Mathematics
ICML
• 2020
It is shown that extending the smoothing technique to defend against other attack models can be challenging, especially in the high-dimensional regime, and it is established that Gaussian smoothing provides the best possible results, up to a constant factor, when $p \geq 2$.
• Computer Science, Mathematics
NeurIPS
• 2019
This work offers adversarial robustness guarantees and associated algorithms for the discrete case where the adversary is $\ell_0$-bounded, and exemplifies how the guarantees can be tightened with specific assumptions about the function class of the classifier, such as a decision tree.
• Computer Science
AAAI
• 2020
This paper proposes an efficient and certifiably robust defense against sparse adversarial attacks by randomly ablating input features, rather than using additive noise, and empirically demonstrates that the classifier is highly robust to modern sparse adversarial attacks on MNIST.
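The ablation idea is easy to illustrate. This is a hedged sketch, not the paper's implementation: each smoothing sample keeps a small random subset of features and replaces the rest with a distinguished NULL encoding (here simply `None`):

```python
import random

def ablate(x: list, keep: int, rng: random.Random) -> list:
    """Keep `keep` randomly chosen features of x; replace the rest
    with None, standing in for the NULL encoding."""
    kept = set(rng.sample(range(len(x)), keep))
    return [x[i] if i in kept else None for i in range(len(x))]

# A sparse (l0) adversary that flips only a few features is unlikely
# to have touched any of the small retained subset.
sample = ablate(list(range(10)), 3, random.Random(0))
```

Aggregating the base classifier's votes over many such ablated samples gives the certified defense its robustness to sparse perturbations.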
• Computer Science
ArXiv
• 2019
This paper proposes attack-agnostic robustness certificates for a multi-label classification problem using a deep ReLU network that has a closed-form, is differentiable and is an order of magnitude faster to compute than the existing methods even for deep networks.
• Computer Science
ArXiv
• 2018
This work shows how a simple bounding technique, interval bound propagation (IBP), can be exploited to train large provably robust neural networks that beat the state-of-the-art in verified accuracy and allows the largest model to be verified beyond vacuous bounds on a downscaled version of ImageNet.
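Interval bound propagation itself is simple to state: push elementwise lower/upper bounds through each layer, using the absolute values of the weights for the radius term. A minimal numpy sketch (illustrative names; a single affine layer followed by ReLU):

```python
import numpy as np

def ibp_affine(lo, hi, W, b):
    """Propagate interval bounds [lo, hi] through x -> W @ x + b:
    the interval center moves through W, the radius through |W|."""
    center, radius = (lo + hi) / 2.0, (hi - lo) / 2.0
    c, r = W @ center + b, np.abs(W) @ radius
    return c - r, c + r

def ibp_relu(lo, hi):
    """ReLU is monotone, so bounds pass through elementwise."""
    return np.maximum(lo, 0.0), np.maximum(hi, 0.0)

# Bounds for x in [0, 1]^2 through one affine layer, then ReLU.
W = np.array([[1.0, -1.0], [2.0, 0.0]])
lo, hi = ibp_affine(np.zeros(2), np.ones(2), W, np.zeros(2))
lo, hi = ibp_relu(lo, hi)
```

Training minimizes a loss on the worst-case logits implied by these bounds, which is what makes the resulting network cheap to verify.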
• Computer Science, Mathematics
ICML
• 2020
It is shown that with only label statistics under random input perturbations, randomized smoothing cannot achieve nontrivial certified accuracy against perturbation of $\ell_p$-norm $\Omega(\min(1, d^{\frac{1}{p} - \frac{1}{2}}))$, when the input dimension $d$ is large.
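To see why this bound bites, note that the dimension-dependent factor $d^{1/p - 1/2}$ is constant for $p \leq 2$ but vanishes as $d$ grows for $p > 2$. A toy evaluation (illustrative function name):

```python
def radius_scale(d: int, p: float) -> float:
    """Dimension-dependent factor min(1, d^(1/p - 1/2)) from the
    hardness result: 1 for p <= 2, shrinking with d for p > 2."""
    return min(1.0, d ** (1.0 / p - 0.5))

# For the l_inf threat model (p -> infinity) the certifiable radius
# scale decays like d^(-1/2) as dimension grows:
scales = [radius_scale(d, float("inf")) for d in (100, 10_000, 1_000_000)]
```

This is the "curse of dimensionality" that later work on smoothing distributions attempts to break.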
• Computer Science
ICML
• 2020
This paper shows that if the eigenvalues of the Hessian of the network are bounded, a robustness certificate in the $\ell_2$ norm can be computed efficiently using convex optimization, and derives a computationally efficient differentiable upper bound on the curvature of a deep network.
• Computer Science
ArXiv
• 2018
Experiments show that the predictor-verifier architecture is able to train networks to state-of-the-art verified robustness against adversarial examples with much shorter training times, and can be scaled to produce the first known verifiably robust networks for CIFAR-10.