Corpus ID: 236318431

On the Certified Robustness for Ensemble Models and Beyond

Authors: Zhuolin Yang, Linyi Li, Xiaojun Xu, Bhavya Kailkhura, Tao Xie, Bo Li

Recent studies show that deep neural networks (DNN) are vulnerable to adversarial examples, which aim to mislead DNNs by adding perturbations with small magnitude. To defend against such attacks, both empirical and theoretical defense approaches have been extensively studied for a single ML model. In this work, we aim to analyze and provide the certified robustness for ensemble ML models, together with the sufficient and necessary conditions of robustness for different ensemble protocols…


SoK: Certified Robustness for Deep Neural Networks
This paper provides a taxonomy for the robustness verification and training approaches, and provides an open-sourced unified platform to evaluate 20+ representative verification and corresponding robust training approaches on a wide range of DNNs.
Improving Adversarial Robustness via Promoting Ensemble Diversity
A new notion of ensemble diversity in the adversarial setting is defined as the diversity among non-maximal predictions of individual members, and an adaptive diversity promoting (ADP) regularizer is presented to encourage the diversity, which leads to globally better robustness for the ensemble by making adversarial examples difficult to transfer among individual members.
TRS: Transferability Reduced Ensemble via Encouraging Gradient Diversity and Model Smoothness
This work theoretically analyzes and proposes a practical algorithm to reduce transferability between base models within an ensemble to improve its robustness, and provides a lower bound of adversarial transferability based on model gradient similarity, as well as an upper bound for low-risk classifiers based on gradient orthogonality and model smoothness.
DVERGE: Diversifying Vulnerabilities for Enhanced Robust Generation of Ensembles
DVERGE is proposed, which isolates the adversarial vulnerability in each sub-model by distilling non-robust features, and diversifies the adversarial vulnerability to induce diverse outputs against a transfer attack, and enables the improved robustness when more sub-models are added to the ensemble.
Enhancing Certifiable Robustness via a Deep Model Ensemble
The proposed ensemble framework with certified robustness, RobBoost, formulates the optimal model selection and weighting task as an optimization problem on a lower bound of classification margin, which can be efficiently solved using coordinate descent.
Enhancing Certified Robustness of Smoothed Classifiers via Weighted Model Ensembling
A Smoothed WEighted ENsembling (SWEEN) scheme to improve the performance of randomized smoothed classifiers; the authors theoretically analyze the expressive power of the SWEEN function class and show that SWEEN can be trained to achieve near-optimal risk in the randomized smoothing regime.
A Framework for Robustness Certification of Smoothed Classifiers using f-Divergences
This paper extends randomized smoothing procedures to handle arbitrary smoothing measures and proves robustness of the smoothed classifier by using f-divergences; it achieves state-of-the-art certified robustness on MNIST, CIFAR-10 and ImageNet, as well as on the Librispeech audio classification task, with respect to several classes of adversarial perturbations.
Scalable Verified Training for Provably Robust Image Classification
This work shows how a simple bounding technique, interval bound propagation (IBP), can be exploited to train large provably robust neural networks that beat the state-of-the-art in verified accuracy and allows the largest model to be verified beyond vacuous bounds on a downscaled version of ImageNet.
Improving Adversarial Robustness of Ensembles with Diversity Training
Diversity Training, a novel method to train an ensemble of models with uncorrelated loss functions, significantly improves the adversarial robustness of ensembles and can be combined with existing methods to create a stronger defense against transfer-based attacks.
Mixture of Robust Experts (MoRE): A Flexible Defense Against Multiple Perturbations
This work assembles a set of expert networks to achieve superior accuracy performance under various perturbation types through a well-designed gating mechanism and shows that the Mixture of Robust Experts (MoRE) approach enables a flexible and expandable integration of a broad range of robust experts with superior performance.