Higher-Order Certification for Randomized Smoothing

by Jeet Mohapatra, et al.

Randomized smoothing is a recently proposed defense against adversarial attacks that has achieved SOTA provable robustness against ℓ_2 perturbations. A number of publications have extended the guarantees to other metrics, such as ℓ_1 or ℓ_∞, by using different smoothing measures. Although the current framework has been shown to yield near-optimal ℓ_p radii, the total safety region certified by the current framework can be arbitrarily small compared to the optimal. In this work, we propose a framework to improve the certified safety region for these smoothed classifiers without changing the underlying smoothing scheme. The theoretical contributions are as follows: 1) We generalize the certification for randomized smoothing by reformulating certified radius calculation as a nested optimization problem over a class of functions. 2) We provide a method to calculate the certified safety region using 0th-order and 1st-order information for Gaussian-smoothed classifiers. We also provide a framework that generalizes the calculation for certification using higher-order information. 3) We design efficient, high-confidence estimators for the relevant statistics of the first-order information. Combining theoretical contributions 2) and 3) allows us to certify safety regions that are significantly larger than the ones provided by the current methods. On the CIFAR10 and ImageNet datasets, the new regions certified by our approach achieve significant improvements on general ℓ_1 certified radii and on the ℓ_2 certified radii for color-space attacks (ℓ_2 restricted to 1 channel), while also achieving smaller improvements on the general ℓ_2 certified radii. Our framework can also provide a way to circumvent the current impossibility results on achieving higher magnitude of certified radii without requiring the use of data-dependent smoothing techniques.




