Log In Sign Up

Randomized Smoothing of All Shapes and Sizes

by   Greg Yang, et al.

Randomized smoothing is a recently proposed defense against adversarial attacks that has achieved state-of-the-art provable robustness against ℓ_2 perturbations. Soon after, a number of works devised new randomized smoothing schemes for other metrics, such as ℓ_1 or ℓ_∞; however, for each geometry, substantial effort was needed to derive new robustness guarantees. This begs the question: can we find a general theory for randomized smoothing? In this work we propose a novel framework for devising and analyzing randomized smoothing schemes, and validate its effectiveness in practice. Our theoretical contributions are as follows: (1) We show that for an appropriate notion of "optimal", the optimal smoothing distributions for any "nice" norm have level sets given by the *Wulff Crystal* of that norm. (2) We propose two novel and complementary methods for deriving provably robust radii for any smoothing distribution. Finally, (3) we show fundamental limits to current randomized smoothing techniques via the theory of *Banach space cotypes*. By combining (1) and (2), we significantly improve the state-of-the-art certified accuracy in ℓ_1 on standard datasets. On the other hand, using (3), we show that, without more information than label statistics under random input perturbations, randomized smoothing cannot achieve nontrivial certified accuracy against perturbations of ℓ_∞-norm Ω(1/√(d)), when the input dimension d is large. We provide code in


page 1

page 2

page 3

page 4


Higher-Order Certification for Randomized Smoothing

Randomized smoothing is a recently proposed defense against adversarial ...

Robust and Accurate – Compositional Architectures for Randomized Smoothing

Randomized Smoothing (RS) is considered the state-of-the-art approach to...

Smoothed Embeddings for Certified Few-Shot Learning

Randomized smoothing is considered to be the state-of-the-art provable d...

Certification of Semantic Perturbations via Randomized Smoothing

We introduce a novel certification method for parametrized perturbations...

Certified Defense via Latent Space Randomized Smoothing with Orthogonal Encoders

Randomized Smoothing (RS), being one of few provable defenses, has been ...

Towards Assessment of Randomized Mechanisms for Certifying Adversarial Robustness

As a certified defensive technique, randomized smoothing has received co...

Certified Neural Network Watermarks with Randomized Smoothing

Watermarking is a commonly used strategy to protect creators' rights to ...