1 Introduction
In the regime of scarce data, or when new classes emerge constantly, such as in face recognition, few-shot learning is required. Modern computer vision methods of learning from a few images are based on deep neural networks. These neural networks are intriguingly vulnerable to adversarial perturbations (Szegedy et al., 2013; Goodfellow et al., 2014) – accurately crafted small modifications of the input that may significantly alter the model's prediction. For safety-critical scenarios, these perturbations present a serious threat. Hence, it is important to investigate ways to protect neural networks from such undesired scenarios. Several works studied this phenomenon in different applications of neural networks – image classification (Carlini & Wagner, 2017; Moosavi-Dezfooli et al., 2016, 2017; Su et al., 2019), object detection (Kaziakhmedov et al., 2019; Li et al., 2021a; Wu et al., 2020; Xie et al., 2017b), face recognition (Komkov & Petiushko, 2021; Dong et al., 2019; Zhong & Deng, 2020), semantic segmentation (Fischer et al., 2017; Hendrik Metzen et al., 2017; Xie et al., 2017b). This shows how easy it is for adversaries to maliciously force a model to behave in the desired way. As a result, defenses, both empirical (Dhillon et al., 2018; Zhou et al., 2020; Jang et al., 2019) and provable (Yang et al., 2020; Lecuyer et al., 2019; Cohen et al., 2019; Wong & Kolter, 2018; Zhang et al., 2020; Jia et al., 2019; Weng et al., 2019; Pautov et al., 2021), were proposed recently. Although empirical defenses can be (and often are) broken by more powerful attacks, provable ones are of great interest, since they make it possible to guarantee the correctness of a model under certain assumptions and thus possibly broaden the scope of tasks that may be trusted to neural networks.
Randomized smoothing (Lecuyer et al., 2019; Cohen et al., 2019; Li et al., 2018) is the state-of-the-art approach for constructing classification models provably robust against small-norm additive adversarial perturbations. This approach is scalable to large datasets and can be applied to any classifier, since it makes no assumptions about the model's architecture. Generally, the idea is the following. Suppose we are given a base neural network classifier that maps an input image to a fixed number of class probabilities. Its smoothed version with the standard Gaussian distribution is:
(1) 
Interestingly, as shown in (Cohen et al., 2019), the new (smoothed) classifier is provably robust at to bounded perturbations if the base classifier is confident enough at . However, the proof of certification heavily exploits the fact that classifiers are restricted to mapping an input to a fixed number of class probabilities. Thus, directly applying randomized smoothing to classifiers in a metric space, such as in few-shot learning, is a challenging task.
There are several works that aim at improving the robustness of few-shot classification (Kumar & Goldstein, 2021; Goldblum et al., 2020; Zhang et al., 2019; Liu et al., 2021). However, the focus of such works is either on the improvement of empirical robustness or on probabilistic guarantees of certified robustness; none of them provides theoretical guarantees on the worst-case model behavior.
In this work, we fill this gap by generalizing and theoretically justifying the idea of randomized smoothing for few-shot learning. In this scenario, provable certification needs to be obtained not in the space of output class probabilities, but in the space of descriptive embeddings. To our knowledge, this is the first work in which theoretical robustness guarantees for the few-shot scenario are provided.
Our contributions are summarized as follows:
We provide the first theoretical robustness guarantee for the few-shot learning classification task.
We analyze the Lipschitz continuity of such models and provide robustness certificates against bounded perturbations for few-shot learning scenarios.
We propose to estimate confidence intervals not for the distances between the approximation of the smoothed embedding and the class prototype, but for the dot product of vectors whose expectation equals the distance between the actual smoothed embedding and the class prototype.
2 Problem statement
2.1 Notation
We consider a few-shot classification problem where we are given a set of labeled objects , where and are the corresponding labels. We follow the notation of (Snell et al., 2017) and denote as the set of objects of class .
2.2 Few-shot learning classification
Suppose we have a function that maps input objects to the space of normalized embeddings. Then, dimensional prototypes of classes are computed as follows (the expression is given for the prototype of class ):
(2) 
In order to classify a sample, one should compute the distances between its embedding and the class prototypes – a sample is assigned to the class with the closest prototype. Namely, given a distance function , the class of the sample is computed as below:
(3) 
Given an embedding function , our goal is to construct a classifier provably robust to additive perturbations of small norm. In other words, we want to find a norm threshold such that the equality
(4) 
is satisfied for all
In this paper, the problem of constructing a classifier that satisfies the condition in Equation 4 is approached by extending the analysis of the robustness of the smoothed classifiers described in Equation 1 to the case of vector functions. The choice of the distance metric in Equation 4 is motivated by the analysis of Lipschitz continuity given in the next section.
3 Randomized smoothing
3.1 Background
In the original literature (Lecuyer et al., 2019; Cohen et al., 2019), randomized smoothing is described as a technique of convolving a base classifier with isotropic Gaussian noise, such that the new classifier returns the most probable prediction of of a random variable , where the choice of the Gaussian distribution is motivated by the requirement on to be robust against additive perturbations of bounded norm. In this case, given a classifier and smoothing distribution , the classifier looks as follows:
(5)
Using Stein's Lemma, one can show that if the function in Equation 5 is bounded (namely, ), then the function is Lipschitz:
(6) 
with , which immediately yields a theoretical robustness guarantee on
Although this approach is simple and effective, it has a serious drawback: in practice, it is impossible to compute the expectation in Equation 5 exactly and, thus, impossible to compute the prediction of the smoothed function at any point. Instead, the integral is computed by Monte Carlo approximation with samples, which yields the prediction with an arbitrary level of confidence. Notably, to achieve an appropriate accuracy of the Monte Carlo approximation, the number of samples must be large, which may dramatically affect inference time.
In this work, we generalize the analysis of Lipschitz continuity to the case of vector functions and provide robustness guarantees for classification performed in the space of embeddings. The certification pipeline is illustrated in Figure 1.
3.2 Randomized smoothing for vector functions
Lipschitz continuity of vector functions.
In the work of (Salman et al., 2019), the robustness guarantee from (Cohen et al., 2019) is proved by estimating the Lipschitz constant of a smoothed classifier. Unfortunately, a straightforward generalization of this approach to the case of vector functions leads to estimating the expectation of the norm of a multivariate Gaussian, which is known to depend on the number of dimensions of the space. Instead, we show that a simple adjustment to this technique can be made such that the estimate of the Lipschitz constant is the same as for the function in Equation 5. Our results are formulated in the theorems below; their proofs are deferred to the Appendix in order not to distract the reader.
Theorem 3.1.
(Lipschitz continuity of a smoothed vector function) Suppose that is a deterministic function and is continuously differentiable for all . If for all , , then is Lipschitz in the norm with
Remark 3.2.
We perform the analysis of Lipschitz continuity in Theorem 3.1 in the norm, so the distance metric in Equation 4 is the distance. We do not consider other norms in this paper.
Robust classification in the space of embeddings.
To provide certification for classification in the space of embeddings, one should estimate the maximum deviation of the classified embedding that does not change the closest class prototype. In Theorem 3.3, we show how this deviation is connected with the relative position of the embedding and the class prototypes.
Theorem 3.3.
(Adversarial embedding risk) Given an input image and the embedding , the closest point on to the decision boundary in the embedding space (see Figure 2) is located at a distance (defined as the adversarial embedding risk):
(7) 
where and are the two closest prototypes. The value of is the distance between the classified embedding and the decision boundary between the classes represented by and . Note that this is the minimum distortion in the embedding space required to change the prediction of .
The two previous results combined give a robustness guarantee for few-shot classification, formulated as follows:
Theorem 3.4.
(Robustness guarantee) The robustness guarantee for an input image in the dimensional input metric space under classification by the classifier from Theorem 3.1 is:
(8) 
where is the Lipschitz constant from Theorem 3.1 and is the adversarial risk from Theorem 3.3. The value of is the certified radius of at , or, in other words, the minimum distortion in the input space required to change the prediction of . The proof of this fact follows directly from the definition in Equation 6 and the results of Theorems 3.1 and 3.3.
4 Certification protocol
In this section, we describe the numerical implementation of our approach and estimate the failure probability of the numerical procedures used.
4.1 Estimation of prediction of smoothed classifier
As mentioned in the previous sections, in the few-shot setting classification is performed by assigning an object to the closest class prototype. Unfortunately, given the smoothed function in the form from Theorem 3.1 and a class prototype from Equation 2, it is impossible to compute the value explicitly, or to determine the closest prototype, since in general it is unknown what looks like. In our work, we propose both
to estimate the closest prototype for classification and
to estimate the distance to the closest decision boundary from Theorem 3.3 as the largest class-preserving perturbation in the space of embeddings
by computing two-sided confidence intervals for the random variables
(9)
where
(10)
is the estimate of computed as the empirical mean over samples of noise, and a one-sided confidence interval for from Theorem 3.3, respectively. Pseudocode for both procedures is presented in Algorithms 1 and 2.
Algorithm 1 describes the inference procedure for the smoothed classifier from Theorem 3.1; Algorithm 2 uses Algorithm 1 and, given the input parameters, estimates the adversarial risk from Theorem 3.3 in the following way:
Firstly, Algorithm 1 determines the prototype closest to the smoothed embedding among all prototypes and returns the computed approximate smoothed embeddings used in the computation of the closest prototype ;
Secondly, the second closest prototype and the approximations are computed in a similar way;
Thirdly, given and the set of approximate smoothed embeddings , the empirical adversarial risk from Theorem 3.3 is computed for all ;
Finally, given the observations from the previous step, a lower confidence bound for the adversarial risk is computed.
Combined with the analysis from Theorem 3.1, this provides the certified radius for a sample – the smallest norm of a perturbation in the input space required to change the prediction of the smoothed classifier.
In the next subsection, we discuss in detail the procedure of computing confidence intervals in Algorithms 1 and 2.
4.2 Analysis of applicability of algorithms
The computations of the smoothed function and of the distances to class prototypes and to the decision boundary in Algorithm 1 and Algorithm 2, respectively, are numerical and operate on estimates of a random variable; thus, it is necessary to analyze their applicability. In this section, we propose a way to compute confidence intervals for the squared distances between estimates of embeddings in the form from Equation 10 and class prototypes.
Computation of confidence intervals for the squares of distances. Recall that one way to estimate the value of a parameter of a random variable is to compute a confidence interval for the corresponding statistic. In this work, we construct intervals by applying the well-known Hoeffding inequality (Hoeffding, 1994) in the form
(11) 
where and are the sample mean and the population mean of the random variable , respectively, is the number of samples, and the numbers are such that .
However, a confidence interval for the distance with a certain confidence covers the expectation of the distance , not the distance for the expectation .
To solve this problem, we propose to compute confidence intervals for the dot product of vectors. Namely, given the quantity
(12)
we sample its unbiased estimates with samples of noise for each (here we have to mention that the number of samples from Algorithm 1 actually doubles, since we need a pair of estimates of the smoothed embedding):
(13)
(14)
and compute the confidence interval
(15)
such that, given
(16)
the population mean is most probably located within it:
(17)
Note that the population mean is exactly , since
(18)
(19)
(20)
because and are independent random variables for . Finally, note that the confidence interval for the quantity implies the confidence interval
(21)
for the quantity . Thus, the procedures TwoSidedConfInt and LowerConfBound from the algorithms return the interval from Equation 21 and its left bound for the random variable representing the corresponding distance, respectively.
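The following is an added example, not code from the paper or its authors, covering the estimation procedure of Section 4.1 and the dot-product confidence intervals of Section 4.2. The base embedding network is replaced by a constructed non-linear map to unit vectors, the smoothed embedding is estimated by Monte Carlo as in Equation 10, and the squared distance to a prototype is bounded with Hoeffding intervals over dot products of independent estimate pairs (Equations 13 to 21). The loop in `closest_prototype_or_abstain` is my reconstruction of the Algorithm 1 idea (grow the samples until the leftmost interval separates, otherwise abstain), not the paper's pseudocode; inputs and prototypes are constructed values.

```python
import math
import random


def normalize(v):
    """Project onto the unit sphere; the embedding space of Section 2.2 is normalized."""
    norm = math.sqrt(sum(c * c for c in v))
    return [c / norm for c in v]


def base_embedding(x):
    """Constructed stand-in for the base embedding network f: a non-linear map to unit vectors."""
    return normalize([math.tanh(c) for c in x])


def smoothed_estimate(x, sigma, n, rng=None):
    """Equation 10: Monte Carlo estimate of g(x) = E[f(x + eps)], eps ~ N(0, sigma^2 I), n samples."""
    rng = rng if rng is not None else random
    acc = [0.0] * len(x)
    for _ in range(n):
        emb = base_embedding([c + rng.gauss(0.0, sigma) for c in x])
        for i, value in enumerate(emb):
            acc[i] += value
    return [a / n for a in acc]


def hoeffding_half_width(m, alpha, a=-4.0, b=4.0):
    """Equation 11: half-width t with P(|sample mean - population mean| >= t) <= alpha for m
    samples in [a, b]. For unit-norm estimates and prototypes ||g_hat - p|| <= 2, so the dot
    product of two such differences lies in [-4, 4]."""
    return (b - a) * math.sqrt(math.log(2.0 / alpha) / (2.0 * m))


def dot_product_samples(x, prototype, sigma, n, m, rng=None):
    """Equations 13-14: m draws of <g_hat1 - p, g_hat2 - p> from independent pairs of estimates.
    Independence of the pair makes the expectation exactly ||g(x) - p||^2 (Equations 18-20)."""
    out = []
    for _ in range(m):
        g1 = smoothed_estimate(x, sigma, n, rng)
        g2 = smoothed_estimate(x, sigma, n, rng)
        out.append(sum((g1[i] - prototype[i]) * (g2[i] - prototype[i]) for i in range(len(x))))
    return out


def naive_squared_distance_samples(x, prototype, sigma, n, m, rng=None):
    """||g_hat - p||^2 from single estimates: its mean is ||g(x) - p||^2 plus the Monte Carlo
    variance of g_hat, so an interval built on it covers the wrong quantity (Section 4.2)."""
    return [sum((gi - pi) ** 2 for gi, pi in zip(smoothed_estimate(x, sigma, n, rng), prototype))
            for _ in range(m)]


def two_sided_conf_int(samples, alpha):
    """Equation 21: Hoeffding interval for the squared distance, mapped to one for the distance."""
    m = len(samples)
    mean = sum(samples) / m
    t = hoeffding_half_width(m, alpha)
    return math.sqrt(max(mean - t, 0.0)), math.sqrt(max(mean + t, 0.0))


def closest_prototype_or_abstain(x, prototypes, sigma, n, alpha, rng=None, batch=20, max_rounds=10):
    """Reconstruction of the Algorithm 1 loop (assumed, not the paper's pseudocode): grow the
    sample of dot products for every prototype until the distance interval of the leftmost
    prototype no longer overlaps any other; return None (abstain) if that does not happen
    within max_rounds. Returns (label or None, intervals)."""
    samples = {label: [] for label in prototypes}
    intervals = {}
    for _ in range(max_rounds):
        for label, p in prototypes.items():
            samples[label].extend(dot_product_samples(x, p, sigma, n, batch, rng))
        intervals = {label: two_sided_conf_int(s, alpha) for label, s in samples.items()}
        best = min(intervals, key=lambda label: intervals[label][1])
        if all(intervals[best][1] < intervals[label][0] for label in intervals if label != best):
            return best, intervals
    return None, intervals


if __name__ == "__main__":
    rng = random.Random(0)
    x = [1.0, 0.0, 0.0]  # constructed input
    protos = {"A": [1.0, 0.0, 0.0], "B": [0.0, 1.0, 0.0]}  # constructed unit-norm prototypes
    print(closest_prototype_or_abstain(x, protos, sigma=0.5, n=50, alpha=0.05, rng=rng))
```

The Hoeffding half-width shrinks only as 1/√m, and the [-4, 4] range is loose, so separating two prototypes whose squared distances differ by a few tenths needs thousands of dot-product samples; that cost, and the abstention when the budget runs out, is exactly the behaviour reported in Sections 5.2 and 6.2. Setting `sigma = 0` makes every estimate exact, which is a convenient way to check the interval logic without Monte Carlo noise.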
5 Experiments
5.1 Datasets
For the experimental evaluation of our approach we use several well-known datasets for few-shot learning classification. CUB-200-2011 (Wah et al., 2011) is a dataset with images of bird species, where images of species are in the train subset and images of the other species are in the test subset. Notably, many species present in the dataset have a degree of visual similarity that makes their classification a challenging task even for humans.
miniImageNet (Vinyals et al., 2016) is a subset of images from the ILSVRC 2015 (Russakovsky et al., 2015) dataset with image categories in the train subset and categories in the test subset, with images of size in each category. CIFAR-FS (Bertinetto et al., 2018) is a subset of the CIFAR-100 (Krizhevsky et al., 2009) dataset which was generated in the same way as miniImageNet and contains images of categories in the train set and images of categories in the test set. The experimental setup for all the datasets is presented in the next section.
5.2 Experimental settings and computation cost
Following (Cohen et al., 2019), we compute the approximate certified test set accuracy to estimate the performance of the smoothed model prediction with Algorithm 1 and the embedding risk computation with Algorithm 2. The baseline model used in our experiments is a prototypical network introduced in (Snell et al., 2017) with a ConvNet-4 backbone. Compared to the original architecture, an additional fully connected layer was added at the end of the network to map embeddings to a 512-dimensional vector space. The model was trained to solve 1-shot and 5-shot classification tasks on each dataset, with 5-way classification on each iteration.
Parameters of experiments. For data augmentation, we applied Gaussian noise with zero mean, unit variance and probability of augmentation. Each dataset was certified on a subsample of 500 images with the default parameters for Algorithm 1: number of samples , confidence level and variance , unless stated otherwise. For our settings, it may be shown from simple geometry that the values from Equation 11 are such that , so we use . The number of computations of the approximation of the smoothed function in Algorithm 1 is set to .
Computation cost. In the table below, we report the computation time of the certification procedure per image on a Tesla V100 GPU for the CUB-200-2011 dataset. The standard deviation in seconds is significant because the number of main-loop iterations required to separate the two leftmost confidence intervals varies from image to image in the test set.
n      | 1000        | 3000          | 5000
t, sec | 73.1 ± 68.0 | 221.9 ± 194.7 | 300.6 ± 296.1
5.3 Results of experiments
In this section, we report the results of our experiments. In our evaluation protocol, we compute the approximate certified test set accuracy, . Given a sample , the smoothed classifier from Theorem 3.1 with the assigned classification rule
(22) 
a threshold value for the norm of the additive perturbation, and the robustness guarantee from Theorem 3.4, we compute on the test set as follows:
(23) 
In other words, we treat the model as certified at the point under a perturbation of norm if is correctly classified by (which means that the classification procedure described in Algorithm 1 does not abstain from classifying ) and the certified radius at is larger than .
Visualization of results. Figures 6 and 10 below show the dependence of certified accuracy on the norm of the additive perturbation (attack radius) for different learning settings (1-shot and 5-shot learning). The value of the attack radius corresponds to the threshold from Equation 23. For the CUB-200-2011 dataset we also show how certified accuracy depends on the number of samples for Algorithm 1 (Figure 11).
6 Limitations
In this section, we describe the limitations of our approach. Namely, we provide the failure probability of Algorithms 1 and 2 and discuss abstentions from classification in Algorithm 1.
6.1 Estimation of errors of algorithms
Note that the value of from Equation 16 is the probability that the value of does not belong to the corresponding interval of the form from Equation 21.
Given a sample , the procedure in Algorithm 1 returns the two prototypes closest to . Note that once the two leftmost confidence intervals are determined, each of the two prototypes closest to is established with probability at least ; thus, since the two intervals are computed independently, the error probability of Algorithm 1 is . This value corresponds to returning a pair of class prototypes at least one of which is not actually among the two closest to , given that Algorithm 1 does not abstain.
Similarly, the procedure in Algorithm 2 outputs a lower bound for the adversarial risk with coverage at least and depends on the output of Algorithm 1; thus, it has error probability , which corresponds to returning an overestimated lower bound for the adversarial risk from Theorem 3.3.
6.2 Abstentions from classification
It is crucial to note that the procedure in Algorithm 1 may require many observations of the approximation of the smoothed embedding to distinguish the two leftmost confidence intervals, and sometimes does not finish before reaching the threshold number of iterations. Hence, there may be samples for which the inference protocol of Algorithm 1 does not finish in a reasonable number of iterations, and thus the associated smoothed classifier can be neither evaluated nor certified at these points. In this subsection, we report the numbers of objects on which Algorithm 1 abstains from determining the closest prototype. The fractions of abstained samples for different values of the confidence level for both the 1-shot and 5-shot scenarios are reported in Tables 2 and 3 below.
CUB-200-2011 | 23.8% | 28.0% | 32.0%
CIFAR-FS     | 26.0% | 30.8% | 34.2%
miniImageNet | 26.6% | 32.0% | 36.2%

CUB-200-2011 | 26.2% | 31.2% | 35.8%
CIFAR-FS     | 25.8% | 31.0% | 34.0%
miniImageNet | 26.0% | 31.4% | 34.6%
7 Related work
Breaking neural networks with adversarial attacks and empirically defending against them have a long history of cat-and-mouse game: for a particular proposed defense against existing adversarial perturbations, a new, more aggressive attack is found. This motivated researchers to find defenses that are mathematically provable and certifiably robust to different kinds of input manipulations. Several works proposed exactly verified neural networks based on Satisfiability Modulo Theories solvers (Katz et al., 2017; Ehlers, 2017) or mixed-integer linear programming (Lomuscio & Maganti, 2017; Fischetti & Jo, 2017). These methods are computationally inefficient, although they are guaranteed to find adversarial examples if they exist. Another line of work uses more relaxed certification (Wong & Kolter, 2018; Gowal et al., 2018; Raghunathan et al., 2018). Although these methods aim to guarantee that an adversarial example does not exist in a certain region around a given input, they do not scale to large networks and large datasets. The only provable defense against adversarial perturbations that scales to large datasets is randomized smoothing. Initially, it was proposed as an empirical defense to mitigate adversarial effects in neural networks (Liu et al., 2018; Xie et al., 2017a). Later, several works gave mathematical proofs of its certified robustness (Lecuyer et al., 2019; Li et al., 2018; Cohen et al., 2019; Salman et al., 2019). Lecuyer et al. (Lecuyer et al., 2019) first provided a proof of certificates against adversarial examples using differential privacy. Then Li et al. (Li et al., 2018) proposed tighter guarantees using the Rényi divergence. Later, Cohen et al. (Cohen et al., 2019) provided the tightest bound using the Neyman-Pearson lemma. Interestingly, an alternative proof using Lipschitz continuity was found (Salman et al., 2019). The scalability and simplicity of randomized smoothing attracted significant attention, and it was extended beyond perturbations (Lee et al., 2019; Teng et al., 2019; Li et al., 2021b; Levine & Feizi, 2020b, a; Kumar & Goldstein, 2021; Mohapatra et al., 2020; Yang et al., 2020). Perhaps (Kumar & Goldstein, 2021) is the closest work to ours; there, the authors extend randomized smoothing to vector-valued metric spaces with the IoU/Jaccard distance for object localization, perceptual distance for generative models, and total variation. However, their work does not consider descriptive embeddings for few-shot learning.
8 Conclusion and future work
In this work, we extended randomized smoothing as a defense against additive norm-bounded adversarial attacks to the case of classification in the embedding space that is used in few-shot learning scenarios. We performed an analysis of the Lipschitz continuity of smoothed normalized embeddings and derived a robustness certificate against attacks. Our theoretical findings are supported experimentally on several datasets. There are several directions for future work: our approach can possibly be extended to other types of attacks, such as semantic transformations; also, it is important to reduce the computational complexity of the certification procedure.
References
Bertinetto et al. (2018) Bertinetto, L., Henriques, J. F., Torr, P. H., and Vedaldi, A. Meta-learning with differentiable closed-form solvers. arXiv preprint arXiv:1805.08136, 2018.
Carlini & Wagner (2017) Carlini, N. and Wagner, D. Towards evaluating the robustness of neural networks. In 2017 IEEE Symposium on Security and Privacy (SP), pp. 39–57. IEEE, 2017.
Cohen et al. (2019) Cohen, J., Rosenfeld, E., and Kolter, Z. Certified adversarial robustness via randomized smoothing. In International Conference on Machine Learning, pp. 1310–1320. PMLR, 2019.
Dhillon et al. (2018) Dhillon, G. S., Azizzadenesheli, K., Lipton, Z. C., Bernstein, J., Kossaifi, J., Khanna, A., and Anandkumar, A. Stochastic activation pruning for robust adversarial defense, 2018.
Dong et al. (2019) Dong, Y., Su, H., Wu, B., Li, Z., Liu, W., Zhang, T., and Zhu, J. Efficient decision-based black-box adversarial attacks on face recognition. In Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, pp. 7714–7722, 2019.
Ehlers (2017) Ehlers, R. Formal verification of piece-wise linear feed-forward neural networks. In International Symposium on Automated Technology for Verification and Analysis, pp. 269–286. Springer, 2017.
Fischer et al. (2017) Fischer, V., Kumar, M. C., Metzen, J. H., and Brox, T. Adversarial examples for semantic image segmentation. arXiv preprint arXiv:1703.01101, 2017.
Fischetti & Jo (2017) Fischetti, M. and Jo, J. Deep neural networks as 0-1 mixed integer linear programs: A feasibility study. arXiv preprint arXiv:1712.06174, 2017.
Goldblum et al. (2020) Goldblum, M., Fowl, L., and Goldstein, T. Adversarially robust few-shot learning: A meta-learning approach. Advances in Neural Information Processing Systems, 33, 2020.
Goodfellow et al. (2014) Goodfellow, I. J., Shlens, J., and Szegedy, C. Explaining and harnessing adversarial examples. arXiv preprint arXiv:1412.6572, 2014.
Gowal et al. (2018) Gowal, S., Dvijotham, K., Stanforth, R., Bunel, R., Qin, C., Uesato, J., Arandjelovic, R., Mann, T., and Kohli, P. On the effectiveness of interval bound propagation for training verifiably robust models. arXiv preprint arXiv:1810.12715, 2018.
Hendrik Metzen et al. (2017) Hendrik Metzen, J., Chaithanya Kumar, M., Brox, T., and Fischer, V. Universal adversarial perturbations against semantic image segmentation. In Proceedings of the IEEE International Conference on Computer Vision, pp. 2755–2764, 2017.
Hoeffding (1994) Hoeffding, W. Probability inequalities for sums of bounded random variables. In The Collected Works of Wassily Hoeffding, pp. 409–426. Springer, 1994.
Jang et al. (2019) Jang, Y., Zhao, T., Hong, S., and Lee, H. Adversarial defense via learning to generate diverse attacks. In Proceedings of the IEEE/CVF International Conference on Computer Vision, pp. 2740–2749, 2019.
Jia et al. (2019) Jia, J., Cao, X., Wang, B., and Gong, N. Z. Certified robustness for top-k predictions against adversarial perturbations via randomized smoothing. arXiv preprint arXiv:1912.09899, 2019.
Katz et al. (2017) Katz, G., Barrett, C., Dill, D. L., Julian, K., and Kochenderfer, M. J. Reluplex: An efficient SMT solver for verifying deep neural networks. In International Conference on Computer Aided Verification, pp. 97–117. Springer, 2017.
Kaziakhmedov et al. (2019) Kaziakhmedov, E., Kireev, K., Melnikov, G., Pautov, M., and Petiushko, A. Real-world attack on MTCNN face detection system. In 2019 International Multi-Conference on Engineering, Computer and Information Sciences (SIBIRCON), pp. 0422–0427. IEEE, 2019.
Komkov & Petiushko (2021) Komkov, S. and Petiushko, A. AdvHat: Real-world adversarial attack on ArcFace Face ID system. In 2020 25th International Conference on Pattern Recognition (ICPR), pp. 819–826. IEEE, 2021.
Krizhevsky et al. (2009) Krizhevsky, A., Hinton, G., et al. Learning multiple layers of features from tiny images. 2009.
Kumar & Goldstein (2021) Kumar, A. and Goldstein, T. Center smoothing for certifiably robust vector-valued functions. arXiv preprint arXiv:2102.09701, 2021.
Lecuyer et al. (2019) Lecuyer, M., Atlidakis, V., Geambasu, R., Hsu, D., and Jana, S. Certified robustness to adversarial examples with differential privacy. In 2019 IEEE Symposium on Security and Privacy (SP), pp. 656–672. IEEE, 2019.
Lee et al. (2019) Lee, G.-H., Yuan, Y., Chang, S., and Jaakkola, T. S. Tight certificates of adversarial robustness for randomly smoothed classifiers. arXiv preprint arXiv:1906.04948, 2019.
Levine & Feizi (2020a) Levine, A. and Feizi, S. Robustness certificates for sparse adversarial attacks by randomized ablation. In Proceedings of the AAAI Conference on Artificial Intelligence, volume 34, pp. 4585–4593, 2020a.
Levine & Feizi (2020b) Levine, A. and Feizi, S. Wasserstein smoothing: Certified robustness against Wasserstein adversarial attacks. In International Conference on Artificial Intelligence and Statistics, pp. 3938–3947. PMLR, 2020b.
Li et al. (2018) Li, B., Chen, C., Wang, W., and Carin, L. Certified adversarial robustness with additive noise. arXiv preprint arXiv:1809.03113, 2018.
Li et al. (2021a) Li, D., Zhang, J., and Huang, K. Universal adversarial perturbations against object detection. Pattern Recognition, 110:107584, 2021a.
Li et al. (2021b) Li, L., Weber, M., Xu, X., Rimanic, L., Kailkhura, B., Xie, T., Zhang, C., and Li, B. TSS: Transformation-specific smoothing for robustness certification, 2021b.
Liu et al. (2021) Liu, F., Zhao, S., Dai, X., and Xiao, B. Long-term cross adversarial training: A robust meta-learning method for few-shot classification tasks. arXiv preprint arXiv:2106.12900, 2021.
Liu et al. (2018) Liu, X., Cheng, M., Zhang, H., and Hsieh, C.-J. Towards robust neural networks via random self-ensemble. In Proceedings of the European Conference on Computer Vision (ECCV), pp. 369–385, 2018.
Lomuscio & Maganti (2017) Lomuscio, A. and Maganti, L. An approach to reachability analysis for feed-forward ReLU neural networks. arXiv preprint arXiv:1706.07351, 2017.
Mohapatra et al. (2020) Mohapatra, J., Ko, C.-Y., Weng, T.-W., Chen, P.-Y., Liu, S., and Daniel, L. Higher-order certification for randomized smoothing. arXiv preprint arXiv:2010.06651, 2020.
Moosavi-Dezfooli et al. (2016) Moosavi-Dezfooli, S.-M., Fawzi, A., and Frossard, P. DeepFool: A simple and accurate method to fool deep neural networks. In Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, pp. 2574–2582, 2016.
Moosavi-Dezfooli et al. (2017) Moosavi-Dezfooli, S.-M., Fawzi, A., Fawzi, O., and Frossard, P. Universal adversarial perturbations. In Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, pp. 1765–1773, 2017.
Pautov et al. (2021) Pautov, M., Tursynbek, N., Munkhoeva, M., Muravev, N., Petiushko, A., and Oseledets, I. CC-Cert: A probabilistic approach to certify general robustness of neural networks. arXiv preprint arXiv:2109.10696, 2021.
Raghunathan et al. (2018) Raghunathan, A., Steinhardt, J., and Liang, P. Certified defenses against adversarial examples. arXiv preprint arXiv:1801.09344, 2018.
Russakovsky et al. (2015) Russakovsky, O., Deng, J., Su, H., Krause, J., Satheesh, S., Ma, S., Huang, Z., Karpathy, A., Khosla, A., Bernstein, M., et al. ImageNet large scale visual recognition challenge. International Journal of Computer Vision, 115(3):211–252, 2015.
Salman et al. (2019) Salman, H., Yang, G., Li, J., Zhang, P., Zhang, H., Razenshteyn, I., and Bubeck, S. Provably robust deep learning via adversarially trained smoothed classifiers. arXiv preprint arXiv:1906.04584, 2019.
Snell et al. (2017) Snell, J., Swersky, K., and Zemel, R. S. Prototypical networks for few-shot learning. arXiv preprint arXiv:1703.05175, 2017.
Su et al. (2019) Su, J., Vargas, D. V., and Sakurai, K. One pixel attack for fooling deep neural networks. IEEE Transactions on Evolutionary Computation, 23(5):828–841, 2019.
Szegedy et al. (2013) Szegedy, C., Zaremba, W., Sutskever, I., Bruna, J., Erhan, D., Goodfellow, I., and Fergus, R. Intriguing properties of neural networks. arXiv preprint arXiv:1312.6199, 2013.
 Teng et al. (2019) Teng, J., Lee, G.H., and Yuan, Y. adversarial robustness certificates: a randomized smoothing approach. 2019.
 Vinyals et al. (2016) Vinyals, O., Blundell, C., Lillicrap, T., Wierstra, D., et al. Matching networks for one shot learning. Advances in neural information processing systems, 29:3630–3638, 2016.
 Wah et al. (2011) Wah, C., Branson, S., Welinder, P., Perona, P., and Belongie, S. The caltechucsd birds2002011 dataset. 2011.
 Weng et al. (2019) Weng, L., Chen, P.Y., Nguyen, L., Squillante, M., Boopathy, A., Oseledets, I., and Daniel, L. Proven: Verifying robustness of neural networks with a probabilistic approach. In International Conference on Machine Learning, pp. 6727–6736. PMLR, 2019.
 Wong & Kolter (2018) Wong, E. and Kolter, Z. Provable defenses against adversarial examples via the convex outer adversarial polytope. In International Conference on Machine Learning, pp. 5286–5295. PMLR, 2018.
 Wu et al. (2020) Wu, Z., Lim, S.N., Davis, L. S., and Goldstein, T. Making an invisibility cloak: Real world adversarial attacks on object detectors. In European Conference on Computer Vision, pp. 1–17. Springer, 2020.
 Xie et al. (2017a) Xie, C., Wang, J., Zhang, Z., Ren, Z., and Yuille, A. Mitigating adversarial effects through randomization. arXiv preprint arXiv:1711.01991, 2017a.
 Xie et al. (2017b) Xie, C., Wang, J., Zhang, Z., Zhou, Y., Xie, L., and Yuille, A. Adversarial examples for semantic segmentation and object detection. In Proceedings of the IEEE International Conference on Computer Vision, pp. 1369–1378, 2017b.
 Yang et al. (2020) Yang, G., Duan, T., Hu, J. E., Salman, H., Razenshteyn, I., and Li, J. Randomized smoothing of all shapes and sizes. In International Conference on Machine Learning, pp. 10693–10705. PMLR, 2020.
 Zhang et al. (2020) Zhang, D., Ye, M., Gong, C., Zhu, Z., and Liu, Q. Black-box certification with randomized smoothing: A functional optimization based framework. arXiv preprint arXiv:2002.09169, 2020.
 Zhang et al. (2019) Zhang, H., Yu, Y., Jiao, J., Xing, E., El Ghaoui, L., and Jordan, M. Theoretically principled tradeoff between robustness and accuracy. In International Conference on Machine Learning, pp. 7472–7482. PMLR, 2019.
 Zhong & Deng (2020) Zhong, Y. and Deng, W. Towards transferable adversarial attack against deep face recognition. IEEE Transactions on Information Forensics and Security, 16:1452–1466, 2020.
 Zhou et al. (2020) Zhou, J., Liang, C., and Chen, J. Manifold projection for adversarial defense on face recognition. In European Conference on Computer Vision, pp. 288–305. Springer, 2020.
Appendix A Proofs.
In this section, we provide proofs of the main results stated in our work.
Theorem A.1.
Suppose that is a deterministic function with corresponding continuously differentiable smoothed function . Then if for all , , then is Lipschitz in norm with
Proof.
It is known that an everywhere differentiable function with Jacobian matrix is Lipschitz in norm with , where is the spectral norm of
Taking into account the fact that
(24) 
we may derive its Jacobian matrix:
(25)  
(26) 
where . In order to estimate the spectral norm of , one can estimate the norm of its dot product with a normalized vector :
(27) 
Here, we apply a trick: it is possible to rotate the vectors in the dot product in such a way that one of the resulting vectors has only one nonzero component after rotation (without loss of generality, assume that this is the first component, ). Namely, given a rotation matrix that is unitary (), the expression from Eq. 27 becomes
(28) 
Now, since the rotation does not affect the norm, and thus and . Moreover, under the change of variables the following holds:
since rotation is a norm-preserving operation;
;
for the differentials, leading to
Thus, the expression from Eq. 28 becomes
(29) 
Now, we bound the norm from Eq. 29 using the Cauchy–Schwarz inequality:
(30)  
(31) 
since and , and . Here is the first component of .
The expectation from Eq. 30 is known to be equal to and, thus
(32) 
Taking the supremum over all unit vectors , we immediately get , which finalizes the proof.
∎
Theorem A.2.
(Adversarial embedding risk) Given an input image and the embedding , the closest point on to the decision boundary in the embedding space (see Figure 2) is located at a distance (defined as the adversarial embedding risk):
(33) 
where and are the two closest prototypes. The value of is the distance between the classifying embedding and the decision boundary between the classes represented by and . Note that this is the minimum distortion in the embedding space required to change the prediction of
Proof.
In the Figure 12, is the origin, , , , , , .
We need to solve the following problem:
(34)  
(35) 
It is obvious that, to satisfy the minimality requirement, we should consider . Thus, is perpendicular to the ray . Therefore, to minimize , we need to find the distance from to the ray .
The shortest distance is perpendicular to .
(36) 
(37) 
(38) 
(39) 
Solving equation implies
(40) 
(41) 
(42) 
(43) 
(44) 
Using the fact that we find that
(45) 
∎
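As an added worked example (not the paper's code), the geometry of Theorem A.2 in code: the adversarial embedding risk is computed as the distance from an embedding to the decision boundary between its two closest prototypes, and then divided by a Lipschitz constant of the kind Theorem A.1 provides to obtain an input-space radius. It assumes a nearest-prototype rule under Euclidean distance, so that the boundary is the hyperplane equidistant from the two prototypes; the function names, the prototype coordinates, the query embedding and the Lipschitz value 2.0 are all constructed for illustration and are not taken from the paper.

```python
import math

# Added example (not the paper's code): the adversarial embedding risk of
# Theorem A.2 under the assumption of a nearest-prototype rule with Euclidean
# distance, so the boundary between p1 and p2 is their equidistant hyperplane.

def _sub(a, b): return [x - y for x, y in zip(a, b)]
def _dot(a, b): return sum(x * y for x, y in zip(a, b))
def _norm(a): return math.sqrt(_dot(a, a))

def two_closest_prototypes(embedding, prototypes):
    """Indices (i, j) of the nearest and second-nearest prototype."""
    order = sorted(range(len(prototypes)),
                   key=lambda k: _norm(_sub(embedding, prototypes[k])))
    return order[0], order[1]

def closest_boundary_point(embedding, p1, p2):
    """Orthogonal projection of `embedding` onto the p1/p2 boundary.

    The boundary passes through the midpoint of p1 and p2 with unit normal
    (p2 - p1)/||p2 - p1||; the projection removes the component of
    (embedding - midpoint) along that normal.
    """
    normal = _sub(p2, p1)
    n = _norm(normal)
    unit = [c / n for c in normal]
    mid = [(a + b) / 2 for a, b in zip(p1, p2)]
    t = _dot(_sub(embedding, mid), unit)   # signed distance to the boundary
    return [x - t * u for x, u in zip(embedding, unit)]

def embedding_risk(embedding, p1, p2):
    """Minimum embedding-space distortion that reaches the p1/p2 boundary."""
    return _norm(_sub(closest_boundary_point(embedding, p1, p2), embedding))

def certified_input_radius(risk, lipschitz):
    """With an L-Lipschitz smoothed embedding (Theorem A.1 bounds such an L),
    an input perturbation of norm below risk / L moves the embedding by less
    than `risk`, so it cannot reach the p1/p2 boundary.  L is assumed given."""
    return risk / lipschitz

if __name__ == "__main__":
    # Constructed 2-D data: three class prototypes and one query embedding.
    prototypes = [[0.0, 0.0], [3.0, 0.0], [0.0, 4.0]]
    e = [1.0, 0.5]
    i, j = two_closest_prototypes(e, prototypes)
    r = embedding_risk(e, prototypes[i], prototypes[j])
    print("closest:", i, j, "risk:", r, "radius:", certified_input_radius(r, 2.0))
```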
Appendix B Additional experiments.
In this section, we provide results of additional experiments.
B.1 Dependency of certification accuracy on the level of confidence .
It is desirable to understand how the certified accuracy from Equation 23 depends on the confidence level and, hence, on the probabilities of failure of Algorithms 2 and 1 discussed in Section 6.1. In Figures 20 and 16, we report the difference in certification accuracy for several values of . In Table 4, the correspondence between these values of and the error probabilities and is reported.
Table 4:
0.0199    0.001999  0.00019999
0.029701  0.002997  0.00029997
It is notable that the drop in certified accuracy does not exceed when the probability of failure of both Algorithms 2 and 1 is decreased by a factor of