Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

General Lipschitz: Certified Robustness Against Resolvable Semantic Transformations via Transformation-Dependent Randomized Smoothing

Dmitrii Korzh, Mikhail Pautov, Olga Tsymboi, Ivan Oseledets

TL;DR

General Lipschitz (GL) introduces transformation-dependent randomized smoothing to certify robustness of image classifiers against composable semantic perturbations that are resolvable via a reducing function. The framework constructs a smoothed classifier $h$ by averaging over semantic transformations and Gaussian noise, then derives a local Lipschitz-based certificate along transformation paths using functions $\xi$ and $\hat{g}$; a practical numerical scheme estimates these functions to certify robustness when $h_c(x)>\tfrac{1}{2}$. Empirical results on ImageNet and CIFAR demonstrate competitive certified robust accuracy (CRA) across several perturbations, validating the approach at scale while highlighting the probabilistic nature of the guarantees and the focus on resolvable transformations. The work suggests strong practical implications for semantic robustness and points to future directions including extending to non-resolvable perturbations and applying the approach to detection or segmentation tasks.

Abstract

Randomized smoothing is the state-of-the-art approach to construct image classifiers that are provably robust against additive adversarial perturbations of bounded magnitude. However, it is more complicated to construct reasonable certificates against semantic transformation (e.g., image blurring, translation, gamma correction) and their compositions. In this work, we propose \emph{General Lipschitz (GL),} a new framework to certify neural networks against composable resolvable semantic perturbations. Within the framework, we analyze transformation-dependent Lipschitz-continuity of smoothed classifiers w.r.t. transformation parameters and derive corresponding robustness certificates. Our method performs comparably to state-of-the-art approaches on the ImageNet dataset.

General Lipschitz: Certified Robustness Against Resolvable Semantic Transformations via Transformation-Dependent Randomized Smoothing

TL;DR

General Lipschitz (GL) introduces transformation-dependent randomized smoothing to certify robustness of image classifiers against composable semantic perturbations that are resolvable via a reducing function. The framework constructs a smoothed classifier by averaging over semantic transformations and Gaussian noise, then derives a local Lipschitz-based certificate along transformation paths using functions and ; a practical numerical scheme estimates these functions to certify robustness when . Empirical results on ImageNet and CIFAR demonstrate competitive certified robust accuracy (CRA) across several perturbations, validating the approach at scale while highlighting the probabilistic nature of the guarantees and the focus on resolvable transformations. The work suggests strong practical implications for semantic robustness and points to future directions including extending to non-resolvable perturbations and applying the approach to detection or segmentation tasks.

Abstract

Randomized smoothing is the state-of-the-art approach to construct image classifiers that are provably robust against additive adversarial perturbations of bounded magnitude. However, it is more complicated to construct reasonable certificates against semantic transformation (e.g., image blurring, translation, gamma correction) and their compositions. In this work, we propose \emph{General Lipschitz (GL),} a new framework to certify neural networks against composable resolvable semantic perturbations. Within the framework, we analyze transformation-dependent Lipschitz-continuity of smoothed classifiers w.r.t. transformation parameters and derive corresponding robustness certificates. Our method performs comparably to state-of-the-art approaches on the ImageNet dataset.
Paper Structure (22 sections, 6 theorems, 73 equations, 7 figures, 3 tables, 2 algorithms)

This paper contains 22 sections, 6 theorems, 73 equations, 7 figures, 3 tables, 2 algorithms.

Table of Contents

  1. Preliminaries
  2. Proposed method
  3. Randomized smoothing for semantic transformations
  4. Robustness guarantee
  5. Numerical evaluation
  6. Bounding the directional derivative
  7. Density Estimation
  8. Experiments
  9. Limitations
  10. Non-resolvable transformations
  11. Probabilistic certification
  12. Error Analysis
  13. Related Work
  14. Adversarial attacks and empirical defenses
  15. Approaches for provable certification
  16. ...and 7 more sections

Key Result

Theorem 1

Certification condition. Let $\beta(t): [0,1] \to \Theta$ be a smooth curve such that $\beta(0) = \beta_0$ and $\beta(1) = \beta$. Then there exist mappings $\xi: \left[0, 1\right] \to \mathbb{R}$ and $\hat{g}(\beta): \Theta \to \mathbb{R}$ such that if $\hat{g}(\beta) < - \xi(1 - h_c(x)) + \xi(1/2)

Figures (7)

  • Figure 1: Visualization of certified robust accuracy for the subset of parameter space for different transformations, ImageNet dataset. By design of our approach, if the classifier is certified at the input point $x$ for the parameter value $\beta$, it is certified for all parameters $\beta^{*} \in [\beta_0, \beta].$ The values of CRA are presented in the corresponding color bars. Remark: the certified robust accuracy against the given transform in Table \ref{['tab:main_table']} is the infimum of CRAs on the corresponding plot.
  • Figure 2: $\xi(h)$ v.s. $N_s$ for the Contrast-Brightness transform
  • Figure 3: $\hat{g}(\beta, 0)$ v.s. $d_b$ for the Contrast-Brightness transform
  • Figure 4: $\xi(h)$ vs $N_s$ for the Contrast-Brightness transform
  • Figure 5: $\hat{g}(\beta, 0)$ vs $N_s$ for the Contrast-Brightness transform
  • ...and 2 more figures

Theorems & Definitions (12)

  • Theorem 1
  • proof
  • Remark 2
  • Lemma 1
  • Lemma 2: Gradient of log-density for resolvable transformations
  • Remark 3
  • Theorem 4
  • proof
  • Lemma 3
  • proof
  • ...and 2 more