Variational Randomized Smoothing for Sample-Wise Adversarial Robustness

TL;DR

This work introduces variational randomized smoothing to achieve sample-wise adversarial robustness by learning a per-input smoothing level $\sigma_s=h(x)$. The framework combines a noise level selector with a differentiable soft smoothing scheme, stochastic regularization toward a target noise, and conditional meta-learning to allow test-time control of robustness without retraining. It also defends the selector with median smoothing and clipping, and provides a certified robustness bound based on median smoothing, along with empirical results on CIFAR-10 showing improved robustness compared to fixed-noise smoothing. The approach delivers practical gains in empirical robustness and offers flexible tuning at test time, while maintaining competitive certification under small perturbations.

Abstract

Randomized smoothing is a defensive technique to achieve enhanced robustness against adversarial examples which are small input perturbations that degrade the performance of neural network models. Conventional randomized smoothing adds random noise with a fixed noise level for every input sample to smooth out adversarial perturbations. This paper proposes a new variational framework that uses a per-sample noise level suitable for each input by introducing a noise level selector. Our experimental results demonstrate enhancement of empirical robustness against adversarial attacks. We also provide and analyze the certified robustness for our sample-wise smoothing method.

Figures (15)

• Figure 1: Conventional and proposed approaches of smoothed classifier.
• Figure 2: Examples of certified accuracy and radius obtained by randomized smoothing.
• Figure 3: Model architecture of noise level selector $h$.
• Figure 4: Upper and lower bounds of $h_p(x'+\varepsilon)$.
• Figure 5: Certified accuracy and radius with proposed method $g_v^*$ and baseline $g$.