Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Certified Adversarial Robustness via Partition-based Randomized Smoothing

Hossein Goli, Farzan Farnia

TL;DR

The Pixel Partitioning-based Randomized Smoothing (PPRS) methodology to boost the neural net's confidence score and thus the robustness radius of the certified prediction and it is demonstrated that the proposed PPRS algorithm improves the visibility of the images under additive Gaussian noise.

Abstract

A reliable application of deep neural network classifiers requires robustness certificates against adversarial perturbations. Gaussian smoothing is a widely analyzed approach to certifying robustness against norm-bounded perturbations, where the certified prediction radius depends on the variance of the Gaussian noise and the confidence level of the neural net's prediction under the additive Gaussian noise. However, in application to high-dimensional image datasets, the certified radius of the plain Gaussian smoothing could be relatively small, since Gaussian noise with high variances can significantly harm the visibility of an image. In this work, we propose the Pixel Partitioning-based Randomized Smoothing (PPRS) methodology to boost the neural net's confidence score and thus the robustness radius of the certified prediction. We demonstrate that the proposed PPRS algorithm improves the visibility of the images under additive Gaussian noise. We discuss the numerical results of applying PPRS to standard computer vision datasets and neural network architectures. Our empirical findings indicate a considerable improvement in the certified accuracy and stability of the prediction model to the additive Gaussian noise in randomized smoothing.

Certified Adversarial Robustness via Partition-based Randomized Smoothing

TL;DR

The Pixel Partitioning-based Randomized Smoothing (PPRS) methodology to boost the neural net's confidence score and thus the robustness radius of the certified prediction and it is demonstrated that the proposed PPRS algorithm improves the visibility of the images under additive Gaussian noise.

Abstract

A reliable application of deep neural network classifiers requires robustness certificates against adversarial perturbations. Gaussian smoothing is a widely analyzed approach to certifying robustness against norm-bounded perturbations, where the certified prediction radius depends on the variance of the Gaussian noise and the confidence level of the neural net's prediction under the additive Gaussian noise. However, in application to high-dimensional image datasets, the certified radius of the plain Gaussian smoothing could be relatively small, since Gaussian noise with high variances can significantly harm the visibility of an image. In this work, we propose the Pixel Partitioning-based Randomized Smoothing (PPRS) methodology to boost the neural net's confidence score and thus the robustness radius of the certified prediction. We demonstrate that the proposed PPRS algorithm improves the visibility of the images under additive Gaussian noise. We discuss the numerical results of applying PPRS to standard computer vision datasets and neural network architectures. Our empirical findings indicate a considerable improvement in the certified accuracy and stability of the prediction model to the additive Gaussian noise in randomized smoothing.
Paper Structure (16 sections, 4 theorems, 11 equations, 14 figures, 1 table)

This paper contains 16 sections, 4 theorems, 11 equations, 14 figures, 1 table.

Table of Contents

  1. Introduction
  2. Related Work
  3. Preliminaries
  4. Classification and Adversarial Attacks
  5. Certified Robustness via Randomized Smoothing
  6. Partition-based Randomized Smoothing
  7. Numerical Results
  8. Numerical Comparison of PPRS vs. Baseline Randomized Smoothing Methods
  9. Ablation Studies
  10. Super-pixel Schemes.
  11. Super-pixel Size.
  12. PPRS noise hyper-parameters.
  13. Conclusion
  14. Appendix
  15. Proof of Theorem 2
  16. ...and 1 more sections

Key Result

Theorem 1

Consider a prediction rule $f:\mathcal{X}\rightarrow\mathcal{Y}$. For sample $\mathbf{x}\in\mathcal{X}$ classified as $f^{\mathrm{GS}(\sigma)}(\mathbf{x}) = c_A$, we define the prediction confidence score as $C(\mathbf{x})=\frac{1}{2}\bigl(\Phi^{-1}(p_A(\mathbf{x})) - \Phi^{-1}(p_B(\mathbf{x}))\bigr Then, $f^{\mathrm{GS}(\sigma)}(\mathbf{x}+\boldsymbol{\delta})=c_A$ for every $L_2$-norm-bounded pe

Figures (14)

  • Figure 1: Comparison of the randomized smoothing (RS) and the proposed PPRS under Gaussian noise with $\sigma=0.5$.
  • Figure 2: The two top and bottom rows demonstrate pictures found after adding Gaussian Noise with $\sigma=0.75$ and $\sigma=0.5$ and applying SLIC SuperPixel with 1000 partitions.
  • Figure 3: PPRS and RS Certified Accuracy vs. $L_2$-Perturbation-Radius for Gaussian noise $\mathcal{N}(\mathbf{0},\sigma^2 I)$
  • Figure 4: PPRS and RS Certified Accuracy vs. $L_2$-Perturbation-Radius for Gaussian noise $\mathcal{N}(\mathbf{0},\sigma^2 I)$ with different $\sigma$'s.
  • Figure 5: Numerical comparison of certifiably robust classification methods. The certified accuracy of the trained models is plotted vs. the certified prediction radius.
  • ...and 9 more figures

Theorems & Definitions (6)

  • Theorem 1: Theorem 1 from cohen2019certified
  • Corollary 1
  • Theorem 2
  • proof
  • Lemma 1
  • proof