Towards Certified Probabilistic Robustness with High Accuracy

21 Sept 2023 (modified: 25 Mar 2024) · ICLR 2024 Conference Withdrawn Submission
Keywords: robustness, adversarial training, probabilistic robustness
TL;DR: an adversarial training and runtime certification method that maintains high accuracy
Abstract: Adversarial examples pose a security threat to many critical systems built on neural networks, such as face recognition systems and self-driving cars. While many methods have been proposed to build robust models, how to build certifiably robust yet accurate neural network models remains an open problem. For example, adversarial training improves empirical robustness but does not provide any certification of the model's robustness. Conversely, certified training provides certified robustness, but at the cost of a significant accuracy drop. In this work, we propose a novel approach that aims to achieve both high accuracy and certified probabilistic robustness. Our method has two parts that together achieve this goal, i.e., a probabilistic robust training method with the additional objective of minimizing the variance of the divergence between the model's outputs within a given vicinity of each input, and a runtime inference method that certifies the probabilistic robustness of individual predictions. Compared to alternative methods such as randomized smoothing and certified training, our approach avoids introducing strong noise during training, is effective against a variety of perturbations, and, most importantly, achieves certified probabilistic robustness without sacrificing accuracy. Our experiments on multiple models trained on different datasets demonstrate that our approach significantly outperforms existing approaches in terms of both certification rate and accuracy.
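The abstract names two ingredients, a training objective that penalises the variance of the output divergence inside a vicinity, and a runtime check that certifies a prediction as probabilistically robust. The code below is an added illustration of those two ideas on a constructed toy classifier; it is not the submission's code and does not reproduce the authors' training method. The classifier (a two-class softmax over fixed weights W, B), the uniform L-infinity vicinity sampler, the use of KL divergence as "the divergence", and the one-sided Hoeffding bound used to turn a sample agreement rate into a high-confidence lower bound on the true robustness probability are all assumptions chosen for the example. A prediction is reported as certified when, with confidence 1 - delta, the probability that a random point in the vicinity keeps the same label is at least 1 - rho.

```python
import math
import random

# Constructed toy classifier (assumption, not the paper's model):
# logits = W x + B, followed by a softmax. Two inputs, two classes.
W = [[1.0, -1.0], [-1.0, 1.0]]
B = [0.0, 0.0]


def softmax(z):
    m = max(z)
    e = [math.exp(v - m) for v in z]  # shift for numerical stability
    s = sum(e)
    return [v / s for v in e]


def predict_probs(x, w=W, b=B):
    """Class-probability vector of the toy model for input x."""
    z = [sum(wi * xi for wi, xi in zip(row, x)) + bi for row, bi in zip(w, b)]
    return softmax(z)


def argmax(p):
    return max(range(len(p)), key=p.__getitem__)


def kl_divergence(p, q, eps=1e-12):
    """KL(p || q); eps guards against log(0) on saturated outputs."""
    return sum(pi * math.log((pi + eps) / (qi + eps)) for pi, qi in zip(p, q) if pi > 0)


def sample_vicinity(x, radius, n, seed=0):
    """n points drawn uniformly from the L-infinity ball of the given radius around x."""
    rng = random.Random(seed)
    return [[xi + rng.uniform(-radius, radius) for xi in x] for _ in range(n)]


def vicinity_divergence_stats(x, radius, n=1000, seed=0):
    """Mean and variance of KL(clean output || perturbed output) over the vicinity.

    The variance is the quantity a training regulariser in the spirit of the
    abstract would push towards zero; here it is only measured, not optimised.
    """
    p_clean = predict_probs(x)
    divs = [kl_divergence(p_clean, predict_probs(xp)) for xp in sample_vicinity(x, radius, n, seed)]
    mean = sum(divs) / n
    var = sum((d - mean) ** 2 for d in divs) / n
    return mean, var


def certify_probabilistic_robustness(x, radius, rho=0.05, delta=0.01, n=1000, seed=0):
    """Runtime check: is the label at x stable on at least a 1-rho fraction of the vicinity?

    p_hat is the observed agreement rate over n samples. By the one-sided Hoeffding
    inequality, P(p_hat - p >= t) <= exp(-2 n t^2), so with probability at least
    1 - delta the true agreement probability p satisfies
        p >= p_hat - sqrt(ln(1/delta) / (2 n)).
    The prediction is certified when that lower bound reaches 1 - rho.
    """
    label = argmax(predict_probs(x))
    agree = sum(1 for xp in sample_vicinity(x, radius, n, seed) if argmax(predict_probs(xp)) == label)
    p_hat = agree / n
    lower = max(0.0, p_hat - math.sqrt(math.log(1.0 / delta) / (2.0 * n)))
    return {"label": label, "p_hat": p_hat, "lower_bound": lower, "certified": lower >= 1.0 - rho}


if __name__ == "__main__":
    # Constructed inputs: one far from the decision boundary, one exactly on it.
    for point in ([3.0, -3.0], [0.0, 0.0]):
        mean_kl, var_kl = vicinity_divergence_stats(point, radius=0.5)
        print(point, "mean KL %.2e, var KL %.2e" % (mean_kl, var_kl))
        print(point, certify_probabilistic_robustness(point, radius=0.5))
```

With n = 1000 and delta = 0.01 the Hoeffding margin is about 0.048, so even a prediction that agrees on every sample is certified only for rho >= 0.048; tightening rho means drawing more samples. The bound is distribution-free but loose; a Clopper-Pearson interval on the binomial count gives a tighter lower bound at the same confidence and would be a natural swap-in.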
Primary Area: societal considerations including fairness, safety, privacy
Code Of Ethics: I acknowledge that I and all co-authors of this work have read and commit to adhering to the ICLR Code of Ethics.
Submission Guidelines: I certify that this submission complies with the submission instructions as described on https://iclr.cc/Conferences/2024/AuthorGuide.
Anonymous Url: I certify that there is no URL (e.g., github page) that could be used to find authors' identity.
No Acknowledgement Section: I certify that there is no acknowledgement section in this submission for double blind review.
Submission Number: 3666