Confidence-aware Denoised Fine-tuning of Off-the-shelf Models for Certified Robustness

Suhyeok Jang; Seojin Kim; Jinwoo Shin; Jongheon Jeong

Confidence-aware Denoised Fine-tuning of Off-the-shelf Models for Certified Robustness

Suhyeok Jang, Seojin Kim, Jinwoo Shin, Jongheon Jeong

Published: 12 Nov 2024, Last Modified: 12 Nov 2024Accepted by TMLREveryoneRevisionsBibTeXCC BY 4.0

Abstract: The remarkable advances in deep learning have led to the emergence of many off-the-shelf classifiers, e.g., large pre-trained models. However, since they are typically trained on clean data, they remain vulnerable to adversarial attacks. Despite this vulnerability, their superior performance and transferability make off-the-shelf classifiers still valuable in practice, demanding further work to provide adversarial robustness for them in a post-hoc manner. A recently proposed method, denoised smoothing, leverages a denoiser model in front of the classifier to obtain provable robustness without additional training. However, the denoiser often creates hallucination, i.e., images that have lost the semantics of their originally assigned class, leading to a drop in robustness. Furthermore, its noise-and-denoise procedure introduces a significant distribution shift from the original distribution, causing the denoised smoothing framework to achieve sub-optimal robustness. In this paper, we introduce Fine-Tuning with Confidence-Aware Denoised Image Selection (FT-CADIS), a novel fine-tuning scheme to enhance the certified robustness of off-the-shelf classifiers. FT-CADIS is inspired by the observation that the confidence of off-the-shelf classifiers can effectively identify hallucinated images during denoised smoothing. Based on this, we develop a confidence-aware training objective to handle such hallucinated images and improve the stability of fine-tuning from denoised images. In this way, the classifier can be fine-tuned using only images that are beneficial for adversarial robustness. We also find that such a fine-tuning can be done by merely updating a small fraction (i.e., 1%) of parameters of the classifier. Extensive experiments demonstrate that FT-CADIS has established the state-of-the-art certified robustness among denoised smoothing methods across all $l_2$-adversary radius in a variety of benchmarks, such as CIFAR-10 and ImageNet.

Submission Length: Regular submission (no more than 12 pages of main content)

Code: https://github.com/suhyeok24/FT-CADIS

Assigned Action Editor: ~Guillermo_Ortiz-Jimenez1

Submission Number: 3140

Loading