Universally Amplifying Randomized Smoothing for Certified Robustness with Anisotropic Noise

23 Sept 2023 (modified: 11 Feb 2024). Submitted to ICLR 2024.
Primary Area: societal considerations including fairness, safety, privacy
Code Of Ethics: I acknowledge that I and all co-authors of this work have read and commit to adhering to the ICLR Code of Ethics.
Keywords: adversarial robustness, certified robustness, randomized smoothing
Submission Guidelines: I certify that this submission complies with the submission instructions as described on https://iclr.cc/Conferences/2024/AuthorGuide.
TL;DR: A universal framework that boosts randomized smoothing methods with anisotropic noise.
Abstract: Randomized smoothing has achieved great success for certified adversarial robustness. However, existing methods (especially the theory for certification guarantee) rely on a fixed i.i.d. noise distribution for all dimensions of the data (e.g., all the pixels in an image), and may result in limited performance of certified robustness. To address this limitation, we propose UCAN: a novel technique that $\underline{U}$niversally amplifies randomized smoothing for $\underline{C}$ertified robustness with $\underline{A}$nisotropic $\underline{N}$oise. It can theoretically transform any randomized smoothing method with isotropic noise to ensure certified robustness based on different variants of anisotropic noise. The theories universally work for using different noise distributions against different $\ell_p$ perturbations. Furthermore, we also design a novel framework with three example noise parameter generators (NPGs) for customizing the anisotropic noise. Finally, experimental results demonstrate that UCAN significantly outperforms the state-of-the-art (SOTA) methods, e.g., the certified accuracy can be improved by up to $182.6\%$ at large certified radii on MNIST, CIFAR10, and ImageNet datasets.
Anonymous Url: I certify that there is no URL (e.g., github page) that could be used to find authors' identity.
Supplementary Material: zip
No Acknowledgement Section: I certify that there is no acknowledgement section in this submission for double blind review.
Submission Number: 6877