Boosting Randomized Smoothing with Variance Reduced Classifiers
Keywords: adversarial robustness, certified robustness, randomized smoothing
Abstract: Randomized Smoothing (RS) is a promising method for obtaining robustness certificates by evaluating a base model under noise. In this work, we: (i) theoretically motivate why ensembles are a particularly suitable choice as base models for RS, and (ii) empirically confirm this choice, obtaining state-of-the-art results in multiple settings. The key insight of our work is that the reduced variance of ensembles over the perturbations introduced in RS leads to significantly more consistent classifications for a given input. This, in turn, leads to substantially increased certifiable radii for samples close to the decision boundary. Additionally, we introduce key optimizations which enable an up to 55-fold decrease in sample complexity of RS for predetermined radii, thus drastically reducing its computational overhead. Experimentally, we show that ensembles of only 3 to 10 classifiers consistently improve on their strongest constituting model with respect to their average certified radius (ACR) by 5% to 21% on both CIFAR10 and ImageNet, achieving a new state-of-the-art ACR of 0.86 and 1.11, respectively. We release all code and models required to reproduce our results at https://github.com/eth-sri/smoothing-ensembles.
One-sentence Summary: We show -- theoretically and empirically -- that ensembles reduce variance under randomized smoothing, yielding higher certified accuracy, leading to a new state-of-the-art on CIFAR-10 and ImageNet.
Supplementary Material: zip
Community Implementations: [ 1 code implementation](https://www.catalyzex.com/paper/arxiv:2106.06946/code)
12 Replies
Loading