LG, CR, ML | Jan 8, 2020

MACER: Attack-free and Scalable Robust Training via Maximizing Certified Radius

arXiv:2001.02378v4 | 199 citations
Originality: Highly original
AI Analysis

This paper addresses the need for scalable and efficient robust training in machine learning. Its approach is novel in that it avoids adversarial attacks during training, though it builds on existing randomized smoothing techniques.

The paper tackles the problem that adversarial training is attack-dependent and computationally expensive. It proposes MACER, an attack-free algorithm that trains provably robust smoothed classifiers by maximizing the certified radius. MACER achieves a larger average certified radius and faster training times than state-of-the-art adversarial training methods on datasets such as Cifar-10 and ImageNet.

Adversarial training is one of the most popular ways to learn robust models but is usually attack-dependent and time costly. In this paper, we propose the MACER algorithm, which learns robust models without using adversarial training but performs better than all existing provable l2-defenses. Recent work shows that randomized smoothing can be used to provide a certified l2 radius to smoothed classifiers, and our algorithm trains provably robust smoothed classifiers via MAximizing the CErtified Radius (MACER). The attack-free characteristic makes MACER faster to train and easier to optimize. In our experiments, we show that our method can be applied to modern deep neural networks on a wide range of datasets, including Cifar-10, ImageNet, MNIST, and SVHN. For all tasks, MACER spends less training time than state-of-the-art adversarial training algorithms, and the learned models achieve larger average certified radius.

Code Implementations: 2 repos