Intriguing Properties of Input-dependent Randomized Smoothing
This work addresses flaws in state-of-the-art robust classification methods, offering a more formally justified approach, though it is incremental with strict restrictions.
The paper tackles the lack of formal guarantees in input-dependent randomized smoothing for certifiably robust classifiers, showing it suffers from the curse of dimensionality, and provides a theoretical and practical framework with a concrete design tested on CIFAR10 and MNIST to mitigate some problems of classical smoothing.
Randomized smoothing is currently considered the state-of-the-art method to obtain certifiably robust classifiers. Despite its remarkable performance, the method is associated with various serious problems such as "certified accuracy waterfalls", certification vs.\ accuracy trade-off, or even fairness issues. Input-dependent smoothing approaches have been proposed with intention of overcoming these flaws. However, we demonstrate that these methods lack formal guarantees and so the resulting certificates are not justified. We show that in general, the input-dependent smoothing suffers from the curse of dimensionality, forcing the variance function to have low semi-elasticity. On the other hand, we provide a theoretical and practical framework that enables the usage of input-dependent smoothing even in the presence of the curse of dimensionality, under strict restrictions. We present one concrete design of the smoothing variance function and test it on CIFAR10 and MNIST. Our design mitigates some of the problems of classical smoothing and is formally underlined, yet further improvement of the design is still necessary.