Robust and Accurate -- Compositional Architectures for Randomized Smoothing
This addresses the limitation of real-world utility for certifiably robust models in machine learning, offering a solution that balances accuracy and robustness.
The paper tackles the problem of randomized smoothing approaches drastically decreasing standard accuracy on unperturbed data, proposing a compositional architecture (ACES) that achieves 80.0% natural accuracy and 28.2% certifiable accuracy against ℓ₂ perturbations on ImageNet.
Randomized Smoothing (RS) is considered the state-of-the-art approach to obtain certifiably robust models for challenging tasks. However, current RS approaches drastically decrease standard accuracy on unperturbed data, severely limiting their real-world utility. To address this limitation, we propose a compositional architecture, ACES, which certifiably decides on a per-sample basis whether to use a smoothed model yielding predictions with guarantees or a more accurate standard model without guarantees. This, in contrast to prior approaches, enables both high standard accuracies and significant provable robustness. On challenging tasks such as ImageNet, we obtain, e.g., $80.0\%$ natural accuracy and $28.2\%$ certifiable accuracy against $\ell_2$ perturbations with $r=1.0$. We release our code and models at https://github.com/eth-sri/aces.