General Lipschitz: Certified Robustness Against Resolvable Semantic Transformations via Transformation-Dependent Randomized Smoothing
This addresses the need for provable robustness in image classifiers against semantic adversarial attacks, though it appears incremental as it builds on existing randomized smoothing approaches.
The paper tackled the problem of certifying neural networks against composable semantic transformations like blurring and translation, proposing the General Lipschitz framework and achieving performance comparable to state-of-the-art methods on ImageNet.
Randomized smoothing is the state-of-the-art approach to construct image classifiers that are provably robust against additive adversarial perturbations of bounded magnitude. However, it is more complicated to construct reasonable certificates against semantic transformation (e.g., image blurring, translation, gamma correction) and their compositions. In this work, we propose \emph{General Lipschitz (GL),} a new framework to certify neural networks against composable resolvable semantic perturbations. Within the framework, we analyze transformation-dependent Lipschitz-continuity of smoothed classifiers w.r.t. transformation parameters and derive corresponding robustness certificates. Our method performs comparably to state-of-the-art approaches on the ImageNet dataset.