LGAI, Sep 20, 2024

Certified Adversarial Robustness via Partition-based Randomized Smoothing

arXiv:2409.13546v1
h-index: 15
Originality: Incremental advance
AI Analysis

This work addresses adversarial robustness for deep neural network classifiers in computer vision, offering an incremental improvement over existing randomized smoothing methods.

The paper tackles the problem of small certified robustness radii in high-dimensional image datasets under Gaussian smoothing by proposing Pixel Partitioning-based Randomized Smoothing (PPRS), which improves certified accuracy and stability against adversarial perturbations.

A reliable application of deep neural network classifiers requires robustness certificates against adversarial perturbations. Gaussian smoothing is a widely analyzed approach to certifying robustness against norm-bounded perturbations, where the certified prediction radius depends on the variance of the Gaussian noise and the confidence level of the neural net's prediction under the additive Gaussian noise. However, in application to high-dimensional image datasets, the certified radius of the plain Gaussian smoothing could be relatively small, since Gaussian noise with high variances can significantly harm the visibility of an image. In this work, we propose the Pixel Partitioning-based Randomized Smoothing (PPRS) methodology to boost the neural net's confidence score and thus the robustness radius of the certified prediction. We demonstrate that the proposed PPRS algorithm improves the visibility of the images under additive Gaussian noise. We discuss the numerical results of applying PPRS to standard computer vision datasets and neural network architectures. Our empirical findings indicate a considerable improvement in the certified accuracy and stability of the prediction model to the additive Gaussian noise in randomized smoothing.
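To make the dependence of the certified radius on the noise variance and the prediction confidence concrete, here is the standard Gaussian smoothing certificate the abstract refers to, written as an added example that is not code from the paper: with p_A a lower confidence bound on the probability that the base classifier returns the top class under N(0, σ²I) noise, the smoothed prediction is certified within L2 radius σ·Φ⁻¹(p_A) (Cohen et al., 2019). The function names, the confidence level and the vote counts are assumptions chosen for illustration.

```python
"""Gaussian randomized-smoothing certificate (added example, stdlib only).

Certified L2 radius R = sigma * Phi^{-1}(p_A), where p_A is a lower
confidence bound on the top-class vote fraction under Gaussian noise.
"""
import math
from statistics import NormalDist


def binom_lower_bound(k: int, n: int, alpha: float) -> float:
    """One-sided Clopper-Pearson lower bound on p from k successes in n trials.

    Returns the largest p_L with P[Bin(n, p_L) >= k] <= alpha, found by
    bisection on the exact binomial upper tail (evaluated in log space).
    """
    def upper_tail(p: float) -> float:
        lp, lq = math.log(p), math.log1p(-p)
        return sum(math.exp(math.lgamma(n + 1) - math.lgamma(i + 1)
                            - math.lgamma(n - i + 1) + i * lp + (n - i) * lq)
                   for i in range(k, n + 1))

    lo, hi = 0.0, 1.0
    for _ in range(60):                      # 60 halvings: ~1e-18 precision
        mid = (lo + hi) / 2
        if upper_tail(mid) < alpha:
            lo = mid
        else:
            hi = mid
    return lo


def certified_radius(k: int, n: int, sigma: float, alpha: float = 0.001) -> float:
    """L2 radius certified for one input; 0.0 means the smoothed classifier abstains.

    k of the n noisy samples produced the top class; this vote fraction is the
    'confidence under additive Gaussian noise' that the abstract mentions.
    """
    p_a = binom_lower_bound(k, n, alpha)
    if p_a <= 0.5:                            # not confidently a majority
        return 0.0
    return sigma * NormalDist().inv_cdf(p_a)


if __name__ == "__main__":
    # Constructed vote counts (assumed, not from the paper): at a fixed sigma a
    # higher vote fraction, which is what a confidence-boosting method such as
    # PPRS aims for, gives a larger radius; raising sigma helps only as long
    # as the votes stay high, which is the trade-off the abstract describes.
    for k, n, sigma in [(900, 1000, 0.25), (990, 1000, 0.25),
                        (990, 1000, 0.50), (700, 1000, 0.50)]:
        print(f"k={k} n={n} sigma={sigma}: R={certified_radius(k, n, sigma):.3f}")
```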
