LG, CV | Sep 13, 2025

Robustifying Diffusion-Denoised Smoothing Against Covariate Shift

arXiv:2509.10913v1 | h-index: 3 | Has Code
Originality: Incremental advance
AI Analysis

This addresses a robustness problem for users of randomized smoothing in adversarial machine learning, offering an incremental improvement over existing methods.

The paper tackled the performance degradation in Diffusion Denoised Smoothing due to covariate shift from noise misestimation, and proposed an adversarial objective function that significantly improved certified accuracy, achieving new state-of-the-art results on MNIST, CIFAR-10, and ImageNet benchmarks.

Randomized smoothing is a well-established method for achieving certified robustness against l2-adversarial perturbations. By incorporating a denoiser before the base classifier, pretrained classifiers can be seamlessly integrated into randomized smoothing without significant performance degradation. Among existing methods, Diffusion Denoised Smoothing - where a pretrained denoising diffusion model serves as the denoiser - has produced state-of-the-art results. However, we show that employing a denoising diffusion model introduces a covariate shift via misestimation of the added noise, ultimately degrading the smoothed classifier's performance. To address this issue, we propose a novel adversarial objective function focused on the added noise of the denoising diffusion model. This approach is inspired by our understanding of the origin of the covariate shift. Our goal is to train the base classifier to ensure it is robust against the covariate shift introduced by the denoiser. Our method significantly improves certified accuracy across three standard classification benchmarks - MNIST, CIFAR-10, and ImageNet - achieving new state-of-the-art performance in l2-adversarial perturbations. Our implementation is publicly available at https://github.com/ahedayat/Robustifying-DDS-Against-Covariate-Shift
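The denoise-then-classify certification the abstract describes, as an added toy example (not code from the paper or its repository). It assumes a linear base classifier, a constructed `miss` parameter modelling the fraction of added noise the denoiser fails to remove, the standard randomized-smoothing radius sigma * Phi^-1(p_lower), and a Hoeffding bound in place of the usual Clopper-Pearson interval.

```python
import math
import random
from statistics import NormalDist

SIGMA = 0.5  # smoothing noise level (constructed value)


def base_classifier(z):
    # Toy linear classifier standing in for a pretrained model fit on clean data.
    return 1 if sum(z) > 0 else 0


def denoise(noisy, eps, miss):
    # Toy denoiser (assumption): its noise estimate is (1 - miss) * eps.
    # miss = 0 is a perfect estimate; miss > 0 leaves residual noise, so the
    # classifier sees inputs that are off the clean-data distribution.
    return [v - SIGMA * (1.0 - miss) * e for v, e in zip(noisy, eps)]


def certify(x, miss, n=2000, alpha=0.001, seed=0):
    """Return (predicted class or None on abstain, certified l2 radius)."""
    rng = random.Random(seed)
    votes = [0, 0]
    for _ in range(n):
        eps = [rng.gauss(0.0, 1.0) for _ in x]
        noisy = [v + SIGMA * e for v, e in zip(x, eps)]
        votes[base_classifier(denoise(noisy, eps, miss))] += 1
    top = 0 if votes[0] >= votes[1] else 1
    # Hoeffding lower bound on the top-class probability (confidence 1 - alpha).
    p_lower = votes[top] / n - math.sqrt(math.log(1.0 / alpha) / (2 * n))
    if p_lower <= 0.5:
        return None, 0.0  # cannot certify: abstain
    return top, SIGMA * NormalDist().inv_cdf(p_lower)


if __name__ == "__main__":
    x = [0.2, 0.2, 0.2, 0.2]  # constructed clean input, true class 1
    for miss in (0.0, 0.3, 0.6):
        label, radius = certify(x, miss)
        print(f"miss={miss:.1f} class={label} certified_l2_radius={radius:.3f}")
```

The prediction stays the same in all three runs, but the certified radius shrinks as `miss` grows, which is the degradation a base classifier trained only on clean inputs suffers under denoiser-induced shift.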

Code Implementations: 1 repo