Black-Box Certification with Randomized Smoothing: A Functional Optimization Based Framework

Abstract

Randomized classifiers have been shown to provide a promising approach for achieving certified robustness against adversarial attacks in deep learning. However, most existing methods only leverage Gaussian smoothing noise and only work for $\ell_2$ perturbation. We propose a general framework of adversarial certification with non-Gaussian noise and for more general types of attacks, from a unified functional optimization perspective. Our new framework allows us to identify a key trade-off between accuracy and robustness via designing smoothing distributions, helping to design new families of non-Gaussian smoothing distributions that work more efficiently for different $\ell_p$ settings, including $\ell_1$, $\ell_2$ and $\ell_\infty$ attacks. Our proposed methods achieve better certification results than previous works and provide a new perspective on randomized smoothing certification.

Cite

Text

Zhang et al. "Black-Box Certification with Randomized Smoothing: A Functional Optimization Based Framework." Neural Information Processing Systems, 2020.

Markdown

[Zhang et al. "Black-Box Certification with Randomized Smoothing: A Functional Optimization Based Framework." Neural Information Processing Systems, 2020.](https://mlanthology.org/neurips/2020/zhang2020neurips-blackbox/)

BibTeX

@inproceedings{zhang2020neurips-blackbox,
  title     = {{Black-Box Certification with Randomized Smoothing: A Functional Optimization Based Framework}},
  author    = {Zhang, Dinghuai and Ye, Mao and Gong, Chengyue and Zhu, Zhanxing and Liu, Qiang},
  booktitle = {Neural Information Processing Systems},
  year      = {2020},
  url       = {https://mlanthology.org/neurips/2020/zhang2020neurips-blackbox/}
}