Certified Adversarial Robustness via Randomized Smoothing
About
We show how to turn any classifier that classifies well under Gaussian noise into a new classifier that is certifiably robust to adversarial perturbations under the $\ell_2$ norm. This "randomized smoothing" technique has been proposed recently in the literature, but existing guarantees are loose. We prove a tight robustness guarantee in $\ell_2$ norm for smoothing with Gaussian noise. We use randomized smoothing to obtain an ImageNet classifier with e.g. a certified top-1 accuracy of 49% under adversarial perturbations with $\ell_2$ norm less than 0.5 (=127/255). No certified defense has been shown feasible on ImageNet except for smoothing. On smaller-scale datasets where competing approaches to certified $\ell_2$ robustness are viable, smoothing delivers higher certified accuracies. Our strong empirical results suggest that randomized smoothing is a promising direction for future research into adversarially robust classification. Code and models are available at http://github.com/locuslab/smoothing.
Related benchmarks
| Task | Dataset | Result | Rank | |
|---|---|---|---|---|
| Image Classification | MNIST | -- | 398 | |
| SAR Image Classification | MSTAR publicly released | Accuracy99.45 | 91 | |
| Image Classification | CIFAR-10 corrupted (test) | Acc88.3 | 30 | |
| Certified Image Classification | MNIST (test) | Certified Accuracy (r=0.00)99.25 | 27 | |
| Image Classification Certified Robustness | MNIST (test) | Overall ACR1.62 | 27 | |
| Certified Robustness | CIFAR-10 (test) | Accuracy (Standard)92.7 | 26 | |
| Certified Robustness | CIFAR10 | Certified Accuracy (R=0.00)76 | 18 | |
| Certified Robustness | MNIST | Certified Accuracy (R=0.00)97 | 18 | |
| Certified Robustness | ImageNet | Inference Time (s)123.5 | 18 | |
| Image Classification | CIFAR-10.1 1.0 (test) | Accuracy76.7 | 14 |