Certified Adversarial Robustness with Additive Noise
Bai Li, Changyou Chen, Wenlin Wang, Lawrence Carin

TL;DR
This paper introduces a scalable framework that certifies robustness against adversarial attacks by leveraging additive noise, improving bounds, and demonstrating effectiveness on large datasets and complex models.
Contribution
It presents a novel scalable approach connecting adversarial robustness with additive noise, offering certified bounds and improved robustness guarantees.
Findings
Effective on MNIST, CIFAR-10, and ImageNet datasets.
Provides competitive robustness compared to state-of-the-art methods.
Scalable to large models and datasets.
Abstract
The existence of adversarial data examples has drawn significant attention in the deep-learning community; such data are seemingly minimally perturbed relative to the original data, but lead to very different outputs from a deep-learning algorithm. Although a significant body of work on developing defensive models has been considered, most such models are heuristic and are often vulnerable to adaptive attacks. Defensive methods that provide theoretical robustness guarantees have been studied intensively, yet most fail to obtain non-trivial robustness when a large-scale model and data are present. To address these limitations, we introduce a framework that is scalable and provides certified bounds on the norm of the input manipulation for constructing adversarial examples. We establish a connection between robustness against adversarial perturbation and additive random noise, and propose…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Integrated Circuits and Semiconductor Failure Analysis · Physical Unclonable Functions (PUFs) and Hardware Security
