Theoretical evidence for adversarial robustness through randomization

TL;DR

This paper provides a theoretical foundation for the effectiveness of randomization techniques in enhancing neural network robustness against adversarial attacks, explaining their success and offering new bounds.

Contribution

It introduces a theoretical analysis linking randomization rate to robustness and proposes a new upper bound on adversarial generalization gap for randomized networks.

Findings

Randomization rate correlates with increased robustness.

Theoretical bounds explain the effectiveness of noise injection.

Experimental results support the theoretical claims.

Abstract

This paper investigates the theory of robustness against adversarial attacks. It focuses on the family of randomization techniques that consist in injecting noise in the network at inference time. These techniques have proven effective in many contexts, but lack theoretical arguments. We close this gap by presenting a theoretical analysis of these approaches, hence explaining why they perform well in practice. More precisely, we make two new contributions. The first one relates the randomization rate to robustness to adversarial attacks. This result applies for the general family of exponential distributions, and thus extends and unifies the previous approaches. The second contribution consists in devising a new upper bound on the adversarial generalization gap of randomized neural networks. We support our theoretical claims with a set of experiments.