Certified Adversarial Robustness via Randomized Smoothing

TL;DR

This paper introduces a method called randomized smoothing that transforms classifiers into ones with provable robustness against adversarial attacks under the  norm, achieving high certified accuracy on ImageNet.

Contribution

It provides a tight  norm robustness guarantee for Gaussian noise smoothing, improving upon previous loose bounds and demonstrating strong empirical results on large datasets.

Findings

Achieved 49% certified top-1 accuracy on ImageNet under  norm perturbations

Provided the first feasible certified defense on ImageNet using smoothing

Outperformed other certified  robustness methods on smaller datasets

Abstract

We show how to turn any classifier that classifies well under Gaussian noise into a new classifier that is certifiably robust to adversarial perturbations under the $\ell_2$ norm. This "randomized smoothing" technique has been proposed recently in the literature, but existing guarantees are loose. We prove a tight robustness guarantee in $\ell_2$ norm for smoothing with Gaussian noise. We use randomized smoothing to obtain an ImageNet classifier with e.g. a certified top-1 accuracy of 49% under adversarial perturbations with $\ell_2$ norm less than 0.5 (=127/255). No certified defense has been shown feasible on ImageNet except for smoothing. On smaller-scale datasets where competing approaches to certified $\ell_2$ robustness are viable, smoothing delivers higher certified accuracies. Our strong empirical results suggest that randomized smoothing is a promising direction for future research into adversarially robust classification. Code and models are available at http://github.com/locuslab/smoothing.