Tight Certificates of Adversarial Robustness for Randomly Smoothed Classifiers
Guang-He Lee, Yang Yuan, Shiyu Chang, and Tommi S. Jaakkola

TL;DR
This paper extends theoretical robustness guarantees for randomized classifiers to broader distribution classes, including discrete cases and decision trees, with empirical validation on image and molecule datasets.
Contribution
It introduces new robustness guarantees and algorithms for $\ell_0$-bounded adversaries and decision trees, expanding prior work on Gaussian noise ensembles.
Findings
Robustness guarantees for $\ell_2$ and $\ell_0$ adversaries.
Algorithms for certifying robustness in discrete settings.
Empirical validation on image and molecule datasets.
Abstract
Strong theoretical guarantees of robustness can be given for ensembles of classifiers generated by input randomization. Specifically, an $\ell_2$-bounded adversary cannot alter the ensemble prediction generated with additive isotropic Gaussian noise, where the radius for the adversary depends on both the variance of the distribution and the ensemble margin at the point of interest. We build on and considerably expand this work across broad classes of distributions. In particular, we offer adversarial robustness guarantees and associated algorithms for the discrete case where the adversary is $\ell_0$-bounded. Moreover, we exemplify how the guarantees can be tightened with specific assumptions about the function class of the classifier, such as a decision tree. We empirically illustrate these results with and without functional restrictions across image and molecule datasets.
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Anomaly Detection Techniques and Applications · Machine Learning and Algorithms
