Constructing a provably adversarially-robust classifier from a high accuracy one

TL;DR

This paper presents a method to transform high-accuracy classifiers into ones that are provably robust against adversarial b5-bounded perturbations using randomized smoothing, with theoretical bounds on adversarial error.

Contribution

It introduces a novel framework combining randomized smoothing with techniques like random partitions to achieve provable adversarial robustness from black-box high-accuracy models.

Findings

Bound the adversarial error in terms of the optimal error

Framework applies to b5-bounded adversaries using randomized smoothing

Bounds are shown to be optimal in some cases

Abstract

Modern machine learning models with very high accuracy have been shown to be vulnerable to small, adversarially chosen perturbations of the input. Given black-box access to a high-accuracy classifier $f$, we show how to construct a new classifier $g$ that has high accuracy and is also robust to adversarial $\ell_2$-bounded perturbations. Our algorithm builds upon the framework of \textit{randomized smoothing} that has been recently shown to outperform all previous defenses against $\ell_2$-bounded adversaries. Using techniques like random partitions and doubling dimension, we are able to bound the adversarial error of $g$ in terms of the optimum error. In this paper we focus on our conceptual contribution, but we do present two examples to illustrate our framework. We will argue that, under some assumptions, our bounds are optimal for these cases.