Certified Robustness for Top-k Predictions against Adversarial Perturbations via Randomized Smoothing

TL;DR

This paper extends randomized smoothing techniques to provide certified robustness guarantees for top-k predictions in neural classifiers against adversarial perturbations, addressing a key limitation of existing methods focused on top-1 accuracy.

Contribution

It introduces a novel method to derive tight $\,ell_2$ robustness bounds for top-$k$ predictions using randomized smoothing, applicable to large-scale neural networks.

Findings

Achieves 62.8 ext{%} certified top-5 accuracy on ImageNet at $\, ext{l}_2$ perturbation norm 0.5

Extends certified robustness guarantees from top-1 to top-$k$ predictions

Demonstrates scalability and effectiveness on CIFAR10 and ImageNet datasets.

Abstract

It is well-known that classifiers are vulnerable to adversarial perturbations. To defend against adversarial perturbations, various certified robustness results have been derived. However, existing certified robustnesses are limited to top-1 predictions. In many real-world applications, top-$k$ predictions are more relevant. In this work, we aim to derive certified robustness for top-$k$ predictions. In particular, our certified robustness is based on randomized smoothing, which turns any classifier to a new classifier via adding noise to an input example. We adopt randomized smoothing because it is scalable to large-scale neural networks and applicable to any classifier. We derive a tight robustness in $\ell_2$ norm for top-$k$ predictions when using randomized smoothing with Gaussian noise. We find that generalizing the certified robustness from top-1 to top-$k$ predictions faces significant technical challenges. We also empirically evaluate our method on CIFAR10 and ImageNet. For example, our method can obtain an ImageNet classifier with a certified top-5 accuracy of 62.8\% when the $\ell_2$-norms of the adversarial perturbations are less than 0.5 (=127/255). Our code is publicly available at: \url{https://github.com/jjy1994/Certify_Topk}.