TL;DR
This paper investigates the strengths and limitations of randomized smoothing for robustness certification, exploring how divergence choices affect guarantees and demonstrating its limitations in high-dimensional settings.
Contribution
It extends randomized smoothing to certify robustness against any p adversarial perturbation and analyzes its limitations related to the curse of dimensionality.
Findings
Certification against any p perturbation is possible.
Randomized smoothing's effectiveness diminishes as the dimension increases.
The curse of dimensionality limits the radius of certifiable robustness.
Abstract
Randomized smoothing, a method to certify a classifier's decision on an input is invariant under adversarial noise, offers attractive advantages over other certification methods. It operates in a black-box and so certification is not constrained by the size of the classifier's architecture. Here, we extend the work of Li et al. \cite{li2018second}, studying how the choice of divergence between smoothing measures affects the final robustness guarantee, and how the choice of smoothing measure itself can lead to guarantees in differing threat models. To this end, we develop a method to certify robustness against any () minimized adversarial perturbation. We then demonstrate a negative result, that randomized smoothing suffers from the curse of dimensionality; as increases, the effective radius around an input one can certify vanishes.
Videos
Extensions and Limitations of Randomized Smoothing for Robustness Guarantees (YouTube)
Taxonomy
Methods: Randomized Smoothing
