Certified Distributional Robustness on Smoothed Classifiers

TL;DR

This paper introduces a new robustness certification for smoothed classifiers against adversarial attacks, providing tighter bounds and improved robustness through a novel training procedure, validated by extensive experiments.

Contribution

It proposes a distributional robustness certificate for smoothed classifiers and a training method that yields tighter bounds and enhanced robustness.

Findings

Outperforms state-of-the-art certified methods in robustness.

Provides a computationally efficient upper bound for robustness certification.

Demonstrates improved empirical robustness across multiple datasets.

Abstract

The robustness of deep neural networks (DNNs) against adversarial example attacks has raised wide attention. For smoothed classifiers, we propose the worst-case adversarial loss over input distributions as a robustness certificate. Compared with previous certificates, our certificate better describes the empirical performance of the smoothed classifiers. By exploiting duality and the smoothness property, we provide an easy-to-compute upper bound as a surrogate for the certificate. We adopt a noisy adversarial learning procedure to minimize the surrogate loss to improve model robustness. We show that our training method provides a theoretically tighter bound over the distributional robust base classifiers. Experiments on a variety of datasets further demonstrate superior robustness performance of our method over the state-of-the-art certified or heuristic methods.