Almost Tight L0-norm Certified Robustness of Top-k Predictions against Adversarial Perturbations

TL;DR

This paper introduces a nearly optimal method using randomized smoothing to certify the robustness of top-k predictions against $ ext{l}_0$-norm adversarial attacks, addressing a gap in existing robustness guarantees.

Contribution

It provides the first almost tight $ ext{l}_0$-norm certified robustness guarantee for top-$k$ predictions, extending robustness certification beyond top-1 and $ ext{l}_2$-norm scenarios.

Findings

Achieves 69.2% certified top-3 accuracy on ImageNet with 5-pixel perturbations.

Provides a theoretical guarantee that is nearly tight for $ ext{l}_0$-norm robustness.

Empirically validates effectiveness on CIFAR10 and ImageNet datasets.

Abstract

Top-k predictions are used in many real-world applications such as machine learning as a service, recommender systems, and web searches. $\ell_0$-norm adversarial perturbation characterizes an attack that arbitrarily modifies some features of an input such that a classifier makes an incorrect prediction for the perturbed input. $\ell_0$-norm adversarial perturbation is easy to interpret and can be implemented in the physical world. Therefore, certifying robustness of top-$k$ predictions against $\ell_0$-norm adversarial perturbation is important. However, existing studies either focused on certifying $\ell_0$-norm robustness of top-$1$ predictions or $\ell_2$-norm robustness of top-$k$ predictions. In this work, we aim to bridge the gap. Our approach is based on randomized smoothing, which builds a provably robust classifier from an arbitrary classifier via randomizing an input. Our major theoretical contribution is an almost tight $\ell_0$-norm certified robustness guarantee for top-$k$ predictions. We empirically evaluate our method on CIFAR10 and ImageNet. For instance, our method can build a classifier that achieves a certified top-3 accuracy of 69.2\% on ImageNet when an attacker can arbitrarily perturb 5 pixels of a testing image.