Boosting Randomized Smoothing with Variance Reduced Classifiers

TL;DR

This paper enhances randomized smoothing by using ensembles of classifiers to reduce variance, leading to larger certifiable radii and significant computational efficiency improvements, achieving state-of-the-art results on CIFAR10 and ImageNet.

Contribution

It provides a theoretical and empirical demonstration that ensembles improve randomized smoothing robustness, introduces optimizations for efficiency, and achieves new state-of-the-art results.

Findings

Ensembles significantly increase certifiable radii.

Up to 55-fold reduction in sample complexity.

Achieved state-of-the-art average certified radius on CIFAR10 and ImageNet.

Abstract

Randomized Smoothing (RS) is a promising method for obtaining robustness certificates by evaluating a base model under noise. In this work, we: (i) theoretically motivate why ensembles are a particularly suitable choice as base models for RS, and (ii) empirically confirm this choice, obtaining state-of-the-art results in multiple settings. The key insight of our work is that the reduced variance of ensembles over the perturbations introduced in RS leads to significantly more consistent classifications for a given input. This, in turn, leads to substantially increased certifiable radii for samples close to the decision boundary. Additionally, we introduce key optimizations which enable an up to 55-fold decrease in sample complexity of RS for predetermined radii, thus drastically reducing its computational overhead. Experimentally, we show that ensembles of only 3 to 10 classifiers consistently improve on their strongest constituting model with respect to their average certified radius (ACR) by 5% to 21% on both CIFAR10 and ImageNet, achieving a new state-of-the-art ACR of 0.86 and 1.11, respectively. We release all code and models required to reproduce our results at https://github.com/eth-sri/smoothing-ensembles.