Robust and Accurate -- Compositional Architectures for Randomized Smoothing

TL;DR

This paper introduces ACES, a compositional architecture that balances high standard accuracy and provable robustness in randomized smoothing models, especially on challenging datasets like ImageNet.

Contribution

The paper proposes ACES, a novel compositional architecture that adaptively chooses between a robust smoothed model and an accurate standard model per sample.

Findings

Achieves 80.0% natural accuracy on ImageNet.

Provides 28.2% certifiable accuracy against ℓ2 perturbations with r=1.0.

Enables high accuracy and robustness simultaneously.

Abstract

Randomized Smoothing (RS) is considered the state-of-the-art approach to obtain certifiably robust models for challenging tasks. However, current RS approaches drastically decrease standard accuracy on unperturbed data, severely limiting their real-world utility. To address this limitation, we propose a compositional architecture, ACES, which certifiably decides on a per-sample basis whether to use a smoothed model yielding predictions with guarantees or a more accurate standard model without guarantees. This, in contrast to prior approaches, enables both high standard accuracies and significant provable robustness. On challenging tasks such as ImageNet, we obtain, e.g., $80.0\%$ natural accuracy and $28.2\%$ certifiable accuracy against $\ell_2$ perturbations with $r=1.0$. We release our code and models at https://github.com/eth-sri/aces.