Towards Evading the Limits of Randomized Smoothing: A Theoretical Analysis

TL;DR

This paper challenges the perceived limitations of randomized smoothing for adversarial defenses, proposing methods to improve certification quality by leveraging more classifier information without sacrificing accuracy.

Contribution

It demonstrates that current certification methods overlook classifier details, and proposes a way to approximate optimal certificates by probing the decision boundary with multiple noise distributions.

Findings

Current certificates are blind to local curvature of decision boundaries.

Probing with multiple noise distributions can approximate optimal certificates.

Enhanced certification methods do not compromise natural accuracy.

Abstract

Randomized smoothing is the dominant standard for provable defenses against adversarial examples. Nevertheless, this method has recently been proven to suffer from important information theoretic limitations. In this paper, we argue that these limitations are not intrinsic, but merely a byproduct of current certification methods. We first show that these certificates use too little information about the classifier, and are in particular blind to the local curvature of the decision boundary. This leads to severely sub-optimal robustness guarantees as the dimension of the problem increases. We then show that it is theoretically possible to bypass this issue by collecting more information about the classifier. More precisely, we show that it is possible to approximate the optimal certificate with arbitrary precision, by probing the decision boundary with several noise distributions. Since this process is executed at certification time rather than at test time, it entails no loss in natural accuracy while enhancing the quality of the certificates. This result fosters further research on classifier-specific certification and demonstrates that randomized smoothing is still worth investigating. Although classifier-specific certification may induce more computational cost, we also provide some theoretical insight on how to mitigate it.