DE-CROP: Data-efficient Certified Robustness for Pretrained Classifiers
Gaurav Kumar Nayak, Ruchit Rawal, Anirban Chakraborty

TL;DR
DE-CROP introduces a data-efficient method to certify the robustness of pretrained classifiers against adversarial attacks using limited training samples, by generating diverse class-boundary and interpolated samples for effective denoiser training.
Contribution
The paper proposes a novel approach to certify robustness of pretrained models with few training samples, utilizing class-boundary and interpolated sample generation and distribution matching techniques.
Findings
Significant robustness certification improvements on benchmark datasets.
Effective in both white-box and black-box attack scenarios.
Outperforms existing methods with limited training data.
Abstract
Certified defense using randomized smoothing is a popular technique to provide robustness guarantees for deep neural networks against l2 adversarial attacks. Existing works use this technique to provably secure a pretrained non-robust model by training a custom denoiser network on entire training data. However, access to the training set may be restricted to a handful of data samples due to constraints such as high transmission cost and the proprietary nature of the data. Thus, we formulate a novel problem of "how to certify the robustness of pretrained models using only a few training samples". We observe that training the custom denoiser directly using the existing techniques on limited samples yields poor certification. To overcome this, our proposed approach (DE-CROP) generates class-boundary and interpolated samples corresponding to each training sample, ensuring high diversity in…
Videos
DE-CROP: Data-efficient Certified Robustness for Pretrained Classifiers (YouTube)
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Anomaly Detection Techniques and Applications · Domain Adaptation and Few-Shot Learning
Methods: Randomized Smoothing
