REaaS: Enabling Adversarially Robust Downstream Classifiers via Robust Encoder as a Service

TL;DR

This paper introduces REaaS, a cloud-based encoder service designed to help clients build and certify adversarially robust classifiers efficiently, by providing minimal APIs and using spectral-norm regularization during pre-training.

Contribution

It proposes a minimal API design for cloud encoder services that facilitates robustness certification and demonstrates that spectral-norm regularization improves downstream classifier robustness.

Findings

Two APIs suffice for robustness certification with minimal queries.

Spectral-norm regularization during pre-training enhances downstream robustness.

The approach enables secure and reliable classifier deployment in safety-critical applications.

Abstract

Encoder as a service is an emerging cloud service. Specifically, a service provider first pre-trains an encoder (i.e., a general-purpose feature extractor) via either supervised learning or self-supervised learning and then deploys it as a cloud service API. A client queries the cloud service API to obtain feature vectors for its training/testing inputs when training/testing its classifier (called downstream classifier). A downstream classifier is vulnerable to adversarial examples, which are testing inputs with carefully crafted perturbation that the downstream classifier misclassifies. Therefore, in safety and security critical applications, a client aims to build a robust downstream classifier and certify its robustness guarantees against adversarial examples. What APIs should the cloud service provide, such that a client can use any certification method to certify the robustness of its downstream classifier against adversarial examples while minimizing the number of queries to the APIs? How can a service provider pre-train an encoder such that clients can build more certifiably robust downstream classifiers? We aim to answer the two questions in this work. For the first question, we show that the cloud service only needs to provide two APIs, which we carefully design, to enable a client to certify the robustness of its downstream classifier with a minimal number of queries to the APIs. For the second question, we show that an encoder pre-trained using a spectral-norm regularization term enables clients to build more robust downstream classifiers.