Understanding Noise-Augmented Training for Randomized Smoothing

TL;DR

This paper provides a theoretical analysis of noise-augmented training in randomized smoothing, clarifying when it improves robustness and when it does not, supported by experiments on standard datasets.

Contribution

It offers the first theoretical characterization of the effects of noise-augmented training for randomized smoothing, identifying conditions for its benefits.

Findings

No benefit from noise-augmented training under general distributional assumptions.

Certain distributions allow for improved robustness with noise-augmented training.

Experimental validation on CIFAR-10, MNIST, and synthetic datasets supports theoretical insights.

Abstract

Randomized smoothing is a technique for providing provable robustness guarantees against adversarial attacks while making minimal assumptions about a classifier. This method relies on taking a majority vote of any base classifier over multiple noise-perturbed inputs to obtain a smoothed classifier, and it remains the tool of choice to certify deep and complex neural network models. Nonetheless, non-trivial performance of such smoothed classifier crucially depends on the base model being trained on noise-augmented data, i.e., on a smoothed input distribution. While widely adopted in practice, it is still unclear how this noisy training of the base classifier precisely affects the risk of the robust smoothed classifier, leading to heuristics and tricks that are poorly understood. In this work we analyze these trade-offs theoretically in a binary classification setting, proving that these common observations are not universal. We show that, without making stronger distributional assumptions, no benefit can be expected from predictors trained with noise-augmentation, and we further characterize distributions where such benefit is obtained. Our analysis has direct implications to the practical deployment of randomized smoothing, and we illustrate some of these via experiments on CIFAR-10 and MNIST, as well as on synthetic datasets.