Raising the Bar for Certified Adversarial Robustness with Diffusion Models
Thomas Altstidl, David Dobre, Björn Eskofier, Gauthier Gidel, Leo Schwinn

TL;DR
This paper enhances deterministic certified adversarial robustness using diffusion-generated data, achieving state-of-the-art results on CIFAR datasets by leveraging insights into model generalization gaps.
Contribution
It demonstrates that diffusion model-generated data can significantly improve certified defenses, providing practical recommendations and insights into robustness scaling.
Findings
Achieves state-of-the-art certified robustness on CIFAR-10.
Improves on the previous best results by +3.95% and +1.39%.
The generalization gap (training minus test accuracy) predicts how much additional data improves certified robustness.
Abstract
Certified defenses against adversarial attacks offer formal guarantees on the robustness of a model, making them more reliable than empirical methods such as adversarial training, whose effectiveness is often later reduced by unseen attacks. Still, the limited certified robustness that is currently achievable has been a bottleneck for their practical adoption. Gowal et al. and Wang et al. have shown that generating additional training data using state-of-the-art diffusion models can considerably improve the robustness of adversarial training. In this work, we demonstrate that a similar approach can substantially improve deterministic certified defenses. In addition, we provide a list of recommendations to scale the robustness of certified training approaches. One of our main insights is that the generalization gap, i.e., the difference between the training and test accuracy of the…
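As an added illustration (not code from the paper, and not its certification procedure, which this page does not describe), the toy below shows what a deterministic certificate looks like in the simplest case. For a linear classifier the logit gap between the true class y and a competitor j is exactly ||w_y - w_j||_2-Lipschitz under l2 perturbations, so an input is provably robust at radius eps whenever every margin exceeds eps times that norm; no sampling or probability is involved, which is what distinguishes deterministic from randomized certification. The weights, inputs and labels are constructed, and the worst-case check uses the fact that, for a linear map, the most damaging direction against class j is w_j - w_y.

```python
import math

# Constructed toy 3-class linear classifier (example data, not the paper's model):
# logits(x) = W x + b with inputs in R^2.
W = [[2.0, 0.0], [0.0, 2.0], [-1.5, -1.5]]
B = [0.0, 0.0, 0.5]

# Constructed labelled inputs; the last three sit close to decision boundaries.
DATA = [
    ((1.0, 0.0), 0),
    ((0.0, 1.0), 1),
    ((-1.0, -1.0), 2),
    ((0.3, 0.2), 0),
    ((0.2, 0.3), 0),   # misclassified by design: clean error, so never certified
    ((-0.2, -0.2), 2),
]


def logits(x):
    return [sum(w * xi for w, xi in zip(row, x)) + b for row, b in zip(W, B)]


def predict(x):
    z = logits(x)
    return max(range(len(z)), key=z.__getitem__)


def pair_lipschitz(i, j):
    """l2-Lipschitz constant of the logit gap z_i - z_j.
    For a linear map this is exactly ||w_i - w_j||_2 (no over-approximation)."""
    return math.sqrt(sum((a - c) ** 2 for a, c in zip(W[i], W[j])))


def certified_radius(x, y):
    """Largest l2 radius within which the label y provably cannot change.
    Returns 0.0 if the clean prediction is already wrong."""
    z = logits(x)
    if predict(x) != y:
        return 0.0
    return min((z[y] - z[j]) / pair_lipschitz(y, j) for j in range(len(W)) if j != y)


def certified_accuracy(data, eps):
    """Fraction of inputs that are correct AND certified at radius eps.
    eps=0 reduces to clean accuracy."""
    return sum(1 for x, y in data if certified_radius(x, y) > eps) / len(data)


def worst_case_flip(x, y, eps):
    """Sanity check on the certificate: the strongest l2 attack on class j
    moves x by eps along (w_j - w_y). True if any such move changes the label."""
    for j in range(len(W)):
        if j == y:
            continue
        d = [wj - wy for wj, wy in zip(W[j], W[y])]
        n = math.sqrt(sum(v * v for v in d))
        xp = [xi + eps * v / n for xi, v in zip(x, d)]
        if predict(xp) != y:
            return True
    return False


def generalization_gap(train_acc, test_acc):
    """Train-minus-test accuracy, the quantity the abstract singles out
    as a predictor of how much extra training data will help."""
    return train_acc - test_acc


if __name__ == "__main__":
    for eps in (0.0, 0.05, 0.1, 0.5):
        print(f"eps={eps:.2f}: certified accuracy = {certified_accuracy(DATA, eps):.3f}")
    # Every certified point must survive the worst-case perturbation just inside its radius.
    for x, y in DATA:
        r = certified_radius(x, y)
        assert r == 0.0 or not worst_case_flip(x, y, 0.999 * r)
```

Two things carry over to real certified training. First, certified accuracy is monotone non-increasing in eps and bounded above by clean accuracy, so the generalization gap caps what any certificate can report on the test set. Second, for deep networks the per-pair Lipschitz bound is an upper bound rather than an exact value, so the certificate is sound but looser than this linear case; the attack check then still holds, but the converse (every uncertified point is attackable) does not.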
Taxonomy
Topics: Adversarial Robustness in Machine Learning
Methods: Test · Diffusion
