[Re] Double Sampling Randomized Smoothing

TL;DR

This paper introduces Double Sampling Randomized Smoothing (DSRS), a novel method that enhances neural network robustness certification against adversarial attacks by using an additional smoothing distribution, validated on MNIST and CIFAR-10.

Contribution

The paper proposes DSRS, a new randomized smoothing framework that improves robustness certification by employing an extra smoothing distribution, with efficient implementation for Gaussian smoothing.

Findings

DSRS certifies larger robust radii than existing methods.

Experimental results on MNIST and CIFAR-10 validate DSRS's effectiveness.

Ablation studies analyze hyperparameters and adversarial training effects.

Abstract

This paper is a contribution to the reproducibility challenge in the field of machine learning, specifically addressing the issue of certifying the robustness of neural networks (NNs) against adversarial perturbations. The proposed Double Sampling Randomized Smoothing (DSRS) framework overcomes the limitations of existing methods by using an additional smoothing distribution to improve the robustness certification. The paper provides a clear manifestation of DSRS for a generalized family of Gaussian smoothing and a computationally efficient method for implementation. The experiments on MNIST and CIFAR-10 demonstrate the effectiveness of DSRS, consistently certifying larger robust radii compared to other methods. Also various ablations studies are conducted to further analyze the hyperparameters and effect of adversarial training methods on the certified radius by the proposed framework.