Certifying Adapters: Enabling and Enhancing the Certification of Classifier Adversarial Robustness
Jieren Deng, Hanbin Hong, Aaron Palmer, Xin Zhou, Jinbo Bi, Kaleel Mahmood, Yuan Hong, Derek Aguiar

TL;DR
This paper introduces the Certifying Adapters Framework (CAF), a versatile method that enhances and broadens the certification of classifier adversarial robustness. It is compatible with various architectures and pre-trained models, and improves certified accuracy across datasets.
Contribution
The paper presents CAF, a novel framework that enables certification of adversarial robustness in pre-trained models without extensive retraining, applicable to diverse architectures and smoothing methods.
Findings
CAF improves certified accuracy on CIFAR-10 and ImageNet.
CAF is effective with different feature extractors and smoothing algorithms.
Ensemble adapters defend against multiple noise scales.
Abstract
Randomized smoothing has become a leading method for achieving certified robustness in deep classifiers against l_{p}-norm adversarial perturbations. Current approaches for achieving certified robustness, such as data augmentation with Gaussian noise and adversarial training, require expensive training procedures that tune large models for different Gaussian noise levels and thus cannot leverage high-performance pre-trained neural networks. In this work, we introduce a novel certifying adapters framework (CAF) that enables and enhances the certification of classifier adversarial robustness. Our approach makes few assumptions about the underlying training algorithm or feature extractor and is thus broadly applicable to different feature extractor architectures (e.g., convolutional neural networks or vision transformers) and smoothing algorithms. We show that CAF (a) enables certification…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Anomaly Detection Techniques and Applications
Methods: Adapter · Randomized Smoothing
