Adaptive Randomized Smoothing: Certified Adversarial Robustness for Multi-Step Defences
Saiyue Lyu, Shadab Shaikh, Frederick Shpilevskiy, Evan Shelhamer, Mathias Lécuyer

TL;DR
Adaptive Randomized Smoothing (ARS) introduces a novel certification method for adversarial robustness in deep models, leveraging adaptive composition and $f$-Differential Privacy to improve certified accuracy against bounded $L_\infty$ adversaries.
Contribution
ARS extends randomized smoothing with adaptive composition analysis, enabling certification of complex, high-dimensional, adaptive models against adversarial attacks.
Findings
ARS improves certified accuracy on CIFAR-10 and CelebA by 1 to 15 percentage points.
On ImageNet, ARS outperforms standard randomized smoothing by up to 1.6 percentage points.
ARS provides a flexible framework for adaptive defenses in high-dimensional settings.
Abstract
We propose Adaptive Randomized Smoothing (ARS) to certify the predictions of our test-time adaptive models against adversarial examples. ARS extends the analysis of randomized smoothing using $f$-Differential Privacy to certify the adaptive composition of multiple steps. For the first time, our theory covers the sound adaptive composition of general and high-dimensional functions of noisy inputs. We instantiate ARS on deep image classification to certify predictions against adversarial examples of bounded $L_\infty$ norm. In the $L_\infty$ threat model, ARS enables flexible adaptation through high-dimensional input-dependent masking. We design adaptivity benchmarks, based on CIFAR-10 and CelebA, and show that ARS improves standard test accuracy by 1 to 15 percentage points. On ImageNet, ARS improves certified test accuracy by up to 1.6 percentage points over standard RS without adaptivity. Our…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Advanced Malware Detection Techniques · Security and Verification in Computing
Methods: Randomized Smoothing
