Treatment of Statistical Estimation Problems in Randomized Smoothing for Adversarial Robustness

TL;DR

This paper investigates the statistical estimation challenges in randomized smoothing for adversarial robustness, proposing efficient procedures with optimal sample complexity and stronger certificates to reduce computational costs.

Contribution

It introduces confidence sequence-based estimation methods with optimal sample complexity and a randomized Clopper-Pearson interval for improved robustness certification.

Findings

Confidence sequences achieve the same guarantees with fewer samples.

Proposed methods demonstrate empirical efficiency and accuracy.

Stronger certificates are obtained through randomized intervals.

Abstract

Randomized smoothing is a popular certified defense against adversarial attacks. In its essence, we need to solve a problem of statistical estimation which is usually very time-consuming since we need to perform numerous (usually $10^5$) forward passes of the classifier for every point to be certified. In this paper, we review the statistical estimation problems for randomized smoothing to find out if the computational burden is necessary. In particular, we consider the (standard) task of adversarial robustness where we need to decide if a point is robust at a certain radius or not using as few samples as possible while maintaining statistical guarantees. We present estimation procedures employing confidence sequences enjoying the same statistical guarantees as the standard methods, with the optimal sample complexities for the estimation task and empirically demonstrate their good performance. Additionally, we provide a randomized version of Clopper-Pearson confidence intervals resulting in strictly stronger certificates.