Certified Adversarial Robustness via Partition-based Randomized Smoothing

TL;DR

This paper introduces Pixel Partitioning-based Randomized Smoothing (PPRS), a novel method that enhances the robustness certificates of neural networks against adversarial noise by improving image visibility under Gaussian noise.

Contribution

The paper proposes PPRS, a new partition-based smoothing technique that significantly increases the certified robustness radius for neural networks on image datasets.

Findings

PPRS improves the certified accuracy of neural networks.

PPRS enhances image visibility under Gaussian noise.

Empirical results show increased robustness in standard datasets.

Abstract

A reliable application of deep neural network classifiers requires robustness certificates against adversarial perturbations. Gaussian smoothing is a widely analyzed approach to certifying robustness against norm-bounded perturbations, where the certified prediction radius depends on the variance of the Gaussian noise and the confidence level of the neural net's prediction under the additive Gaussian noise. However, in application to high-dimensional image datasets, the certified radius of the plain Gaussian smoothing could be relatively small, since Gaussian noise with high variances can significantly harm the visibility of an image. In this work, we propose the Pixel Partitioning-based Randomized Smoothing (PPRS) methodology to boost the neural net's confidence score and thus the robustness radius of the certified prediction. We demonstrate that the proposed PPRS algorithm improves the visibility of the images under additive Gaussian noise. We discuss the numerical results of applying PPRS to standard computer vision datasets and neural network architectures. Our empirical findings indicate a considerable improvement in the certified accuracy and stability of the prediction model to the additive Gaussian noise in randomized smoothing.