Integrating uncertainty quantification into randomized smoothing based robustness guarantees

TL;DR

This paper combines randomized smoothing with uncertainty-based rejection to provide enhanced robustness guarantees for neural networks, allowing for better detection of adversarial attacks and out-of-distribution inputs.

Contribution

It introduces a novel framework integrating uncertainty quantification into certified robustness, deriving new guarantees and improving robustness metrics.

Findings

Up to 20.93% larger robustness radius on CIFAR10 with uncertainty rejection.

Enhanced robustness guarantees for uncertainty-aware classifiers.

Improved out-of-distribution detection using uncertainty measures.

Abstract

Deep neural networks have proven to be extremely powerful, however, they are also vulnerable to adversarial attacks which can cause hazardous incorrect predictions in safety-critical applications. Certified robustness via randomized smoothing gives a probabilistic guarantee that the smoothed classifier's predictions will not change within an $\ell_2$-ball around a given input. On the other hand (uncertainty) score-based rejection is a technique often applied in practice to defend models against adversarial attacks. In this work, we fuse these two approaches by integrating a classifier that abstains from predicting when uncertainty is high into the certified robustness framework. This allows us to derive two novel robustness guarantees for uncertainty aware classifiers, namely (i) the radius of an $\ell_2$-ball around the input in which the same label is predicted and uncertainty remains low and (ii) the $\ell_2$-radius of a ball in which the predictions will either not change or be uncertain. While the former provides robustness guarantees with respect to attacks aiming at increased uncertainty, the latter informs about the amount of input perturbation necessary to lead the uncertainty aware model into a wrong prediction. Notably, this is on CIFAR10 up to 20.93% larger than for models not allowing for uncertainty based rejection. We demonstrate, that the novel framework allows for a systematic robustness evaluation of different network architectures and uncertainty measures and to identify desired properties of uncertainty quantification techniques. Moreover, we show that leveraging uncertainty in a smoothed classifier helps out-of-distribution detection.