Adaptive Diffusion Denoised Smoothing : Certified Robustness via Randomized Smoothing with Differentially Private Guided Denoising Diffusion

TL;DR

This paper introduces Adaptive Diffusion Denoised Smoothing, a novel certification method for vision models against adversarial attacks, leveraging guided denoising diffusion as a sequence of adaptive Gaussian Differentially Private mechanisms to improve robustness and accuracy.

Contribution

It reinterprets guided denoising diffusion as adaptive GDP mechanisms and develops a compositional analysis for certifying model robustness, enhancing certified and standard accuracy.

Findings

Improved certified accuracy on ImageNet under $ ext{l}_2$ threat model.

Enhanced standard accuracy with adaptive denoising strategy.

Provable robustness guarantees through GDP-based composition analysis.

Abstract

We propose Adaptive Diffusion Denoised Smoothing, a method for certifying the predictions of a vision model against adversarial examples, while adapting to the input. Our key insight is to reinterpret a guided denoising diffusion model as a long sequence of adaptive Gaussian Differentially Private (GDP) mechanisms refining a pure noise sample into an image. We show that these adaptive mechanisms can be composed through a GDP privacy filter to analyze the end-to-end robustness of the guided denoising process, yielding a provable certification that extends the adaptive randomized smoothing analysis. We demonstrate that our design, under a specific guiding strategy, can improve both certified accuracy and standard accuracy on ImageNet for an $\ell_2$ threat model.