We show how to turn any classifier that classifies well under Gaussian noise into a new classifier that is certifiably robust to adversarial perturbations under the L2 norm. While this "randomized smoothing" technique has been proposed before in the literature, we are the first to provide a tight analysis, which establishes a close connection between L2 robustness and Gaussian noise. We use the technique to train an ImageNet classifier with e.g. a certified top-1 accuracy of 49% under adversarial perturbations with L2 norm less than 0.5 (=127/255). Smoothing is the only approach to certifiably robust classification which has been shown feasible on full-resolution ImageNet. On smaller-scale datasets where competing approaches to certified L2 robustness are viable, smoothing delivers higher certified accuracies. The empirical success of the approach suggests that provable methods based on randomization at prediction time are a promising direction for future research into adversarially robust classification.
Author Information
Jeremy Cohen (Carnegie Mellon University)
Elan Rosenfeld (Carnegie Mellon University)
Zico Kolter (Carnegie Mellon University / Bosch Center for AI)
Related Events (a corresponding poster, oral, or spotlight)
-
2019 Oral: Certified Adversarial Robustness via Randomized Smoothing »
Wed Jun 12th 11:30 -- 11:35 AM Room Grand Ballroom
More from the Same Authors
-
2019 Poster: Wasserstein Adversarial Examples via Projected Sinkhorn Iterations »
Eric Wong · Frank Schmidt · Zico Kolter -
2019 Oral: Wasserstein Adversarial Examples via Projected Sinkhorn Iterations »
Eric Wong · Frank Schmidt · Zico Kolter -
2019 Poster: SATNet: Bridging deep learning and logical reasoning using a differentiable satisfiability solver »
Po-Wei Wang · Priya Donti · Bryan Wilder · Zico Kolter -
2019 Poster: Adversarial camera stickers: A physical camera-based attack on deep learning systems »
Juncheng Li · Frank Schmidt · Zico Kolter -
2019 Oral: SATNet: Bridging deep learning and logical reasoning using a differentiable satisfiability solver »
Po-Wei Wang · Priya Donti · Bryan Wilder · Zico Kolter -
2019 Oral: Adversarial camera stickers: A physical camera-based attack on deep learning systems »
Juncheng Li · Frank Schmidt · Zico Kolter -
2018 Poster: Provable Defenses against Adversarial Examples via the Convex Outer Adversarial Polytope »
Eric Wong · Zico Kolter -
2018 Oral: Provable Defenses against Adversarial Examples via the Convex Outer Adversarial Polytope »
Eric Wong · Zico Kolter -
2017 Poster: Input Convex Neural Networks »
Brandon Amos · Lei Xu · Zico Kolter -
2017 Poster: OptNet: Differentiable Optimization as a Layer in Neural Networks »
Brandon Amos · Zico Kolter -
2017 Poster: A Semismooth Newton Method for Fast, Generic Convex Programming »
Alnur Ali · Eric Wong · Zico Kolter -
2017 Talk: OptNet: Differentiable Optimization as a Layer in Neural Networks »
Brandon Amos · Zico Kolter -
2017 Talk: Input Convex Neural Networks »
Brandon Amos · Lei Xu · Zico Kolter -
2017 Talk: A Semismooth Newton Method for Fast, Generic Convex Programming »
Alnur Ali · Eric Wong · Zico Kolter
