Does a Hybrid Space-Aware Randomized Defense Improve Empirical and Certified Adversarial Robustness?
Abstract
We introduce Hybrid Space-aware Stochastic Convolution Attention Noise (HySCAN), a hybrid randomized defense that helps close the long-standing gap between provable robustness under ℓ2 certificates and empirical robustness against strong ℓ∞ attacks, while maintaining strong generalization across diverse imaging benchmarks. HySCAN jointly explores complementary sources of stochasticity at both training and inference: (i) implicit weight-space randomness via stochastic-aware Random Weights, and (ii) explicit feature-space randomness via Stochastic Attention Noise Injection modules. By incorporating randomness at both the parameter and representation levels, HySCAN enables meaningful certified guarantees while improving empirical robustness in practice. Comprehensive experiments on diverse imaging datasets, e.g., CelebA, CIFAR-10, CIFAR-100, ImageNet-1k, HAM10000, and NIH Chest X-ray, demonstrate that HySCAN outperforms existing certified and empirical defenses, improving certified robustness by up to ≈ 9.6% and empirical robustness by up to ≈ 5% without reducing clean accuracy.