Smooth-Reduce:Leveraging Patches for Improved Certified Robustness

Ameya Joshi1, Minh Pham1, Minsu Cho1, Leonid Boystov2, Filipe Condessa2, J. Zico Kolter2, Chinmay Hegde1
1New York University, 2Bosch Center for AI (BCAI)
Paper arXiv Code
We show a 1.2x, 1.3x, 2.3x improvement in average certified radii for Smooth-Reduce over Smooth-Adv and 1.6x, 2.3x, 3.9x over MACER for sigma=0.25, 0.5, 1.0

Abstract

Randomized smoothing (RS) has been shown to be a fast, scalable technique for certifying the robustness of deep neural network classifiers. However, methods based on RS require augmenting data with large amounts of noise, which leads to significant drops in accuracy.

We propose a training-free, modified smoothing approach, Smooth-Reduce, that leverages patching and aggregation to provide improved classifier certificates. Our algorithm classifies overlapping patches extracted from an input image, and aggregates the predicted logits to certify a larger radius around the input. We study two aggregation schemes --- max and mean --- and show that both approaches provide better certificates in terms of certified accuracy, average certified radii and abstention rates as compared to concurrent approaches. We also provide theoretical guarantees for such certificates, and empirically show significant improvements over other randomized smoothing methods that require expensive retraining. Further, we extend our approach to videos and provide meaningful certificates for video classifiers.

Algorithm: Patchify a resized image, create N noisy copies and do randomized smoothing with an aggregation step (max or mean).
Smooth-Reduce modifies the RS certification in two ways. First, an input set is created to simulate an ensemble. In this case, we use patches sampled from the resized image. Following the CERTIFY subroutine from Cohen et al., noise is added to every element in the set. Next, the counts of predicted classes are aggregated to estimate \(\underline{p_A}\), the probability of the most probable class, \(c_A\). The final step uses aggregation with \(\underline{p_A}\) to derive a certificate that holds with high probability.}

Results

Improved certificates for CIFAR-10

CIFAR-10

Improved certificates for ImageNet

Imagenet results

Improved certificates for video classifiers on UCF-101

Video Results

BibTeX

@article{joshi2022smoothreduce,
      author    = {Joshi, Ameya and Pham, Minh and Cho, Minsu and Boystov, Leo and Condessa, Filipe and Kolter, J. Zico and Hegde, Chinmay},
      title     = {Smooth-Reduce: Leveraging Patches for Improved Certified Robustness},
      journal   = {arXiV preprint },
      year      = {2022},
    }