DRF: Improving Certified Robustness via Distributional Robustness Framework

Randomized smoothing (RS) has provided state-of-the-art (SOTA) certified robustness against adversarial perturbations for large neural networks. Among studies in this field, methods based on adversarial training (AT) achieve remarkably robust performance by applying adversarial examples to construct the smoothed classifier. These AT-based RS methods typically seek a pointwise adversary that generates the worst-case adversarial examples by perturbing each input independently. However, there are unexplored benefits to considering such adversarial robustness across the entire data distribution. To this end, we provide a novel framework called DRF, which connects AT-based RS methods with distributional robustness (DR), and show that these methods are special cases of their counterparts in our framework. Due to the advantages conferred by DR, our framework can control the trade-off between the clean accuracy and certified robustness of smoothed classifiers to a significant extent. Our experiments demonstrate that DRF can substantially improve the certified robustness of AT-based RS.

Authors

• Zekai Wang School of Computer Science, Wuhan University
• Zhengyu Zhou School of Computer Science, Wuhan University
• Weiwei Liu Wuhan University

Keywords

• APP: Security
• CV: Adversarial Attacks & Robustness
• ML: Adversarial Learning & Robustness