Confidence-Aware Training of Smoothed Classifiers for Certified Robustness

Jongheon Jeong; Seojin Kim; Jinwoo Shin

doi:10.1609/aaai.v37i7.25968

Confidence-Aware Training of Smoothed Classifiers for Certified Robustness

Jongheon Jeong
, Seojin Kim
, Jinwoo Shin

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

6 Citations (Scopus)

Abstract

Any classifier can be “smoothed out” under Gaussian noise to build a new classifier that is provably robust to `2-adversarial perturbations, viz., by averaging its predictions over the noise via randomized smoothing. Under the smoothed classifiers, the fundamental trade-off between accuracy and (adversarial) robustness has been well evidenced in the literature: i.e., increasing the robustness of a classifier for an input can be at the expense of decreased accuracy for some other inputs. In this paper, we propose a simple training method leveraging this trade-off to obtain robust smoothed classifiers, in particular, through a sample-wise control of robustness over the training samples. We make this control feasible by using “accuracy under Gaussian noise” as an easy-to-compute proxy of adversarial robustness for an input. Specifically, we differentiate the training objective depending on this proxy to filter out samples that are unlikely to benefit from the worst-case (adversarial) objective. Our experiments show that the proposed method, despite its simplicity, consistently exhibits improved certified robustness upon state-of-the-art training methods. Somewhat surprisingly, we find these improvements persist even for other notions of robustness, e.g., to various types of common corruptions. Code is available at https://github.com/alinlab/smoothing-catrs.

Original language	English
Title of host publication	AAAI-23 Technical Tracks 7
Editors	Brian Williams, Yiling Chen, Jennifer Neville
Publisher	AAAI press
Pages	8005-8013
Number of pages	9
ISBN (Electronic)	9781577358800
DOIs	https://doi.org/10.1609/aaai.v37i7.25968
Publication status	Published - 2023 Jun 27
Externally published	Yes
Event	37th AAAI Conference on Artificial Intelligence, AAAI 2023 - Washington, United States Duration: 2023 Feb 7 → 2023 Feb 14

Publication series

Name	Proceedings of the 37th AAAI Conference on Artificial Intelligence, AAAI 2023
Volume	37

Conference

Conference	37th AAAI Conference on Artificial Intelligence, AAAI 2023
Country/Territory	United States
City	Washington
Period	23/2/7 → 23/2/14

Bibliographical note

Publisher Copyright:
Copyright © 2023, Association for the Advancement of Artificial Intelligence (www.aaai.org). All rights reserved.

ASJC Scopus subject areas

Artificial Intelligence

Access to Document

10.1609/aaai.v37i7.25968

Cite this

Confidence-Aware Training of Smoothed Classifiers for Certified Robustness. / Jeong, Jongheon; Kim, Seojin; Shin, Jinwoo.
AAAI-23 Technical Tracks 7. ed. / Brian Williams; Yiling Chen; Jennifer Neville. AAAI press, 2023. p. 8005-8013 (Proceedings of the 37th AAAI Conference on Artificial Intelligence, AAAI 2023; Vol. 37).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Jeong, J, Kim, S & Shin, J 2023, Confidence-Aware Training of Smoothed Classifiers for Certified Robustness. in B Williams, Y Chen & J Neville (eds), AAAI-23 Technical Tracks 7. Proceedings of the 37th AAAI Conference on Artificial Intelligence, AAAI 2023, vol. 37, AAAI press, pp. 8005-8013, 37th AAAI Conference on Artificial Intelligence, AAAI 2023, Washington, United States, 23/2/7. https://doi.org/10.1609/aaai.v37i7.25968

@inproceedings{0b9daf62e2f2497ca7271cb28dd6107f,

title = "Confidence-Aware Training of Smoothed Classifiers for Certified Robustness",

abstract = "Any classifier can be “smoothed out” under Gaussian noise to build a new classifier that is provably robust to `2-adversarial perturbations, viz., by averaging its predictions over the noise via randomized smoothing. Under the smoothed classifiers, the fundamental trade-off between accuracy and (adversarial) robustness has been well evidenced in the literature: i.e., increasing the robustness of a classifier for an input can be at the expense of decreased accuracy for some other inputs. In this paper, we propose a simple training method leveraging this trade-off to obtain robust smoothed classifiers, in particular, through a sample-wise control of robustness over the training samples. We make this control feasible by using “accuracy under Gaussian noise” as an easy-to-compute proxy of adversarial robustness for an input. Specifically, we differentiate the training objective depending on this proxy to filter out samples that are unlikely to benefit from the worst-case (adversarial) objective. Our experiments show that the proposed method, despite its simplicity, consistently exhibits improved certified robustness upon state-of-the-art training methods. Somewhat surprisingly, we find these improvements persist even for other notions of robustness, e.g., to various types of common corruptions. Code is available at https://github.com/alinlab/smoothing-catrs.",

author = "Jongheon Jeong and Seojin Kim and Jinwoo Shin",

note = "Publisher Copyright: Copyright {\textcopyright} 2023, Association for the Advancement of Artificial Intelligence (www.aaai.org). All rights reserved.; 37th AAAI Conference on Artificial Intelligence, AAAI 2023 ; Conference date: 07-02-2023 Through 14-02-2023",

year = "2023",

month = jun,

day = "27",

doi = "10.1609/aaai.v37i7.25968",

language = "English",

series = "Proceedings of the 37th AAAI Conference on Artificial Intelligence, AAAI 2023",

publisher = "AAAI press",

pages = "8005--8013",

editor = "Brian Williams and Yiling Chen and Jennifer Neville",

booktitle = "AAAI-23 Technical Tracks 7",

}

TY - GEN

T1 - Confidence-Aware Training of Smoothed Classifiers for Certified Robustness

AU - Jeong, Jongheon

AU - Kim, Seojin

AU - Shin, Jinwoo

PY - 2023/6/27

Y1 - 2023/6/27

N2 - Any classifier can be “smoothed out” under Gaussian noise to build a new classifier that is provably robust to `2-adversarial perturbations, viz., by averaging its predictions over the noise via randomized smoothing. Under the smoothed classifiers, the fundamental trade-off between accuracy and (adversarial) robustness has been well evidenced in the literature: i.e., increasing the robustness of a classifier for an input can be at the expense of decreased accuracy for some other inputs. In this paper, we propose a simple training method leveraging this trade-off to obtain robust smoothed classifiers, in particular, through a sample-wise control of robustness over the training samples. We make this control feasible by using “accuracy under Gaussian noise” as an easy-to-compute proxy of adversarial robustness for an input. Specifically, we differentiate the training objective depending on this proxy to filter out samples that are unlikely to benefit from the worst-case (adversarial) objective. Our experiments show that the proposed method, despite its simplicity, consistently exhibits improved certified robustness upon state-of-the-art training methods. Somewhat surprisingly, we find these improvements persist even for other notions of robustness, e.g., to various types of common corruptions. Code is available at https://github.com/alinlab/smoothing-catrs.

AB - Any classifier can be “smoothed out” under Gaussian noise to build a new classifier that is provably robust to `2-adversarial perturbations, viz., by averaging its predictions over the noise via randomized smoothing. Under the smoothed classifiers, the fundamental trade-off between accuracy and (adversarial) robustness has been well evidenced in the literature: i.e., increasing the robustness of a classifier for an input can be at the expense of decreased accuracy for some other inputs. In this paper, we propose a simple training method leveraging this trade-off to obtain robust smoothed classifiers, in particular, through a sample-wise control of robustness over the training samples. We make this control feasible by using “accuracy under Gaussian noise” as an easy-to-compute proxy of adversarial robustness for an input. Specifically, we differentiate the training objective depending on this proxy to filter out samples that are unlikely to benefit from the worst-case (adversarial) objective. Our experiments show that the proposed method, despite its simplicity, consistently exhibits improved certified robustness upon state-of-the-art training methods. Somewhat surprisingly, we find these improvements persist even for other notions of robustness, e.g., to various types of common corruptions. Code is available at https://github.com/alinlab/smoothing-catrs.

UR - https://www.scopus.com/pages/publications/85168242425

U2 - 10.1609/aaai.v37i7.25968

DO - 10.1609/aaai.v37i7.25968

M3 - Conference contribution

AN - SCOPUS:85168242425

T3 - Proceedings of the 37th AAAI Conference on Artificial Intelligence, AAAI 2023

SP - 8005

EP - 8013

BT - AAAI-23 Technical Tracks 7

A2 - Williams, Brian

A2 - Chen, Yiling

A2 - Neville, Jennifer

PB - AAAI press

T2 - 37th AAAI Conference on Artificial Intelligence, AAAI 2023

Y2 - 7 February 2023 through 14 February 2023

ER -

Confidence-Aware Training of Smoothed Classifiers for Certified Robustness

Abstract

Publication series

Conference

Bibliographical note

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this