SmoothMix: Training Confidence-calibrated Smoothed Classifiers for Certified Robustness

Jongheon Jeong; Sejun Park; Minkyu Kim; Heung Chang Lee; Doguk Kim; Jinwoo Shin

SmoothMix: Training Confidence-calibrated Smoothed Classifiers for Certified Robustness

Jongheon Jeong
, Sejun Park
, Minkyu Kim
, Heung Chang Lee
, Doguk Kim
, Jinwoo Shin

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Randomized smoothing is currently a state-of-the-art method to construct a certifiably robust classifier from neural networks against ℓ₂-adversarial perturbations. Under the paradigm, the robustness of a classifier is aligned with the prediction confidence, i.e., the higher confidence from a smoothed classifier implies the better robustness. This motivates us to rethink the fundamental trade-off between accuracy and robustness in terms of calibrating confidences of a smoothed classifier. In this paper, we propose a simple training scheme, coined SmoothMix, to control the robustness of smoothed classifiers via self-mixup: it trains on convex combinations of samples along the direction of adversarial perturbation for each input. The proposed procedure effectively identifies over-confident, near off-class samples as a cause of limited robustness in case of smoothed classifiers, and offers an intuitive way to adaptively set a new decision boundary between these samples for better robustness. Our experimental results demonstrate that the proposed method can significantly improve the certified ℓ₂-robustness of smoothed classifiers compared to existing state-of-the-art robust training methods.³

Original language	English
Title of host publication	Advances in Neural Information Processing Systems 34 - 35th Conference on Neural Information Processing Systems, NeurIPS 2021
Editors	Marc'Aurelio Ranzato, Alina Beygelzimer, Yann Dauphin, Percy S. Liang, Jenn Wortman Vaughan
Publisher	Neural information processing systems foundation
Pages	30153-30168
Number of pages	16
ISBN (Electronic)	9781713845393
Publication status	Published - 2021
Externally published	Yes
Event	35th Conference on Neural Information Processing Systems, NeurIPS 2021 - Virtual, Online Duration: 2021 Dec 6 → 2021 Dec 14

Publication series

Name	Advances in Neural Information Processing Systems
Volume	36
ISSN (Print)	1049-5258

Conference

Conference	35th Conference on Neural Information Processing Systems, NeurIPS 2021
City	Virtual, Online
Period	21/12/6 → 21/12/14

Bibliographical note

Publisher Copyright:
© 2021 Neural information processing systems foundation. All rights reserved.

ASJC Scopus subject areas

Computer Networks and Communications
Information Systems
Signal Processing

Cite this

Jeong, J., Park, S., Kim, M., Lee, H. C., Kim, D., & Shin, J. (2021). SmoothMix: Training Confidence-calibrated Smoothed Classifiers for Certified Robustness. In MA. Ranzato, A. Beygelzimer, Y. Dauphin, P. S. Liang, & J. Wortman Vaughan (Eds.), Advances in Neural Information Processing Systems 34 - 35th Conference on Neural Information Processing Systems, NeurIPS 2021 (pp. 30153-30168). (Advances in Neural Information Processing Systems; Vol. 36). Neural information processing systems foundation.

SmoothMix: Training Confidence-calibrated Smoothed Classifiers for Certified Robustness. / Jeong, Jongheon; Park, Sejun; Kim, Minkyu et al.
Advances in Neural Information Processing Systems 34 - 35th Conference on Neural Information Processing Systems, NeurIPS 2021. ed. / Marc'Aurelio Ranzato; Alina Beygelzimer; Yann Dauphin; Percy S. Liang; Jenn Wortman Vaughan. Neural information processing systems foundation, 2021. p. 30153-30168 (Advances in Neural Information Processing Systems; Vol. 36).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Jeong, J, Park, S, Kim, M, Lee, HC, Kim, D & Shin, J 2021, SmoothMix: Training Confidence-calibrated Smoothed Classifiers for Certified Robustness. in MA Ranzato, A Beygelzimer, Y Dauphin, PS Liang & J Wortman Vaughan (eds), Advances in Neural Information Processing Systems 34 - 35th Conference on Neural Information Processing Systems, NeurIPS 2021. Advances in Neural Information Processing Systems, vol. 36, Neural information processing systems foundation, pp. 30153-30168, 35th Conference on Neural Information Processing Systems, NeurIPS 2021, Virtual, Online, 21/12/6.

Jeong J, Park S, Kim M, Lee HC, Kim D, Shin J. SmoothMix: Training Confidence-calibrated Smoothed Classifiers for Certified Robustness. In Ranzato MA, Beygelzimer A, Dauphin Y, Liang PS, Wortman Vaughan J, editors, Advances in Neural Information Processing Systems 34 - 35th Conference on Neural Information Processing Systems, NeurIPS 2021. Neural information processing systems foundation. 2021. p. 30153-30168. (Advances in Neural Information Processing Systems).

Jeong, Jongheon ; Park, Sejun ; Kim, Minkyu et al. / SmoothMix : Training Confidence-calibrated Smoothed Classifiers for Certified Robustness. Advances in Neural Information Processing Systems 34 - 35th Conference on Neural Information Processing Systems, NeurIPS 2021. editor / Marc'Aurelio Ranzato ; Alina Beygelzimer ; Yann Dauphin ; Percy S. Liang ; Jenn Wortman Vaughan. Neural information processing systems foundation, 2021. pp. 30153-30168 (Advances in Neural Information Processing Systems).

@inproceedings{cc30ada93b7448f7a1bdf139973dfda8,

title = "SmoothMix: Training Confidence-calibrated Smoothed Classifiers for Certified Robustness",

abstract = "Randomized smoothing is currently a state-of-the-art method to construct a certifiably robust classifier from neural networks against ℓ2-adversarial perturbations. Under the paradigm, the robustness of a classifier is aligned with the prediction confidence, i.e., the higher confidence from a smoothed classifier implies the better robustness. This motivates us to rethink the fundamental trade-off between accuracy and robustness in terms of calibrating confidences of a smoothed classifier. In this paper, we propose a simple training scheme, coined SmoothMix, to control the robustness of smoothed classifiers via self-mixup: it trains on convex combinations of samples along the direction of adversarial perturbation for each input. The proposed procedure effectively identifies over-confident, near off-class samples as a cause of limited robustness in case of smoothed classifiers, and offers an intuitive way to adaptively set a new decision boundary between these samples for better robustness. Our experimental results demonstrate that the proposed method can significantly improve the certified ℓ2-robustness of smoothed classifiers compared to existing state-of-the-art robust training methods.3",

author = "Jongheon Jeong and Sejun Park and Minkyu Kim and Lee, \{Heung Chang\} and Doguk Kim and Jinwoo Shin",

note = "Publisher Copyright: {\textcopyright} 2021 Neural information processing systems foundation. All rights reserved.; 35th Conference on Neural Information Processing Systems, NeurIPS 2021 ; Conference date: 06-12-2021 Through 14-12-2021",

year = "2021",

language = "English",

series = "Advances in Neural Information Processing Systems",

publisher = "Neural information processing systems foundation",

pages = "30153--30168",

editor = "Marc'Aurelio Ranzato and Alina Beygelzimer and Yann Dauphin and Liang, \{Percy S.\} and \{Wortman Vaughan\}, Jenn",

booktitle = "Advances in Neural Information Processing Systems 34 - 35th Conference on Neural Information Processing Systems, NeurIPS 2021",

}

TY - GEN

T1 - SmoothMix

T2 - 35th Conference on Neural Information Processing Systems, NeurIPS 2021

AU - Jeong, Jongheon

AU - Park, Sejun

AU - Kim, Minkyu

AU - Lee, Heung Chang

AU - Kim, Doguk

AU - Shin, Jinwoo

PY - 2021

Y1 - 2021

N2 - Randomized smoothing is currently a state-of-the-art method to construct a certifiably robust classifier from neural networks against ℓ2-adversarial perturbations. Under the paradigm, the robustness of a classifier is aligned with the prediction confidence, i.e., the higher confidence from a smoothed classifier implies the better robustness. This motivates us to rethink the fundamental trade-off between accuracy and robustness in terms of calibrating confidences of a smoothed classifier. In this paper, we propose a simple training scheme, coined SmoothMix, to control the robustness of smoothed classifiers via self-mixup: it trains on convex combinations of samples along the direction of adversarial perturbation for each input. The proposed procedure effectively identifies over-confident, near off-class samples as a cause of limited robustness in case of smoothed classifiers, and offers an intuitive way to adaptively set a new decision boundary between these samples for better robustness. Our experimental results demonstrate that the proposed method can significantly improve the certified ℓ2-robustness of smoothed classifiers compared to existing state-of-the-art robust training methods.3

AB - Randomized smoothing is currently a state-of-the-art method to construct a certifiably robust classifier from neural networks against ℓ2-adversarial perturbations. Under the paradigm, the robustness of a classifier is aligned with the prediction confidence, i.e., the higher confidence from a smoothed classifier implies the better robustness. This motivates us to rethink the fundamental trade-off between accuracy and robustness in terms of calibrating confidences of a smoothed classifier. In this paper, we propose a simple training scheme, coined SmoothMix, to control the robustness of smoothed classifiers via self-mixup: it trains on convex combinations of samples along the direction of adversarial perturbation for each input. The proposed procedure effectively identifies over-confident, near off-class samples as a cause of limited robustness in case of smoothed classifiers, and offers an intuitive way to adaptively set a new decision boundary between these samples for better robustness. Our experimental results demonstrate that the proposed method can significantly improve the certified ℓ2-robustness of smoothed classifiers compared to existing state-of-the-art robust training methods.3

UR - https://www.scopus.com/pages/publications/85126570385

M3 - Conference contribution

AN - SCOPUS:85126570385

T3 - Advances in Neural Information Processing Systems

SP - 30153

EP - 30168

BT - Advances in Neural Information Processing Systems 34 - 35th Conference on Neural Information Processing Systems, NeurIPS 2021

A2 - Ranzato, Marc'Aurelio

A2 - Beygelzimer, Alina

A2 - Dauphin, Yann

A2 - Liang, Percy S.

A2 - Wortman Vaughan, Jenn

PB - Neural information processing systems foundation

Y2 - 6 December 2021 through 14 December 2021

ER -

SmoothMix: Training Confidence-calibrated Smoothed Classifiers for Certified Robustness

Abstract

Publication series

Conference

Bibliographical note

ASJC Scopus subject areas

Other files and links

Fingerprint

Cite this