Projected Randomized Smoothing for Certified Adversarial Robustness
Authors: Samuel Pfrommer, Brendon G. Anderson, Somayeh Sojoudi
TMLR 2023
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | We show experimentally on CIFAR-10 and SVHN that classifiers without the initial projection are vulnerable to perturbations that are normal to the data manifold and yet are captured by the certified regions of our method. We compare the volume of our certified regions against various baselines and show that our method improves on the state-of-the-art by many orders of magnitude. |
| Researcher Affiliation | Academia | Samuel Pfrommer (EMAIL), Department of Electrical Engineering and Computer Sciences, University of California, Berkeley; Brendon G. Anderson (EMAIL), Department of Mechanical Engineering, University of California, Berkeley; Somayeh Sojoudi (EMAIL), Department of Electrical Engineering and Computer Sciences and Department of Mechanical Engineering, University of California, Berkeley |
| Pseudocode | Yes | Algorithm 1 (Prediction and certification) wraps the Predict and Certify routines of Cohen et al. (2019) with a projection step. ProjectPredict(fθ, U, σ, x, n, α) defines the projection P and returns Predict(fθ ∘ P, σ, P(x), n, α). ProjectCertify(fθ, U, σ, x, n0, n, α) runs Certify(fθ ∘ P, σ, P(x), n0, n, α) to obtain a class ĉA and radius R (returning ABSTAIN if Certify abstains), computes an orthonormal basis v1, ..., v_{d−p} for the null space of U with (d, p) = shape(U), solves an optimization for a threshold t, shrinks R accordingly, and returns the prediction ĉA together with a certified volume lower bound V. |
| Open Source Code | Yes | Source code for reproducing our results is available on GitHub. |
| Open Datasets | Yes | Experiments on CIFAR-10 (Krizhevsky et al., 2009) and SVHN (Netzer et al., 2011) show that our method yields certified regions with order-of-magnitude larger volumes than prior smoothing schemes. |
| Dataset Splits | No | The paper mentions evaluating over "500 test images" and using "500 random test samples" but does not specify the complete training, validation, and test splits for the CIFAR-10 and SVHN datasets to reproduce the data partitioning. |
| Hardware Specification | Yes | All experiments were run on an Ubuntu 20.04 virtual machine with 6 vCPUs, 56 GiB RAM, and a Tesla K80 GPU. |
| Software Dependencies | No | The paper mentions using the "torchattacks library" but does not provide specific version numbers for it or any other key software components like PyTorch or Python. |
| Experiment Setup | Yes | We instantiate g as the WideResNet considered in Yang et al. (2020) with the default hyperparameters and σ = 0.15 Gaussian noise augmentation during training. For networks composed with an initial projection, we finetune the network with a learning rate of 0.001, momentum of 0.9, and weight decay of 0.0005 for 20 epochs, decaying the learning rate by a multiplicative factor of 0.95 per epoch. For the PGD attack, we use the torchattacks library (Kim, 2020) with 40 steps and step size α = 2/255. We lowered this to 5 steps with α = ϵ/4 for Subspace PGD due to the solve time of the projection step. All experiments in the hyperparameter sweeps were performed with the smoothing hyperparameters of n0 = 100 samples to guess the smoothed class, n = 10^4 samples to lower-bound the smoothed class probability, and a confidence of α = 0.001. |
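The prediction-and-certification algorithm quoted in the Pseudocode row can be sketched in plain Python. This is a hedged reconstruction, not the authors' code: the function name `project_certify` and the classifier interface are illustrative assumptions, the paper's Clopper-Pearson confidence interval is replaced by a simpler Hoeffding lower bound, and the certified-volume computation over the null space of U is omitted.

```python
import numpy as np
from statistics import NormalDist

def project_certify(f, U, sigma, x, n0, n, alpha, rng=None):
    """Sketch of ProjectCertify: smooth the classifier in the projected
    subspace z = U^T x and certify an l2 radius there.

    f:  classifier on the p-dimensional subspace, returns an int label
    U:  (d, p) matrix with orthonormal columns spanning the subspace
    Returns (label, radius), or (None, 0.0) to signal ABSTAIN.
    """
    rng = np.random.default_rng() if rng is None else rng
    p = U.shape[1]
    z = U.T @ x  # project the input onto the low-dimensional subspace

    def sample_counts(m):
        # Monte Carlo estimate of the smoothed classifier's class counts
        counts = {}
        for _ in range(m):
            label = f(z + sigma * rng.standard_normal(p))
            counts[label] = counts.get(label, 0) + 1
        return counts

    # guess the top class with n0 samples
    guess = max(sample_counts(n0).items(), key=lambda kv: kv[1])[0]

    # lower-bound its probability with n samples (Hoeffding bound here,
    # simpler than the Clopper-Pearson interval used in the paper)
    hits = sample_counts(n).get(guess, 0)
    p_lower = hits / n - np.sqrt(np.log(1 / alpha) / (2 * n))
    if p_lower <= 0.5:
        return None, 0.0  # ABSTAIN

    # Cohen et al. (2019) certified l2 radius in the projected space
    radius = sigma * NormalDist().inv_cdf(p_lower)
    return guess, radius
```

In the paper's method this in-subspace radius is then shrunk and combined with a bound over the null-space directions to yield the certified volume; that step is not reproduced here.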
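The PGD hyperparameters in the Experiment Setup row (40 steps, step size α = 2/255) can be illustrated with a minimal l∞ PGD loop. The paper uses the torchattacks library; this NumPy version is only a sketch of the attack loop, and the `grad_fn` interface is an assumption standing in for autograd.

```python
import numpy as np

def pgd_attack(grad_fn, x, eps, alpha=2 / 255, steps=40, rng=None):
    """Minimal l-infinity PGD sketch with the setup's hyperparameters.

    grad_fn: returns the gradient of the attack loss w.r.t. the input
    x:       clean input with pixel values in [0, 1]
    eps:     l-infinity perturbation budget
    """
    rng = np.random.default_rng() if rng is None else rng
    x_adv = x + rng.uniform(-eps, eps, size=x.shape)  # random start
    for _ in range(steps):
        x_adv = x_adv + alpha * np.sign(grad_fn(x_adv))  # gradient ascent step
        x_adv = x + np.clip(x_adv - x, -eps, eps)        # project onto l-inf ball
        x_adv = np.clip(x_adv, 0.0, 1.0)                 # keep a valid image
    return x_adv
```

The Subspace PGD variant in the paper additionally projects each iterate back onto the data manifold, which is why the authors reduce it to 5 steps with α = ϵ/4.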