Certification of Semantic Perturbations via Randomized Smoothing

Fischer, Marc, Baader, Maximilian, Vechev, Martin

arXiv.org Machine Learning 

Deep neural networks are vulnerable to adversarial examples (Szegedy et al., 2014) - semantically preserving changes such as l_p-noise, geometrical perturbations (e.g., rotations and translation) (Engstrom et al., 2017), and Wasserstein perturbations (Wong et al., 2019) which can affect the output of the network in undesirable ways. This is especially problematic when these models are used in safety-critical tasks such as medical diagnosis (Amato et al., 2013) or autonomous driving (Bojarski et al., 2016). As a result, recent work (e.g., Gehr et al. (2018); Weng et al. (2018)) started investigating robustness certification methods which guarantee the absence of adversarial examples. However, even with training methods tailored to produce networks amenable to l -certification (Wong & Kolter, 2018; Mirman et al., 2018), current verification techniques still cannot scale to realistic models and datasets. Recently, a promising approach called randomized smoothing was proposed by Cohen et al. (2019) - it works by constructing a probabilistic classifier with probabilistic certificates and produces state-of-the-art results for l_2-norm bounded noise on ImageNet.
