REaaS: Enabling Adversarially Robust Downstream Classifiers via Robust Encoder as a Service

Qu, Wenjie, Jia, Jinyuan, Gong, Neil Zhenqiang

arXiv.org Artificial Intelligence 

Abstract--Encoder as a service is an emerging cloud service.

In an encoder as a service, a service provider (e.g., OpenAI, Google, and Amazon) pre-trains a general-purpose feature extractor (called encoder) and deploys it as a cloud service; and a client queries the cloud service APIs for the feature vectors of its training/testing inputs when training/testing a downstream classifier. For instance, the encoder could be pretrained using supervised learning on a large amount of labeled data or self-supervised learning [1], [2] on a large amount of unlabeled data. A client could be a smartphone, IoT device, self-driving car, or edge device in the era of edge computing. In the Standard Encoder as a Service (SEaaS), the service provides a single API (called Feature-API) for clients ...

A larger certified radius indicates better certified robustness against adversarial examples. In general, there are two categories of complementary methods to build a certifiably robust classifier and derive its certified radius for a testing input, i.e., base classifier (BC) based certification [7], [8], [9], [10] and smoothed classifier (SC) based certification (also known as randomized smoothing) [11], [12], [13]. BC based certification aims to directly derive the certified radius of a given classifier (called base classifier) for a testing input. BC based certification requires white-box access to the base classifier as it often requires propagating the perturbation from the input layer to the output layer of the base classifier layer by layer. SC based ... the smoothed classifier for the testing input. To increase the testing inputs' certified radii, SC based certification often requires ...

... certification. However, the client does not have white-box access to the encoder deployed on the cloud server, making ... The second challenge is that, although a client can use SC based certification by treating the composition of the encoder and its downstream classifier as a base classifier, it incurs a large communication cost for the client and a large computation cost for the cloud ... Therefore, the client requires e queries to the Feature-API per training input, where e is the number of epochs used to train the downstream ...

Our input-space certified radius R guarantees the client's base or smoothed downstream classifier predicts the same label for the testing input if the l perturbation added to the testing input is less than R.

The key challenge of implementing our F2IPerturb-API is how to find the largest input-space certified radius R for a given testing input and its feature-space certified radius R ... problem is challenging to solve due to the highly non-linear constraint.

Wenjie Qu performed this research when he was an intern in Gong's group.
