Recent works have shown the effectiveness of randomized smoothing as a scalable technique for building neural network-based classifiers that are provably robust to $\ell_2$-norm adversarial perturbations. In this paper, we employ adversarial training to improve the performance of randomized smoothing. We design an adapted attack for smoothed classifiers, and we show how this attack can be used in an adversarial training setting to boost the provable robustness of smoothed classifiers. We demonstrate through extensive experimentation that our method consistently outperforms all existing provably $\ell_2$-robust classifiers by a significant margin on ImageNet and CIFAR-10, establishing the state-of-the-art for provable $\ell_2$-defenses. Moreover, we find that pre-training and semi-supervised learning boost adversarially trained smoothed classifiers even further.

Overall, I believe the paper makes a meaningful empirical contribution to scalable training methods of robust classifiers. By finding adversarial examples for smoothed classifiers and modifying the training procedure, the authors significantly improve the accuracy of smoothed classifiers. Smoothed classifiers are of interest since they are scalable and come with a certificate of robustness. The paper is clearly written. However, the contribution seems incremental.

This work shows how to improve the previous state of the art for L2 robustness using smoothed classifiers (introduced by Cohen et al.) The empirical results are very strong in a very competitive area where many research groups are competing. The theoretical work, the presentation and the various technical details involved in using smoothness in PGD are all great contributions. This is an important paper in the space of adversarial ML.

Recent works have shown the effectiveness of randomized smoothing as a scalable technique for building neural network-based classifiers that are provably robust to \ell_2 -norm adversarial perturbations. In this paper, we employ adversarial training to improve the performance of randomized smoothing. We design an adapted attack for smoothed classifiers, and we show how this attack can be used in an adversarial training setting to boost the provable robustness of smoothed classifiers. We demonstrate through extensive experimentation that our method consistently outperforms all existing provably \ell_2 -robust classifiers by a significant margin on ImageNet and CIFAR-10, establishing the state-of-the-art for provable \ell_2 -defenses. Moreover, we find that pre-training and semi-supervised learning boost adversarially trained smoothed classifiers even further.

Recent works have shown the effectiveness of randomized smoothing as a scalable technique for building neural network-based classifiers that are provably robust to $\ell_2$-norm adversarial perturbations. In this paper, we employ adversarial training to improve the performance of randomized smoothing. We design an adapted attack for smoothed classifiers, and we show how this attack can be used in an adversarial training setting to boost the provable robustness of smoothed classifiers. We demonstrate through extensive experimentation that our method consistently outperforms all existing provably $\ell_2$-robust classifiers by a significant margin on ImageNet and CIFAR-10, establishing the state-of-the-art for provable $\ell_2$-defenses. Moreover, we find that pre-training and semi-supervised learning boost adversarially trained smoothed classifiers even further.