Real-world deployment of deep neural networks is hindered by their unstable predictions under noisy inputs and adversarial attacks. In this context the certified radius is a crucial indicator of a model's robustness. How, then, can one design an efficient classifier that comes with a certified radius? Randomized smoothing offers a promising framework: noise is injected into the inputs to obtain a smoothed, robust classifier. In this paper we first show that the variance introduced by the Monte Carlo sampling used to estimate the smoothed classifier interacts closely with two other important properties of the classifier, \textit{i.e.} its Lipschitz constant and its margin. More precisely, our work emphasizes the dual impact of the Lipschitz constant of the base classifier, on both the smoothed classifier and the empirical variance. Moreover, to increase the certified robust radius, we introduce a different way of converting the base classifier's logits into probability vectors so as to exploit the variance-margin trade-off. We use Bernstein's concentration inequality together with enhanced Lipschitz bounds for randomized smoothing. Experimental results show a significant improvement in certified accuracy over current state-of-the-art methods. Our novel certification procedure can be applied to pre-trained models that are already used with randomized smoothing, improving their certified radius in a zero-shot manner.
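The abstract's central point, that the Monte Carlo variance of the smoothed estimate interacts with the margin and with the radius one can certify, can be seen on a toy model. The block below is an added illustration, not code from the paper: it smooths a constructed one-dimensional base classifier with Gaussian noise, estimates the top-class score by Monte Carlo sampling, and compares the certified radius obtained from a variance-agnostic Hoeffding lower bound with the one obtained from the empirical Bernstein bound of Maurer and Pontil, which pays for the observed sample variance instead of the worst case. The radius formula is the standard Gaussian-smoothing one of Cohen et al. (radius sigma times the normal quantile of the lower-bounded top-class score), not the paper's refined Lipschitz-based bound; the base logit `3.0 * x`, the hard-vote and tempered-sigmoid conversions, and all constants (`x0`, `sigma`, `n`, `delta`) are assumptions chosen for illustration.

```python
"""Added example (not the paper's code): Monte Carlo certification of a
Gaussian-smoothed scalar classifier, with a Hoeffding lower bound versus an
empirical Bernstein lower bound on the smoothed top-class score.
Everything below (base logit, conversions, constants) is constructed."""
import math
import random
from statistics import NormalDist, variance

PHI_INV = NormalDist().inv_cdf  # standard normal quantile function


def hoeffding_lower(mean: float, n: int, delta: float) -> float:
    """One-sided Hoeffding bound for n i.i.d. variables in [0, 1]: with
    probability >= 1 - delta the true mean is at least this value.
    The slack depends on n only, never on the observed variance."""
    return mean - math.sqrt(math.log(1.0 / delta) / (2.0 * n))


def empirical_bernstein_lower(samples: list, delta: float) -> float:
    """Empirical Bernstein bound (Maurer & Pontil, 2009) for samples in [0, 1]:
    true mean >= mean - sqrt(2 V ln(2/delta) / n) - 7 ln(2/delta) / (3 (n - 1)),
    where V is the unbiased sample variance. Low variance gives a tight bound."""
    n = len(samples)
    mean = sum(samples) / n
    v = variance(samples)
    log_term = math.log(2.0 / delta)
    return mean - math.sqrt(2.0 * v * log_term / n) - 7.0 * log_term / (3.0 * (n - 1))


def certified_radius(p_lower: float, sigma: float) -> float:
    """Cohen et al. (2019) radius sigma * PHI_INV(p_A_lower). Scores lie in
    [0, 1] and sum to at most 1 over classes, so the runner-up expected score
    is at most 1 - p_A. Abstain (radius 0) unless p_A_lower > 1/2."""
    if p_lower <= 0.5:
        return 0.0
    return sigma * PHI_INV(p_lower)


def base_logit(x: float) -> float:
    """Constructed 1-D base classifier: logit of class A versus the rest."""
    return 3.0 * x  # Lipschitz constant 3 with respect to the input


def hard_vote(z: float) -> float:
    """Cohen-style conversion: a one-hot vote for the argmax class."""
    return 1.0 if z > 0.0 else 0.0


def soft_score(z: float, temperature: float) -> float:
    """Tempered sigmoid: a larger temperature flattens the score, lowering
    its variance across noise draws at the price of a smaller margin."""
    return 1.0 / (1.0 + math.exp(-z / temperature))


def certify(score_of_logit, x0: float, sigma: float, n: int, delta: float, seed: int) -> dict:
    """Monte Carlo certification of the smoothed score at x0 under N(0, sigma^2) noise."""
    rng = random.Random(seed)
    samples = [score_of_logit(base_logit(x0 + rng.gauss(0.0, sigma))) for _ in range(n)]
    mean = sum(samples) / n
    return {
        "mean": mean,
        "variance": variance(samples),
        "hoeffding_radius": certified_radius(hoeffding_lower(mean, n, delta), sigma),
        "bernstein_radius": certified_radius(empirical_bernstein_lower(samples, delta), sigma),
    }


def compare_conversions(x0: float = 1.0, sigma: float = 0.5, n: int = 2000,
                        delta: float = 1e-3, seed: int = 0) -> dict:
    """Certify the same smoothed point under the hard vote and under tempered
    sigmoid conversions, so the margin/variance trade-off is visible."""
    results = {"hard_vote": certify(hard_vote, x0, sigma, n, delta, seed)}
    for t in (0.5, 1.0, 2.0):
        results[f"sigmoid_T={t}"] = certify(lambda z, t=t: soft_score(z, t), x0, sigma, n, delta, seed)
    return results


if __name__ == "__main__":
    for name, r in compare_conversions().items():
        print(f"{name:14s} mean={r['mean']:.3f} var={r['variance']:.4f} "
              f"R_hoeffding={r['hoeffding_radius']:.3f} R_bernstein={r['bernstein_radius']:.3f}")
```

Running it prints, for each conversion, the estimated smoothed score (the margin side of the trade-off), its sample variance, and the two radii; the Bernstein radius exceeds the Hoeffding radius whenever the sample variance is well below the worst-case 1/4, which is exactly the regime a low-variance conversion of the logits aims for.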