Randomized smoothing is currently the state-of-the-art method that provides certified robustness for deep neural networks. However, it often cannot achieve an adequate certified region on real-world datasets. One way to obtain a larger certified region is to use an input-specific algorithm instead of using a fixed Gaussian filter for all data points. Several methods based on this idea have been proposed, but they either suffer from high computational costs or gain marginal improvement in certified radius. In this work, we show that by exploiting the quasiconvex problem structure, we can find the optimal certified radii for most data points with slight computational overhead. This observation leads to an efficient and effective input-specific randomized smoothing algorithm. We conduct extensive experiments and empirical analysis on Cifar10 and ImageNet. The results show that the proposed method significantly enhances the certified radii with low computational overhead.

翻译：随机平滑是目前为深度神经网络提供认证鲁棒性的最先进方法。然而，该方法在真实数据集上往往无法获得足够的认证区域。一种获得更大认证区域的方法是使用输入特定算法，而非对所有数据点采用固定高斯滤波器。基于这一思想已有多种方法被提出，但它们在认证半径上要么计算成本过高，要么仅获得边际提升。本研究表明，通过利用拟凸问题结构，我们能在极小的计算开销下为大多数数据点找到最优认证半径。这一发现催生了一种高效且有效的输入特定随机平滑算法。我们在Cifar10和ImageNet上进行了大量实验和实证分析，结果表明所提方法在保持低计算开销的同时显著提升了认证半径。