Neural networks (NNs) are known to be vulnerable to adversarial perturbations, and thus there is a line of work aiming to provide robustness certification for NNs, such as randomized smoothing, which samples smoothing noise from a certain distribution to certify the robustness of a smoothed classifier. However, as shown by previous work, the certified robust radius in randomized smoothing does not scale to large datasets (the "curse of dimensionality"). To overcome this hurdle, we propose a Double Sampling Randomized Smoothing (DSRS) framework, which exploits the sampled probability from an additional smoothing distribution to tighten the robustness certification of the previous smoothed classifier. Theoretically, under mild assumptions, we prove that DSRS can certify a $\Theta(\sqrt d)$ robust radius under the $\ell_2$ norm, where $d$ is the input dimension, implying that DSRS may be able to break the curse of dimensionality of randomized smoothing. We instantiate DSRS for a generalized family of Gaussian smoothing and propose an efficient and sound computing method based on customized dual optimization that accounts for sampling error. Extensive experiments on MNIST, CIFAR-10, and ImageNet verify our theory and show that DSRS consistently certifies larger robust radii than existing baselines under different settings. Code is available at https://github.com/llylly/DSRS.
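To make the baseline the abstract builds on concrete, here is an added example (not code from the paper or the DSRS repository) of the standard Gaussian randomized-smoothing certificate of Cohen et al. (2019): Monte Carlo votes from a base classifier under $\mathcal{N}(0,\sigma^2 I)$, a one-sided Clopper-Pearson lower bound on the top-class probability $p_A$ that accounts for sampling error, and the certified $\ell_2$ radius $\sigma\,\Phi^{-1}(\underline{p_A})$. It also shows the "curse of dimensionality" the abstract refers to: for a fixed vote count the certified radius is independent of $d$, while the typical norm of the smoothing noise grows as $\sigma\sqrt{d}$. The toy base classifier, the function names, and the sample inputs are constructed for this illustration; the second smoothing distribution that DSRS adds is not implemented here.

```python
"""Baseline Gaussian randomized-smoothing certificate (Cohen et al., 2019).

Added example; not code from the DSRS paper or its repository.  Standard
library only: the normal quantile comes from statistics.NormalDist and the
Clopper-Pearson bound is found by bisection on the binomial tail.
"""
import math
import random
from statistics import NormalDist
from typing import Callable, List, Sequence, Tuple

_STD_NORMAL = NormalDist()


def _binom_tail_ge(x: int, n: int, p: float) -> float:
    """P[X >= x] for X ~ Binomial(n, p), summed in log space (requires 0 < p < 1)."""
    log_c = math.lgamma(n + 1)
    total = 0.0
    for k in range(x, n + 1):
        log_pmf = (log_c - math.lgamma(k + 1) - math.lgamma(n - k + 1)
                   + k * math.log(p) + (n - k) * math.log1p(-p))
        total += math.exp(log_pmf)
    return total


def clopper_pearson_lower(x: int, n: int, alpha: float) -> float:
    """One-sided (1 - alpha) Clopper-Pearson lower bound on a binomial proportion.

    Returns the largest p with P[X >= x | n, p] <= alpha; the tail is increasing
    in p, so bisection applies.  x = 0 carries no evidence and yields 0.
    """
    if x <= 0:
        return 0.0
    lo, hi = 0.0, 1.0
    for _ in range(200):  # converges to double precision long before this
        mid = (lo + hi) / 2.0
        if _binom_tail_ge(x, n, mid) > alpha:
            hi = mid
        else:
            lo = mid
    return lo


def certified_radius(count_top: int, n: int, sigma: float, alpha: float = 0.001) -> float:
    """Certified l2 radius sigma * Phi^{-1}(p_A lower bound); 0.0 means abstain."""
    p_lower = clopper_pearson_lower(count_top, n, alpha)
    if p_lower <= 0.5:
        return 0.0  # no class is certifiably the majority under the noise
    return sigma * _STD_NORMAL.inv_cdf(p_lower)


def smoothed_vote_counts(base_classifier: Callable[[Sequence[float]], int],
                         x: Sequence[float], sigma: float, n: int,
                         num_classes: int, seed: int = 0) -> List[int]:
    """Monte Carlo votes of the base classifier on x + N(0, sigma^2 I) noise."""
    rng = random.Random(seed)
    counts = [0] * num_classes
    for _ in range(n):
        noisy = [xi + rng.gauss(0.0, sigma) for xi in x]
        counts[base_classifier(noisy)] += 1
    return counts


def toy_base_classifier(x: Sequence[float]) -> int:
    """Constructed base classifier: class 1 if the coordinate sum is positive, else 0."""
    return 1 if sum(x) > 0 else 0


def radius_vs_noise_norm(count_top: int, n: int, sigma: float,
                         dims: Sequence[int], alpha: float = 0.001) -> List[Tuple[int, float, float]]:
    """(d, certified radius, typical noise norm sigma*sqrt(d)) for each dimension d.

    The radius does not depend on d, but the noise needed to obtain the same
    vote count lives on a sphere of radius ~sigma*sqrt(d): the gap the abstract
    calls the curse of dimensionality.
    """
    r = certified_radius(count_top, n, sigma, alpha)
    return [(d, r, sigma * math.sqrt(d)) for d in dims]


if __name__ == "__main__":
    sigma, n = 0.5, 1000
    x = [0.3] * 10  # constructed input, 10 dimensions
    votes = smoothed_vote_counts(toy_base_classifier, x, sigma, n, num_classes=2)
    top = max(range(2), key=votes.__getitem__)
    print("votes:", votes, "certified radius:", certified_radius(votes[top], n, sigma))
    for d, r, noise_norm in radius_vs_noise_norm(n, n, sigma, [10, 784, 3072, 150528]):
        print(f"d={d:>6}  radius={r:.3f}  noise norm~{noise_norm:.1f}  ratio={r / noise_norm:.4f}")
```

The dimensions in the demo (784, 3072, 150528) are the pixel counts of MNIST, CIFAR-10 and ImageNet inputs, so the last loop prints how far the baseline radius falls behind the noise scale on the datasets named in the abstract.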