Real-life applications of deep neural networks are hindered by their unsteady predictions when faced with noisy inputs and adversarial attacks. In this context, the certified radius is a crucial indicator of the robustness of models. However, how can one design an efficient classifier with a sufficient certified radius? Randomized smoothing provides a promising framework by relying on noise injection in inputs to obtain a smoothed and more robust classifier. In this paper, we first show that the variance introduced by randomized smoothing closely interacts with two other important properties of the classifier, i.e., its Lipschitz constant and margin. More precisely, our work emphasizes the dual impact of the Lipschitz constant of the base classifier, on both the smoothed classifier and the empirical variance. Moreover, to increase the certified robust radius, we introduce a different simplex projection technique for the base classifier to leverage the variance-margin trade-off thanks to Bernstein's concentration inequality, along with an enhanced Lipschitz bound. Experimental results show a significant improvement in certified accuracy compared to current state-of-the-art methods. Our novel certification procedure allows us to use pre-trained models that are used with randomized smoothing, effectively improving the current certification radius in a zero-shot manner.
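The role of variance in the bound can be seen in a small added example, which is not code from the paper: it compares a Hoeffding lower bound with the Maurer-Pontil empirical Bernstein lower bound on the top-class score under noise, then converts each into the standard Gaussian-smoothing radius sigma * Phi^{-1}(p_lower) of Cohen et al. The sample scores, `SIGMA`, `DELTA` and all function names are assumptions constructed for illustration; the paper's own simplex projection and Lipschitz bound are not reproduced here.

```python
import math
from statistics import NormalDist

SIGMA = 0.5    # assumed smoothing noise level (constructed)
DELTA = 0.001  # assumed failure probability of the confidence bound

def hoeffding_lower(samples, delta=DELTA):
    """Lower confidence bound on E[X] for X in [0, 1]; ignores the variance."""
    n = len(samples)
    mean = sum(samples) / n
    return mean - math.sqrt(math.log(1 / delta) / (2 * n))

def empirical_bernstein_lower(samples, delta=DELTA):
    """Maurer-Pontil empirical Bernstein lower bound on E[X] for X in [0, 1].

    The deviation term scales with the sample variance, so low-variance
    scores give a tighter bound than Hoeffding at the same sample size.
    """
    n = len(samples)
    mean = sum(samples) / n
    var = sum((x - mean) ** 2 for x in samples) / (n - 1)
    log_term = math.log(2 / delta)
    return mean - math.sqrt(2 * var * log_term / n) - 7 * log_term / (3 * (n - 1))

def certified_radius(p_lower, sigma=SIGMA):
    """Standard Gaussian-smoothing l2 radius; 0 if the bound is not above 1/2."""
    if p_lower <= 0.5:
        return 0.0
    return sigma * NormalDist().inv_cdf(p_lower)

def constructed_scores(n=1000):
    """Two constructed score sets with the same mean (0.9), different variance."""
    soft = [0.88 if i % 2 == 0 else 0.92 for i in range(n)]  # low variance
    hard = [0.0 if i % 10 == 0 else 1.0 for i in range(n)]   # 0/1 votes
    return soft, hard

def compare():
    """Return {(score set, bound name): (lower bound, radius)}."""
    soft, hard = constructed_scores()
    out = {}
    for name, scores in (("soft", soft), ("hard", hard)):
        for bound in (hoeffding_lower, empirical_bernstein_lower):
            p = bound(scores)
            out[(name, bound.__name__)] = (p, certified_radius(p))
    return out

if __name__ == "__main__":
    for key, (p, r) in compare().items():
        print(key, f"p_lower={p:.4f}", f"radius={r:.4f}")
```

Hoeffding gives the same bound for both score sets because they share a mean, while the Bernstein bound separates them by variance.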