Randomized smoothing is a leading approach for constructing classifiers that are certifiably robust against adversarial examples. Existing work on randomized smoothing has focused on classifiers with continuous inputs, such as images, where $\ell_p$-norm bounded adversaries are commonly studied. However, there has been limited work for classifiers with discrete or variable-size inputs, such as for source code, which require different threat models and smoothing mechanisms. In this work, we adapt randomized smoothing for discrete sequence classifiers to provide certified robustness against edit distance-bounded adversaries. Our proposed smoothing mechanism randomized deletion (RS-Del) applies random deletion edits, which are (perhaps surprisingly) sufficient to confer robustness against adversarial deletion, insertion and substitution edits. Our proof of certification deviates from the established Neyman-Pearson approach, which is intractable in our setting, and is instead organized around longest common subsequences. We present a case study on malware detection--a binary classification problem on byte sequences where classifier evasion is a well-established threat model. When applied to the popular MalConv malware detection model, our smoothing mechanism RS-Del achieves a certified accuracy of 91% at an edit distance radius of 128 bytes.

翻译：随机平滑是一种构建分类器以使其对对抗性示例具有可证明鲁棒性的主流方法。现有关于随机平滑的工作主要聚焦于连续输入的分类器（如图像），其中常研究受$\ell_p$范数约束的对抗性攻击。然而，针对离散或可变大小输入（如源代码）的分类器，相关工作较为有限，这类场景需要不同的威胁模型和平滑机制。在本工作中，我们将随机平滑适配于离散序列分类器，以提供针对编辑距离有界对抗性攻击的可证明鲁棒性。我们提出的平滑机制——随机删除（RS-Del），通过应用随机删除编辑操作（这令人惊讶地足以抵御对抗性删除、插入和替换编辑）来赋予鲁棒性。我们的证明过程偏离了经典的Neyman-Pearson方法（该方法在本文场景中难以处理），转而围绕最长公共子序列进行组织。我们以恶意软件检测作为案例研究：这是一个针对字节序列的二分类问题，其中分类器规避是一个公认的威胁模型。当应用于流行的MalConv恶意软件检测模型时，我们的平滑机制RS-Del在编辑距离半径128字节下实现了91%的可证明准确率。