Real-world data is complex and often consists of objects that can be decomposed into multiple entities (e.g. images into pixels, graphs into interconnected nodes). Randomized smoothing is a powerful framework for making models provably robust against small changes to their inputs, by guaranteeing robustness of the majority vote when randomly adding noise before classification. Yet, certifying robustness on such complex data via randomized smoothing is challenging when adversaries do not arbitrarily perturb entire objects (e.g. images) but only a subset of their entities (e.g. pixels). As a solution, we introduce hierarchical randomized smoothing: We partially smooth objects by adding random noise only on a randomly selected subset of their entities. By adding noise in a more targeted manner than existing methods, we obtain stronger robustness guarantees while maintaining high accuracy. We initialize hierarchical smoothing using different noising distributions, yielding novel robustness certificates for discrete and continuous domains. We experimentally demonstrate the importance of hierarchical smoothing in image and node classification, where it yields superior robustness-accuracy trade-offs. Overall, hierarchical smoothing is an important contribution towards models that are both certifiably robust to perturbations and accurate.
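The sampling and voting scheme described above can be sketched as follows; this is an added illustration, not the authors' code, and it does not compute a robustness certificate. It assumes each entity is selected independently with probability `p` and that selected entities receive Gaussian noise with scale `sigma`; the toy `base_classifier` and the sample object `CLEAN` are constructed for the example.

```python
import random
from collections import Counter

def hierarchical_noise(x, p, sigma, rng):
    """Noise only a random subset of the entities (rows) of object x.

    Assumptions (not from the page): each entity is selected independently
    with probability p, and selected entities get isotropic Gaussian noise.
    """
    out, selected = [], []
    for entity in x:
        hit = rng.random() < p
        selected.append(hit)
        out.append([v + rng.gauss(0.0, sigma) for v in entity] if hit else list(entity))
    return out, selected

def base_classifier(x):
    """Hypothetical toy model: class 1 if the mean feature value exceeds 0.5."""
    values = [v for entity in x for v in entity]
    return int(sum(values) / len(values) > 0.5)

def smoothed_predict(x, p, sigma, n_samples=2000, seed=0):
    """Majority vote of the base classifier over randomly noised copies of x."""
    rng = random.Random(seed)
    votes = Counter(
        base_classifier(hierarchical_noise(x, p, sigma, rng)[0])
        for _ in range(n_samples)
    )
    label, count = votes.most_common(1)[0]
    return label, count / n_samples

# Constructed sample object: 8 entities with 4 features each.
CLEAN = [[0.8] * 4 for _ in range(8)]

if __name__ == "__main__":
    for p in (0.3, 1.0):  # p = 1.0 noises every entity (no subset selection)
        label, share = smoothed_predict(CLEAN, p=p, sigma=1.0)
        print(f"p={p}: majority class {label}, vote share {share:.3f}")
```

Setting `p = 1.0` noises every entity, so the two printed vote shares compare partial smoothing with noising the whole object on the same clean input.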