Models for image segmentation, node classification and many other tasks map a single input to multiple labels. By perturbing this single shared input (e.g. the image) an adversary can manipulate several predictions (e.g. misclassify several pixels). Collective robustness certification is the task of provably bounding the number of robust predictions under this threat model. The only dedicated method that goes beyond certifying each output independently is limited to strictly local models, where each prediction is associated with a small receptive field. We propose a more general collective robustness certificate for all types of models. We further show that this approach is beneficial for the larger class of softly local models, where each output is dependent on the entire input but assigns different levels of importance to different input regions (e.g. based on their proximity in the image). The certificate is based on our novel localized randomized smoothing approach, where the random perturbation strength for different input regions is proportional to their importance for the outputs. Localized smoothing Pareto-dominates existing certificates on both image segmentation and node classification tasks, simultaneously offering higher accuracy and stronger certificates.

翻译：图像分割、节点分类及许多其他任务的模型将单个输入映射到多个标签。通过扰动这个共享的单一输入（例如图像），攻击者可以操纵多个预测（例如错误分类多个像素）。集体鲁棒性认证的任务是在这种威胁模型下，可证明地约束鲁棒预测的数量。唯一超越独立认证每个输出的专用方法仅限于严格局部模型，其中每个预测关联一个较小的感受野。我们提出了一种适用于所有类型模型的更通用的集体鲁棒性证书。进一步表明，该方法对于更大类别的软局部模型是有益的，其中每个输出依赖于整个输入，但对不同输入区域（例如基于它们在图像中的邻近性）赋予不同重要程度。该证书基于我们新颖的局部化随机平滑方法，其中不同输入区域的随机扰动强度与其对于输出的重要性成比例。局部化平滑在图像分割和节点分类任务上帕累托支配现有证书，同时提供更高的准确性和更强的证书。