Real-life applications of deep neural networks are hindered by their unsteady predictions when faced with noisy inputs and adversarial attacks. In this context, the certified radius is a crucial indicator of the robustness of models. However, how can one design an efficient classifier with a sufficient certified radius? Randomized smoothing provides a promising framework: it relies on noise injection in the inputs to obtain a smoothed and more robust classifier. In this paper, we first show that the variance introduced by randomized smoothing closely interacts with two other important properties of the classifier, i.e., its Lipschitz constant and margin. More precisely, our work emphasizes the dual impact of the Lipschitz constant of the base classifier on both the smoothed classifier and the empirical variance. Moreover, to increase the certified robust radius, we introduce a different simplex projection technique for the base classifier to leverage the variance-margin trade-off thanks to Bernstein's concentration inequality, along with an enhanced Lipschitz bound. Experimental results show a significant improvement in certified accuracy compared to current state-of-the-art methods. Our novel certification procedure allows us to use pre-trained models that are used with randomized smoothing, effectively improving the current certification radius in a zero-shot manner.
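The variance-margin trade-off mentioned above can be seen in a small Monte Carlo certification sketch. This is an added example, not the paper's procedure or code: it assumes the empirical Bernstein bound of Maurer and Pontil (2009), the standard binary-case radius σ·Φ⁻¹(p), and a hypothetical 1-D base classifier (`make_score`) whose slope plays the role of the Lipschitz constant.

```python
import math
import random
from statistics import NormalDist, fmean, variance

def hoeffding_lower(xs, delta):
    """Lower confidence bound on E[X], X in [0, 1]; ignores the variance."""
    return fmean(xs) - math.sqrt(math.log(1 / delta) / (2 * len(xs)))

def bernstein_lower(xs, delta):
    """Empirical Bernstein lower bound (Maurer & Pontil, 2009), X in [0, 1]."""
    n, log_term = len(xs), math.log(2 / delta)
    return (fmean(xs) - math.sqrt(2 * variance(xs) * log_term / n)
            - 7 * log_term / (3 * (n - 1)))

def certified_radius(p_lower, sigma):
    """Binary-case L2 radius sigma * Phi^-1(p_lower); 0.0 means abstain."""
    if p_lower <= 0.5:
        return 0.0
    return sigma * NormalDist().inv_cdf(min(p_lower, 1 - 1e-12))

def noisy_scores(score_fn, x, sigma, n, rng):
    """Top-class scores of the base classifier under Gaussian input noise."""
    return [score_fn(x + rng.gauss(0.0, sigma)) for _ in range(n)]

def make_score(slope):
    """Hypothetical 1-D soft classifier; slope is its Lipschitz constant."""
    return lambda z: min(1.0, max(0.0, 0.5 + slope * z))

if __name__ == "__main__":
    rng = random.Random(0)  # constructed setting, not data from the paper
    x, sigma, n, delta = 1.0, 0.5, 10_000, 1e-3
    for slope in (0.25, 1.0, 4.0, 1e6):  # 1e6 behaves like a hard 0/1 output
        xs = noisy_scores(make_score(slope), x, sigma, n, rng)
        r_h = certified_radius(hoeffding_lower(xs, delta), sigma)
        r_b = certified_radius(bernstein_lower(xs, delta), sigma)
        print(f"L={slope:<8g} mean={fmean(xs):.3f} var={variance(xs):.4f} "
              f"R_hoeffding={r_h:.3f} R_bernstein={r_b:.3f}")
```

A small slope gives low variance but a mean close to 0.5 (small margin), while a very large slope gives a large margin with Bernoulli-like variance; the Bernstein bound rewards the low-variance regime, which Hoeffding cannot see.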