Conformal prediction is a powerful tool for generating uncertainty sets with guaranteed coverage using any predictive model, under the assumption that the training and test data are i.i.d. Recently, it has been shown that adversarial examples can manipulate conformal methods into constructing prediction sets with invalid coverage rates, because the i.i.d. assumption is violated. To address this issue, a recent work, Randomized Smoothed Conformal Prediction (RSCP), was the first to certify the robustness of conformal prediction methods to adversarial noise. However, RSCP has two major limitations: (i) its robustness guarantee is flawed when used in practice and (ii) it tends to produce large uncertainty sets. To address these limitations, we first propose a novel framework called RSCP+ that provides a provable robustness guarantee in evaluation, fixing the issues in the original RSCP method. Next, we propose two novel methods, Post-Training Transformation (PTT) and Robust Conformal Training (RCT), to effectively reduce prediction set size with little computational overhead. Experimental results on CIFAR10, CIFAR100, and ImageNet suggest that the baseline method yields only trivial predictions that include the full label set, while our methods can boost efficiency by up to $4.36\times$, $5.46\times$, and $16.9\times$ respectively and provide a practical robustness guarantee. Our code is available at https://github.com/Trustworthy-ML-Lab/Provably-Robust-Conformal-Prediction.
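The coverage failure described in the abstract can be reproduced in a small simulation. This is an added example, not code from the paper or its repository. It assumes a constructed Gaussian score distribution and an adversary who can raise the true label's nonconformity score by at most `delta`; inflating the threshold by `delta` is a simple worst-case correction used for illustration only, not RSCP, RSCP+, PTT or RCT.

```python
import math
import random


def conformal_threshold(cal_scores, alpha):
    """Split-conformal threshold: the ceil((n+1)(1-alpha))-th smallest score."""
    n = len(cal_scores)
    k = math.ceil((n + 1) * (1 - alpha))
    if k > n:
        # Too few calibration points: only the full label set is valid.
        return math.inf
    return sorted(cal_scores)[k - 1]


def coverage(true_label_scores, threshold):
    """Fraction of test points whose true label falls inside the prediction set."""
    hits = sum(s <= threshold for s in true_label_scores)
    return hits / len(true_label_scores)


def simulate(alpha=0.1, delta=0.5, n_cal=1000, n_test=5000, seed=0):
    rng = random.Random(seed)

    def draw():
        # Constructed score distribution (assumption, not from the paper).
        return rng.gauss(0.0, 1.0)

    cal = [draw() for _ in range(n_cal)]       # clean calibration scores
    clean = [draw() for _ in range(n_test)]    # i.i.d. test scores
    # Assumed threat model: perturbation raises each true-label score by delta,
    # so test scores are no longer exchangeable with calibration scores.
    attacked = [s + delta for s in clean]

    q = conformal_threshold(cal, alpha)
    return {
        "clean": coverage(clean, q),                     # about 1 - alpha
        "attacked": coverage(attacked, q),               # falls below 1 - alpha
        "attacked_inflated": coverage(attacked, q + delta),  # validity restored
    }


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name:18s} {value:.3f}")
```

The inflated threshold restores validity only at the cost of a larger prediction set, which is the efficiency problem the abstract attributes to robust conformal methods.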