Randomized smoothing (RS) is a well known certified defense against adversarial attacks, which creates a smoothed classifier by predicting the most likely class under random noise perturbations of inputs during inference. While initial work focused on robustness to $\ell_2$ norm perturbations using noise sampled from a Gaussian distribution, subsequent works have shown that different noise distributions can result in robustness to other $\ell_p$ norm bounds as well. In general, a specific noise distribution is optimal for defending against a given $\ell_p$ norm based attack. In this work, we aim to improve the certified adversarial robustness against multiple perturbation bounds simultaneously. Towards this, we firstly present a novel \textit{certification scheme}, that effectively combines the certificates obtained using different noise distributions to obtain optimal results against multiple perturbation bounds. We further propose a novel \textit{training noise distribution} along with a \textit{regularized training scheme} to improve the certification within both $\ell_1$ and $\ell_2$ perturbation norms simultaneously. Contrary to prior works, we compare the certified robustness of different training algorithms across the same natural (clean) accuracy, rather than across fixed noise levels used for training and certification. We also empirically invalidate the argument that training and certifying the classifier with the same amount of noise gives the best results. The proposed approach achieves improvements on the ACR (Average Certified Radius) metric across both $\ell_1$ and $\ell_2$ perturbation bounds.

翻译：随机平滑（RS）是一种广为人知的对抗攻击认证防御方法，该方法通过在推理过程中对输入施加随机噪声扰动，根据预测概率最高的类别构建平滑分类器。尽管初期研究主要针对使用高斯分布采样的噪声实现对 ℓ₂ 范数扰动的鲁棒性，后续工作表明，不同噪声分布亦可产生针对其他 ℓₚ 范数界的鲁棒性。一般而言，特定噪声分布对于防御基于给定 ℓₚ 范数的攻击是最优的。本研究旨在同时提升针对多种扰动界的认证对抗鲁棒性。为此，我们首先提出一种新颖的**认证方案**，该方案有效整合了不同噪声分布所获得的认证结果，以针对多种扰动界实现最优效果。我们进一步提出一种新型**训练噪声分布**，并结合**正则化训练方案**，以同时提升针对 ℓ₁ 和 ℓ₂ 扰动范数的认证性能。与先前工作不同，我们在相同自然（干净）精度下比较不同训练算法的认证鲁棒性，而非固定用于训练和认证的噪声水平。同时，我们通过实验否定了“使用相同噪声量训练和认证分类器可获得最佳结果”的论断。所提出的方法在 ℓ₁ 和 ℓ₂ 扰动界下均能提升平均认证半径（ACR）指标。