Randomized smoothing is a leading approach for constructing classifiers that are certifiably robust against adversarial examples. Existing work on randomized smoothing has focused on classifiers with continuous inputs, such as images, where $\ell_p$-norm bounded adversaries are commonly studied. However, there has been limited work for classifiers with discrete or variable-size inputs, such as for source code, which require different threat models and smoothing mechanisms. In this work, we adapt randomized smoothing for discrete sequence classifiers to provide certified robustness against edit distance-bounded adversaries. Our proposed smoothing mechanism randomized deletion (RS-Del) applies random deletion edits, which are (perhaps surprisingly) sufficient to confer robustness against adversarial deletion, insertion and substitution edits. Our proof of certification deviates from the established Neyman-Pearson approach, which is intractable in our setting, and is instead organized around longest common subsequences. We present a case study on malware detection--a binary classification problem on byte sequences where classifier evasion is a well-established threat model. When applied to the popular MalConv malware detection model, our smoothing mechanism RS-Del achieves a certified accuracy of 91% at an edit distance radius of 128 bytes.

翻译：随机平滑是为分类器提供对抗样本鲁棒性认证的主流方法。现有关于随机平滑的研究主要聚焦于连续输入（如图像）的分类器，其中通常研究带ℓ_p范数约束的对抗攻击。然而，对于离散或可变大小输入（如源代码）的分类器，相关工作十分有限——这类场景需要不同的威胁模型与平滑机制。在本工作中，我们将随机平滑适配到离散序列分类器，以提供针对编辑距离有界对抗攻击的认证鲁棒性。我们提出的平滑机制——随机删除(RS-Del)——通过施加随机删除编辑操作（令人惊讶的是）足以赋予分类器抵御对抗性删除、插入和替换编辑的能力。我们的认证证明偏离了经典的奈曼-皮尔逊方法（该方法在我们的设定中难以处理），转而围绕最长公共子序列展开。我们以恶意软件检测为案例研究——这是一个基于字节序列的二分类问题，其中分类器逃逸是公认的威胁模型。当应用于流行的MalConv恶意软件检测模型时，我们的平滑机制RS-Del在编辑距离半径128字节下实现了91%的认证准确率。