Certified Robustness for Top-k Predictions against Adversarial Perturbations via Randomized Smoothing
Authors: Jinyuan Jia, Xiaoyu Cao, Binghui Wang, Neil Zhenqiang Gong
ICLR 2020
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | We also empirically evaluate our method on CIFAR10 and ImageNet. For example, our method can obtain an ImageNet classifier with a certified top-5 accuracy of 62.8% when the ℓ2-norms of the adversarial perturbations are less than 0.5 (=127/255). Our contributions are summarized as follows: Theory. We derive the first certified radius for top-k predictions. Moreover, we prove our certified radius is tight for randomized smoothing with Gaussian noise. Algorithm. We develop algorithms to estimate our certified radius in practice. Evaluation. We empirically evaluate our method on CIFAR10 and ImageNet. |
| Researcher Affiliation | Academia | Jinyuan Jia, Xiaoyu Cao, Binghui Wang, Neil Zhenqiang Gong Duke University {jinyuan.jia,xiaoyu.cao,binghui.wang,neil.gong}@duke.edu |
| Pseudocode | Yes | Algorithm 1: PREDICT; Algorithm 2: CERTIFY |
| Open Source Code | Yes | Our code is publicly available at: https://github.com/jjy1994/Certify_Topk. |
| Open Datasets | Yes | We conduct experiments on the standard CIFAR10 (Krizhevsky & Hinton, 2009) and ImageNet (Deng et al., 2009) datasets to evaluate our method. |
| Dataset Splits | No | The paper mentions training and testing but does not explicitly describe a separate validation split or how it was used. |
| Hardware Specification | No | The paper does not specify any particular hardware (e.g., GPU, CPU models, or memory) used for running the experiments. |
| Software Dependencies | No | The paper does not explicitly list any software dependencies with version numbers. |
| Experiment Setup | Yes | Parameter setting: We study the impact of k, the confidence level 1 − α, the noise level σ, the number of samples n, and the confidence interval estimation methods on the certified radius. Unless otherwise mentioned, we use the following default parameters: k = 3, α = 0.001, σ = 0.5, n = 100,000, and µ = 10^−5. Moreover, we use SimuEM to estimate bounds of label probabilities. When studying the impact of one parameter on the certified radius, we fix the other parameters to their default values. |