Tight Certificates of Adversarial Robustness for Randomly Smoothed Classifiers
Authors: Guang-He Lee, Yang Yuan, Shiyu Chang, Tommi Jaakkola
NeurIPS 2019
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | We empirically illustrate these results with and without functional restrictions across image and molecule datasets. In this section, we validate the robustness certificates of the proposed discrete distribution (D) in the ℓ0 norm. We compare to the state-of-the-art additive isotropic Gaussian noise (N) [6], since an ℓ0 certificate with radius r in X = {0, 1/K, …, 1}^d can be obtained from an ℓ2 certificate with radius √r. (A conversion sketch follows the table.) |
| Researcher Affiliation | Collaboration | 1MIT Computer Science and Artificial Intelligence Lab 2Institute for Interdisciplinary Information Sciences, Tsinghua University 3MIT-IBM Watson AI Lab {guanghe, yangyuan, tommi}@csail.mit.edu, shiyu.chang@ibm.com |
| Pseudocode | Yes | Algorithm 1: Computing ρ_r⁻¹(0.5) |
| Open Source Code | Yes | Project page: http://people.csail.mit.edu/guanghe/randomized_smoothing. The pre-computed ρ_r⁻¹(0.5) is available at our code repository. |
| Open Datasets | Yes | We use a 55,000/5,000/10,000 split of the MNIST dataset for training/validation/testing. We conduct experiments on ImageNet [8], a large-scale image dataset with 1,000 labels. |
| Dataset Splits | Yes | We use a 55,000/5,000/10,000 split of the MNIST dataset for training/validation/testing. |
| Hardware Specification | No | The paper does not provide specific hardware details (e.g., GPU/CPU models, memory) used for running its experiments. |
| Software Dependencies | No | The paper mentions 'PyTorch' in the references but does not specify software dependencies with version numbers used for the experiments. |
| Experiment Setup | Yes | Deep networks: We follow the approach proposed by the prior work [21]: training is conducted on samples drawn from the randomization scheme via a cross-entropy loss. The prediction probability Pr(f(φ(x)) = y) is estimated by the lower bound of the Clopper-Pearson Bernoulli confidence interval [5] with 100K samples drawn from the distribution and the 99.9% confidence level. Decision trees: We train the decision tree greedily in a breadth-first ordering with a depth limit; for each split, we only search coordinates that have not been used before, to enforce the functional constraint in Section 3.6, and optimize a weighted Gini index, which weights each training example x by the probability that it is routed to the node by the discrete randomization. (A Clopper-Pearson estimation sketch follows the table.) |
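
The ℓ0-from-ℓ2 conversion quoted in the Research Type row can be made concrete with a short sketch. The snippet below is an illustration under our reading of that conversion, not the authors' code: `l2_certified_radius` follows the Gaussian-smoothing certificate of [6] (R = σ·Φ⁻¹(p_lower)), and `implied_l0_radius` is a hypothetical helper that returns the largest r with √r ≤ R, since changing r coordinates of a point in [0, 1]^d moves it by at most √r in ℓ2.

```python
# Sketch (not the authors' code): converting a Gaussian-smoothing l2 certificate
# into an l0 certificate over X = {0, 1/K, ..., 1}^d.
import math
from scipy.stats import norm


def l2_certified_radius(p_lower: float, sigma: float) -> float:
    """Gaussian-smoothing l2 radius from [6]: R = sigma * Phi^{-1}(p_lower),
    where p_lower is a lower confidence bound on the top-class probability."""
    return sigma * norm.ppf(p_lower)


def implied_l0_radius(l2_radius: float) -> int:
    """Largest r such that any change of r coordinates within [0, 1]
    (l2 norm <= sqrt(r)) stays inside the certified l2 ball:
    sqrt(r) <= R  =>  r = floor(R^2)."""
    return int(math.floor(max(l2_radius, 0.0) ** 2))


# Example (illustrative numbers): p_lower = 0.99, sigma = 1.0 gives R ~= 2.33,
# i.e. an implied l0 radius of 5.
print(implied_l0_radius(l2_certified_radius(0.99, 1.0)))
```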
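
The Clopper-Pearson lower bound quoted in the Experiment Setup row (100K Monte Carlo samples, 99.9% confidence) is a standard one-sided binomial bound; a minimal sketch is below. The function name and the example counts are illustrative assumptions, not taken from the paper's code.

```python
# Sketch (not the authors' code): one-sided Clopper-Pearson lower bound on
# Pr(f(phi(x)) = y), estimated from k correct predictions out of n noise samples.
from scipy.stats import beta


def clopper_pearson_lower(k: int, n: int, confidence: float = 0.999) -> float:
    """One-sided Clopper-Pearson lower confidence bound on a Bernoulli parameter."""
    if k == 0:
        return 0.0
    return beta.ppf(1.0 - confidence, k, n - k + 1)


# Example (illustrative counts): if the smoothed classifier returns the true label
# on 99,500 of 100,000 noise samples, the 99.9% lower bound is roughly 0.994.
print(clopper_pearson_lower(99_500, 100_000))
```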