Randomized Smoothing under Attack: How Good is it in Pratice?

Add code
Apr 28, 2022
Thibault Maho, Teddy Furon, Erwan Le Merrer
Figure 1 for Randomized Smoothing under Attack: How Good is it in Pratice?
Figure 2 for Randomized Smoothing under Attack: How Good is it in Pratice?
Figure 3 for Randomized Smoothing under Attack: How Good is it in Pratice?
Figure 4 for Randomized Smoothing under Attack: How Good is it in Pratice?

Share this with someone who'll enjoy it:

Twitter IconFacebook IconLinkedin IconWhatsapp IconMessenger Icon

Randomized smoothing is a recent and celebrated solution to certify the robustness of any classifier. While it indeed provides a theoretical robustness against adversarial attacks, the dimensionality of current classifiers necessarily imposes Monte Carlo approaches for its application in practice. This paper questions the effectiveness of randomized smoothing as a defense, against state of the art black-box attacks. This is a novel perspective, as previous research works considered the certification as an unquestionable guarantee. We first formally highlight the mismatch between a theoretical certification and the practice of attacks on classifiers. We then perform attacks on randomized smoothing as a defense. Our main observation is that there is a major mismatch in the settings of the RS for obtaining high certified robustness or when defeating black box attacks while preserving the classifier accuracy.

* ICASSP 2022  
View paper onarxiv icon

Share this with someone who'll enjoy it:

Twitter IconFacebook IconLinkedin IconWhatsapp IconMessenger Icon