Randomized smoothing has achieved state-of-the-art certified robustness
against $l_2$-norm adversarial attacks. However, it is not wholly resolved on
how to find the optimal base classifier for randomized smoothing. In this work,
we employ a Smoothed WEighted ENsembling (SWEEN) scheme to improve the
performance of randomized smoothed classifiers. We show the ensembling
generality that SWEEN can help achieve optimal certified robustness.
Furthermore, theoretical analysis proves that the optimal SWEEN model can be
obtained from training under mild assumptions. We also develop an adaptive
prediction algorithm to reduce the prediction and certification cost of SWEEN
models. Extensive experiments show that SWEEN models outperform the upper
envelope of their corresponding candidate models by a large margin. Moreover,
SWEEN models constructed using a few small models can achieve comparable
performance to a single large model with a notable reduction in training time.
Go to Source of this post
Author Of this post: <a href="http://arxiv.org/find/cs/1/au:+Liu_C/0/1/0/all/0/1">Chizhou Liu</a>, <a href="http://arxiv.org/find/cs/1/au:+Feng_Y/0/1/0/all/0/1">Yunzhen Feng</a>, <a href="http://arxiv.org/find/cs/1/au:+Wang_R/0/1/0/all/0/1">Ranran Wang</a>, <a href="http://arxiv.org/find/cs/1/au:+Dong_B/0/1/0/all/0/1">Bin Dong</a>