Deep neural networks are known to be vulnerable to adversarial attacks: A small perturbation that is imperceptible to a human can easily make a well-trained deep neural network misclassify. To defend against adversarial attacks, randomized classifiers have been proposed as a robust alternative to deterministic ones. In this work we show that in the binary classification setting, for any randomized classifier, there is always a deterministic classifier with better adversarial risk. In other words, randomization is not necessary for robustness. In many common randomization schemes, the deterministic classifiers with better risk are explicitly described: For example, we show that ensembles of classifiers are more robust than mixtures of classifiers, and randomized smoothing is more robust than input noise injection. Finally, experiments confirm our theoretical results with the two families of randomized classifiers we analyze.
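The abstract's claim that a mixture of classifiers is never needed for robustness can be checked by hand in a small binary setting. The following is an added illustration, not code from the paper: it assumes a uniform mixture over k threshold classifiers on the real line, an L-infinity adversary with a fixed budget EPS, and a constructed labelled sample. The deterministic classifiers it compares against are g_t(z) = 1[q(z) >= t], where q(z) is the fraction of base classifiers voting 1 at z; t = 0.6 (at least 3 of 5 votes) is the majority-vote ensemble. Averaging the adversarial risk of g_t over the grid of t values reproduces the mixture's adversarial risk exactly, so some single t does at least as well as the mixture. The threshold construction is this example's own argument and need not coincide with the paper's proof.

```python
"""Toy check: a deterministic classifier matching or beating a mixture.

Constructed example (not the paper's code). k threshold classifiers on
the real line, a uniform mixture over them, and an L-infinity adversary
with budget EPS. Because each base classifier is monotone in x, the worst
perturbation is known in closed form, so all risks below are exact.
"""
from typing import Dict, List, Tuple

EPS = 0.3  # adversarial budget (assumed for the example)

# Constructed base classifiers: classifier i predicts 1 iff x > b_i.
THRESHOLDS = [-0.4, -0.1, 0.0, 0.2, 0.5]

# Constructed labelled sample; ground truth is y = 1 iff x > 0.
DATA: List[Tuple[float, int]] = [
    (-1.0, 0), (-0.6, 0), (-0.35, 0), (-0.15, 0), (-0.05, 0),
    (0.05, 1), (0.15, 1), (0.4, 1), (0.7, 1), (1.2, 1),
]


def vote_fraction(z: float, thresholds: List[float] = THRESHOLDS) -> float:
    """q(z): probability that the uniform mixture predicts class 1 at z."""
    return sum(1 for b in thresholds if z > b) / len(thresholds)


def worst_case_vote(x: float, y: int, eps: float) -> float:
    """q at the adversary's best point in [x-eps, x+eps].

    q is non-decreasing in z, so the adversary pushes left for y=1
    (to lower the vote for 1) and right for y=0 (to raise it)."""
    return vote_fraction(x - eps) if y == 1 else vote_fraction(x + eps)


def mixture_adv_risk(data=DATA, eps: float = EPS) -> float:
    """Adversarial risk of the mixture: one base classifier is drawn at
    random per query, so the error at a point is a probability in [0,1]."""
    total = 0.0
    for x, y in data:
        q = worst_case_vote(x, y, eps)
        total += (1.0 - q) if y == 1 else q
    return total / len(data)


def deterministic_adv_risk(t: float, data=DATA, eps: float = EPS) -> float:
    """Adversarial risk of g_t(z) = 1[q(z) >= t], a deterministic rule.
    t = 0.6 with five base classifiers is the majority-vote ensemble."""
    errors = 0
    for x, y in data:
        q = worst_case_vote(x, y, eps)
        errors += int(q < t) if y == 1 else int(q >= t)
    return errors / len(data)


def deterministic_risks(data=DATA, eps: float = EPS) -> Dict[float, float]:
    """Risks of g_t on the grid t in {1/k, ..., 1}. Since q only takes
    values j/k, averaging over this grid equals the mixture's risk."""
    k = len(THRESHOLDS)
    return {j / k: deterministic_adv_risk(j / k, data, eps) for j in range(1, k + 1)}


def best_deterministic(data=DATA, eps: float = EPS) -> Tuple[float, float]:
    """The threshold t with the lowest adversarial risk and that risk."""
    risks = deterministic_risks(data, eps)
    t = min(risks, key=risks.get)
    return t, risks[t]


if __name__ == "__main__":
    mix = mixture_adv_risk()
    risks = deterministic_risks()
    print(f"mixture adversarial risk:        {mix:.3f}")
    for t, r in risks.items():
        print(f"g_t adversarial risk, t={t:.1f}:  {r:.3f}")
    print(f"average over t:                  {sum(risks.values()) / len(risks):.3f}")
    print(f"best deterministic threshold:    {best_deterministic()}")
```

On the constructed sample the mixture has adversarial risk 0.42, the majority-vote ensemble (t = 0.6) has 0.40, and the average of the deterministic risks over the grid is again 0.42; the best deterministic threshold can therefore never exceed the mixture. The identity behind this is pointwise: for a y = 1 point whose worst-case vote is q, the mixture errs with probability 1 - q, while g_t errs for exactly the fraction 1 - q of grid values t, and symmetrically for y = 0.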