Randomized smoothing is currently considered the state-of-the-art method to obtain certifiably robust classifiers. Despite its remarkable performance, the method is associated with various serious problems such as ``certified accuracy waterfalls'', certification vs. accuracy trade-off, or even fairness issues. Input-dependent smoothing approaches have been proposed to overcome these flaws. However, we demonstrate that these methods lack formal guarantees and so the resulting certificates are not justified. We show that the input-dependent smoothing, in general, suffers from the curse of dimensionality, forcing the variance function to have low semi-elasticity. On the other hand, we provide a theoretical and practical framework that enables the usage of input-dependent smoothing even in the presence of the curse of dimensionality, under strict restrictions. We present one concrete design of the smoothing variance and test it on CIFAR10 and MNIST. Our design solves some of the problems of classical smoothing and is formally underlined, yet further improvement of the design is still necessary.
翻译:目前,自成一体的平滑方法被认为是目前最先进的获得可证实可靠的稳健分类方法。尽管这种方法表现出色,但它与各种严重问题相关,例如“经认证的准确瀑布 ” 、 认证与准确性权衡,甚至公正问题等。提出了依靠投入的平滑方法,以克服这些缺陷。然而,我们证明这些方法缺乏正式保障,因此由此产生的证书是站不住脚的。我们表明,从总体上看,依赖投入的平滑方法受到维度的诅咒的影响,迫使差异功能具有低的半弹性。另一方面,我们提供了一个理论和实践框架,允许在严格的限制下,即使在存在多元性诅咒的情况下,使用依赖投入的平滑。我们提出了一个具体的设计,以平衡差异,并在CIFAR10和MNIST上进行测试。我们的设计解决了一些典型的平滑问题,并正式强调,但仍然需要进一步改进设计。