Models for image segmentation, node classification and many other tasks map a single input to multiple labels. By perturbing this single shared input (e.g. the image) an adversary can manipulate several predictions (e.g. misclassify several pixels). Collective robustness certification is the task of provably bounding the number of robust predictions under this threat model. The only dedicated method that goes beyond certifying each output independently is limited to strictly local models, where each prediction is associated with a small receptive field. We propose a more general collective robustness certificate for all types of models. We further show that this approach is beneficial for the larger class of softly local models, where each output is dependent on the entire input but assigns different levels of importance to different input regions (e.g. based on their proximity in the image). The certificate is based on our novel localized randomized smoothing approach, where the random perturbation strength for different input regions is proportional to their importance for the outputs. Localized smoothing Pareto-dominates existing certificates on both image segmentation and node classification tasks, simultaneously offering higher accuracy and stronger certificates.