We empirically demonstrate that test-time adaptive batch normalization, which re-estimates the batch-normalization statistics during inference, can provide $\ell_2$-certification and improve the robustness of adversarially trained models to commonly occurring corruptions, while maintaining their state-of-the-art empirical robustness against adversarial attacks. Furthermore, we obtain $\ell_2$-certification comparable to the current state-of-the-art certification models on CIFAR-10 by adversarially training our model with larger $\ell_2$-bounded adversaries. Our work is therefore a step towards bridging the gap between state-of-the-art certified and empirical robustness. Our results also indicate that improving empirical adversarial robustness may be sufficient, since certification and corruption robustness are obtained as a by-product through test-time adaptive batch normalization.
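As an illustration of the adaptation step described above, the sketch below shows one way to re-estimate batch-normalization statistics from a batch of test inputs at inference time in PyTorch. The helper name \texttt{adapt\_bn\_statistics} and the single adaptation pass are assumptions made for exposition, not necessarily the exact procedure used in our experiments.
\begin{verbatim}
import torch
import torch.nn as nn

def adapt_bn_statistics(model: nn.Module, test_batch: torch.Tensor) -> None:
    """Re-estimate BatchNorm statistics from a batch of test inputs.

    Minimal sketch of test-time adaptive batch normalization: the BN
    layers are reset and switched to training mode so that one forward
    pass over the test batch replaces the running mean/variance with
    statistics of the test distribution; all weights stay unchanged.
    """
    for module in model.modules():
        if isinstance(module, nn.modules.batchnorm._BatchNorm):
            module.reset_running_stats()  # discard training-time statistics
            module.momentum = None        # use a cumulative (batch) average
            module.train()                # let the forward pass update stats
    with torch.no_grad():
        model(test_batch)                 # single pass to collect statistics
    model.eval()                          # predict with the adapted statistics
\end{verbatim}
After this single adaptation pass, predictions are made as usual in evaluation mode, now using the re-estimated statistics.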