MACER: Attack-free and Scalable Robust Training via Maximizing Certified Radius
read the original abstract
Adversarial training is one of the most popular ways to learn robust models but is usually attack-dependent and time costly. In this paper, we propose the MACER algorithm, which learns robust models without using adversarial training but performs better than all existing provable l2-defenses. Recent work shows that randomized smoothing can be used to provide a certified l2 radius to smoothed classifiers, and our algorithm trains provably robust smoothed classifiers via MAximizing the CErtified Radius (MACER). The attack-free characteristic makes MACER faster to train and easier to optimize. In our experiments, we show that our method can be applied to modern deep neural networks on a wide range of datasets, including Cifar-10, ImageNet, MNIST, and SVHN. For all tasks, MACER spends less training time than state-of-the-art adversarial training algorithms, and the learned models achieve larger average certified radius.
This paper has not been read by Pith yet.
Forward citations
Cited by 1 Pith paper
-
Provable Robustness against Backdoor Attacks via the Primal-Dual Perspective on Differential Privacy
A new framework is introduced for end-to-end provable robustness against backdoor attacks by composing randomized smoothing with differentially private training via privacy profiles.
discussion (0)
Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.