
DE-CROP: Data-efficient Certified Robustness for Pretrained Classifiers

Nayak, GK and Rawal, R and Chakraborty, A (2023) DE-CROP: Data-efficient Certified Robustness for Pretrained Classifiers. In: 23rd IEEE/CVF Winter Conference on Applications of Computer Vision, WACV 2023, 3 - 7 January 2023, Waikoloa, pp. 4611-4620.

wacv_ 2023.pdf - Published Version
Official URL: https://doi.org/10.1109/WACV56688.2023.00460

Abstract

Certified defense using randomized smoothing is a popular technique for providing robustness guarantees for deep neural networks against l2 adversarial attacks. Existing works use this technique to provably secure a pretrained non-robust model by training a custom denoiser network on the entire training data. However, access to the training set may be restricted to a handful of data samples due to constraints such as high transmission cost and the proprietary nature of the data. Thus, we formulate a novel problem of "how to certify the robustness of pretrained models using only a few training samples". We observe that training the custom denoiser directly on limited samples using the existing techniques yields poor certification. To overcome this, our proposed approach (DE-CROP) generates class-boundary and interpolated samples corresponding to each training sample, ensuring high diversity in the feature space of the pretrained classifier. We train the denoiser by maximizing the similarity between the denoised output of the generated sample and the original training sample in the classifier's logit space. We also perform distribution-level matching using a domain discriminator and maximum mean discrepancy, which yields further benefit. In the white-box setup, we obtain significant improvements over the baseline on multiple benchmark datasets, and we report similar performance under the challenging black-box setup. © 2023 IEEE.

Item Type: Conference Paper
Publication: Proceedings - 2023 IEEE Winter Conference on Applications of Computer Vision, WACV 2023
Publisher: Institute of Electrical and Electronics Engineers Inc.
Additional Information: The copyright for this article belongs to the Authors.
Keywords: Benchmarking; Crops; Learning algorithms; Network security; Sampling; Supervised learning, Adversarial attack and defense method; Adversarial learning; Algorithm: adversarial learning; And algorithm (including transfer, low-shot, semi-, self-, and un-supervised learning); Formulation; Learning architectures; Machine learning architecture; Machine-learning; Training sample; Un-supervised learning, Deep neural networks
Department/Centre: Division of Interdisciplinary Sciences > Computational and Data Sciences
Date Deposited: 15 Mar 2023 05:51
Last Modified: 15 Mar 2023 05:51
URI: https://eprints.iisc.ac.in/id/eprint/80986
