
Integration of certified defense methods (Randomized Smoothing research) #85

@henba1

Description


Extend VERONA to Support Probabilistic Certified Defences (Randomised Smoothing)

Overview

To support robustness experiments and computation of robustness distributions with probabilistic certified defences, specifically Randomised Smoothing (Cohen et al.) and Diffusion Denoised Smoothing (Carlini et al.), VERONA's EpsilonValueEstimator and VerificationModule abstract classes need to be extended to support certification given specific sampling rates for predicting (N₀) and certifying (N), smoothing level (σ), and confidence level (α).

To alleviate the need for pre-training, following the research by Carlini et al., the certification module might call a diffusion denoiser to denoise the images before classification.

It remains to be decided in the course of the research whether (i) all required modules to support this functionality are directly integrated with VERONA or (ii) only minimal changes to the API are introduced, with the functional modules being imported from a separate package, similar to auto-verify.

Background

Randomised Smoothing (Cohen et al.)

  • Monte Carlo Sampling: Uses Gaussian noise sampling around input images
  • Key Parameters: σ (noise level), N₀ (prediction samples), N (certification samples), α (confidence)
  • Probabilistic Certification: Returns both predicted class and certified L₂ radius
  • Algorithm: Samples base classifier predictions under noise, uses statistical bounds for certification

Diffusion Denoised Smoothing (Carlini et al.)

  • Diffusion Enhancement: Extends randomised smoothing with diffusion model denoising
  • Time-step control: Uses the diffusion time step t corresponding to the desired noise level σ
  • Pre-trained Models: Leverages off-the-shelf diffusion models (no pre-training required)
  • Same Certification Logic: Otherwise follows identical Monte Carlo approach
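As an added worked example (not VERONA code, and not code from either paper), the following Python block implements the CERTIFY procedure summarised under Randomised Smoothing above, together with the σ-to-time-step lookup described under Diffusion Denoised Smoothing. It assumes a constructed toy base classifier (a fixed halfspace in 2-D, so the smoothed probability of class 1 at x is exactly Φ(x₀/σ) and the result can be checked by hand), a constructed linear DDPM beta schedule in place of a real diffusion model, and Hoeffding's inequality in place of the Clopper-Pearson bound used by Cohen et al. (valid but looser, so radii come out conservative). Only the Python standard library is used.

```python
"""Randomised smoothing CERTIFY (Cohen et al.) plus the sigma -> diffusion
time-step lookup of Carlini et al., on a toy 2-D base classifier.

Added example for this issue; not VERONA code. All inputs are constructed."""
import math
import random
from statistics import NormalDist
from typing import Callable, List, Sequence, Tuple

ABSTAIN = -1
_STD_NORMAL = NormalDist()


def base_classifier(x: Sequence[float]) -> int:
    """Constructed stand-in for a trained model: a fixed halfspace in 2-D.
    Class 1 iff the first coordinate is positive. For this toy model the
    smoothed probability of class 1 at x is exactly Phi(x[0] / sigma)."""
    return 1 if x[0] > 0 else 0


def sample_counts(f: Callable[[Sequence[float]], int], x: Sequence[float],
                  sigma: float, n: int, num_classes: int,
                  rng: random.Random) -> List[int]:
    """Monte Carlo step: classify n Gaussian-perturbed copies of x and
    return the per-class vote counts."""
    counts = [0] * num_classes
    for _ in range(n):
        noisy = [xi + rng.gauss(0.0, sigma) for xi in x]
        counts[f(noisy)] += 1
    return counts


def lower_confidence_bound(k: int, n: int, alpha: float) -> float:
    """One-sided (1 - alpha) lower confidence bound on a Binomial proportion.
    Cohen et al. use the Clopper-Pearson bound; this example substitutes
    Hoeffding's inequality (assumption: no SciPy available), which is looser
    but still valid, so certified radii are conservative, never optimistic."""
    return max(0.0, k / n - math.sqrt(math.log(1.0 / alpha) / (2.0 * n)))


def certify(f: Callable[[Sequence[float]], int], x: Sequence[float],
            sigma: float, n0: int, n: int, alpha: float,
            num_classes: int = 2, seed: int = 0) -> Tuple[int, float]:
    """CERTIFY from Cohen et al.: guess the top class with n0 samples,
    lower-bound its probability p_A with n fresh samples, and return
    (class, certified L2 radius sigma * Phi^-1(p_A_lower)) or (ABSTAIN, 0.0)
    when the bound does not exceed 1/2. Holds with probability >= 1 - alpha."""
    rng = random.Random(seed)  # seeded so the example is reproducible
    counts0 = sample_counts(f, x, sigma, n0, num_classes, rng)
    c_a = max(range(num_classes), key=counts0.__getitem__)
    counts = sample_counts(f, x, sigma, n, num_classes, rng)
    p_a_lower = lower_confidence_bound(counts[c_a], n, alpha)
    if p_a_lower <= 0.5:
        return ABSTAIN, 0.0
    return c_a, sigma * _STD_NORMAL.inv_cdf(p_a_lower)


def ddpm_alphas_cumprod(steps: int = 1000, beta_start: float = 1e-4,
                        beta_end: float = 0.02) -> List[float]:
    """Cumulative product of (1 - beta_t) for a linear DDPM beta schedule.
    Constructed here; a real pipeline reads this from the diffusion model."""
    out, acc = [], 1.0
    for i in range(steps):
        beta = beta_start + (beta_end - beta_start) * i / (steps - 1)
        acc *= 1.0 - beta
        out.append(acc)
    return out


def timestep_for_sigma(sigma: float, alphas_cumprod: Sequence[float]) -> int:
    """Diffusion denoised smoothing: the smallest time step t whose noise
    level (1 - abar_t) / abar_t reaches sigma**2. Then sqrt(abar_t) * (x + delta)
    with delta ~ N(0, sigma^2 I) has the distribution of x_t in the diffusion
    forward process, so the denoiser can be run from step t before the base
    classifier sees the sample (inputs assumed in the model's own value range)."""
    target = sigma * sigma
    for t, abar in enumerate(alphas_cumprod):
        if (1.0 - abar) / abar >= target:
            return t
    raise ValueError("sigma exceeds the noise range of this schedule")


if __name__ == "__main__":
    label, radius = certify(base_classifier, [1.0, 0.0], sigma=0.5,
                            n0=100, n=1000, alpha=0.001)
    print(f"x=(1,0): class {label}, certified L2 radius {radius:.3f}")
    label, radius = certify(base_classifier, [0.0, 0.0], sigma=0.5,
                            n0=100, n=1000, alpha=0.001)
    print(f"x=(0,0): {'abstain' if label == ABSTAIN else label}")
    print("t for sigma=0.5:", timestep_for_sigma(0.5, ddpm_alphas_cumprod()))
```

At x = (1, 0) with σ = 0.5 the true p_A is Φ(2) ≈ 0.977, so the exact certified radius would be σ·Φ⁻¹(0.977) = 1.0; the Hoeffding bound with N = 1000 and α = 0.001 lands around 0.7, which illustrates why the choice of N and of the confidence bound matters for the radii VERONA would report. At x = (0, 0) both classes have probability 1/2 and the procedure abstains, the third outcome a RandomizedSmoothingModule result type has to represent alongside a class and a radius.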

Proposed Changes

1. New Verification Module

Create RandomizedSmoothingModule implementing Monte Carlo sampling with:

  • Support for both standard and diffusion-enhanced smoothing
  • Configurable parameters (σ, N₀, N, α, t)
  • Integration with existing VerificationModule interface

2. Enhanced Epsilon Value Estimator

Create RandomizedSmoothingEstimator supporting:

  • Probabilistic certification instead of binary search
  • Direct computation of certified radii
  • Integration with existing EpsilonValueEstimator interface

3. Extended Data Structures

Expand EpsilonValueResult to include:

  • Predicted class labels
  • Certified radius information
  • Statistical confidence measures

4. Configuration Support

Add support for new parameters:

  • Smoothing level (σ)
  • Sample counts (N₀, N)
  • Confidence level (α)
  • Diffusion time step (t)

Implementation Options

Option A: Full Integration

  • Implement the above directly in VERONA
  • Include pre-trained base classifier and denoiser loading and management
  • Provide complete end-to-end certification pipeline

Option B: Minimal API Changes

  • Import the randomised-smoothing functionality from a separate package
  • Follow the auto-verify pattern for external dependencies
  • Focus on API compatibility and result processing

References

[1] J. Cohen, E. Rosenfeld, and Z. Kolter, “Certified Adversarial Robustness via Randomized Smoothing,” in Proceedings of the 36th International Conference on Machine Learning, PMLR, May 2019, pp. 1310–1320. Available: https://proceedings.mlr.press/v97/cohen19c.html

[2] N. Carlini, F. Tramer, K. D. Dvijotham, L. Rice, M. Sun, and J. Z. Kolter, “(Certified!!) Adversarial Robustness for Free!,” 2022. Available: https://floriantramer.com/publications/certified22/
