English

Adaptive Randomized Smoothing: Certified Adversarial Robustness for Multi-Step Defences

Machine Learning 2025-07-11 v3 Cryptography and Security

Abstract

We propose Adaptive Randomized Smoothing (ARS) to certify the predictions of our test-time adaptive models against adversarial examples. ARS extends the analysis of randomized smoothing using ff-Differential Privacy to certify the adaptive composition of multiple steps. For the first time, our theory covers the sound adaptive composition of general and high-dimensional functions of noisy inputs. We instantiate ARS on deep image classification to certify predictions against adversarial examples of bounded LL_{\infty} norm. In the LL_{\infty} threat model, ARS enables flexible adaptation through high-dimensional input-dependent masking. We design adaptivity benchmarks, based on CIFAR-10 and CelebA, and show that ARS improves standard test accuracy by 11 to 15%15\% points. On ImageNet, ARS improves certified test accuracy by up to 1.6%1.6\% points over standard RS without adaptivity. Our code is available at https://github.com/ubc-systopia/adaptive-randomized-smoothing .

Keywords

Cite

@article{arxiv.2406.10427,
  title  = {Adaptive Randomized Smoothing: Certified Adversarial Robustness for Multi-Step Defences},
  author = {Saiyue Lyu and Shadab Shaikh and Frederick Shpilevskiy and Evan Shelhamer and Mathias Lécuyer},
  journal= {arXiv preprint arXiv:2406.10427},
  year   = {2025}
}
R2 v1 2026-06-28T17:06:52.987Z