English

Randomized Smoothing under Attack: How Good is it in Pratice?

Cryptography and Security 2022-05-02 v1 Artificial Intelligence Machine Learning

Abstract

Randomized smoothing is a recent and celebrated solution to certify the robustness of any classifier. While it indeed provides a theoretical robustness against adversarial attacks, the dimensionality of current classifiers necessarily imposes Monte Carlo approaches for its application in practice. This paper questions the effectiveness of randomized smoothing as a defense, against state of the art black-box attacks. This is a novel perspective, as previous research works considered the certification as an unquestionable guarantee. We first formally highlight the mismatch between a theoretical certification and the practice of attacks on classifiers. We then perform attacks on randomized smoothing as a defense. Our main observation is that there is a major mismatch in the settings of the RS for obtaining high certified robustness or when defeating black box attacks while preserving the classifier accuracy.

Keywords

Cite

@article{arxiv.2204.14187,
  title  = {Randomized Smoothing under Attack: How Good is it in Pratice?},
  author = {Thibault Maho and Teddy Furon and Erwan Le Merrer},
  journal= {arXiv preprint arXiv:2204.14187},
  year   = {2022}
}

Comments

ICASSP 2022

R2 v1 2026-06-24T11:02:48.653Z