
A Spectral View of Randomized Smoothing Under Common Corruptions: Benchmarking and Improving Certified Robustness

  • Conference paper
Computer Vision – ECCV 2022 (ECCV 2022)

Abstract

A certified robustness guarantee gauges a model's resistance to test-time attacks and can be used to assess its readiness for deployment in the real world. In this work, we explore a new problem setting to critically examine how adversarial robustness guarantees change when state-of-the-art randomized smoothing-based certifications encounter common corruptions of the test data. Our analysis demonstrates a previously unknown vulnerability of these certifiably robust models to low-frequency corruptions such as weather changes, rendering them unfit for deployment in the wild. To alleviate this issue, we propose a novel data augmentation scheme, FourierMix, that produces augmentations to improve the spectral coverage of the training data. Furthermore, we propose a new regularizer that encourages consistent predictions on noise perturbations of the augmented data, improving the quality of the smoothed models. We show that FourierMix helps eliminate the spectral bias of certifiably robust models, enabling them to achieve significantly better certified robustness on a range of corruption benchmarks. Our evaluation also uncovers the inability of current corruption benchmarks to expose the spectral biases of the models. To this end, we propose a comprehensive benchmarking suite that contains corruptions from different regions of the spectral domain. Evaluating models trained with popular augmentation methods on the proposed suite unveils their spectral biases, and establishes that FourierMix-trained models achieve stronger certified robustness guarantees under corruptions across the entire frequency spectrum.
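The abstract's central observation is that a randomized-smoothing certificate is issued at whatever input the model actually receives, so a corruption that shifts the input towards the decision boundary shrinks the radius that can be certified there, and a model whose weights concentrate on low spatial frequencies is shifted most by low-frequency corruptions. The following is an added example, not code from the paper or the FourierMix repository: it implements the standard CERTIFY procedure of Cohen et al. (2019) (Clopper-Pearson lower bound on the top-class probability, radius σΦ⁻¹(p_A)) with only the Python standard library, and runs it on a constructed toy linear classifier whose weight vector lives in the two lowest DFT frequencies of a 32-sample signal. The test point, the smoothing parameters and the two corruptions (one low-frequency, one at the Nyquist frequency, both of ℓ2 norm 0.7) are assumptions chosen for illustration.

```python
"""Randomized-smoothing CERTIFY on a constructed toy classifier (added example, not
the paper's code). Shows how the certified l2 radius at a corrupted input shrinks for a
low-frequency corruption but not for a high-frequency one of the same l2 norm."""
import math
import random
from statistics import NormalDist

D = 32        # toy "image": a 1-D signal with D samples (constructed)
SIGMA = 0.5   # smoothing noise standard deviation (constructed)


def _cosine(k):
    """Unit-norm cosine at integer frequency k over D samples (a real DFT basis vector)."""
    v = [math.cos(2 * math.pi * k * i / D) for i in range(D)]
    norm = math.sqrt(sum(t * t for t in v))
    return [t / norm for t in v]


# Base classifier whose weight vector lies entirely in frequencies k=1 and k=2,
# i.e. a deliberately low-frequency-biased model (constructed for the example).
_w = [a + b for a, b in zip(_cosine(1), _cosine(2))]
_wn = math.sqrt(sum(t * t for t in _w))
W = [t / _wn for t in _w]   # unit norm, so W.eps ~ N(0, SIGMA^2) under Gaussian noise


def base_classifier(x):
    """Binary linear base classifier: class 1 iff W.x > 0."""
    return 1 if sum(wi * xi for wi, xi in zip(W, x)) > 0 else 0


def clopper_pearson_lower(k, n, alpha):
    """One-sided (1 - alpha) lower confidence bound on a binomial proportion
    with k successes out of n, as used by CERTIFY. Solves P[Bin(n, p) >= k] = alpha
    for p by bisection in log space, so no scipy is needed."""
    if k == 0:
        return 0.0
    lgn = math.lgamma(n + 1)

    def upper_tail(p):
        lp, lq = math.log(p), math.log1p(-p)
        return sum(math.exp(lgn - math.lgamma(j + 1) - math.lgamma(n - j + 1)
                            + j * lp + (n - j) * lq) for j in range(k, n + 1))

    lo, hi = 0.0, 1.0
    for _ in range(60):
        mid = (lo + hi) / 2
        if upper_tail(mid) < alpha:
            lo = mid
        else:
            hi = mid
    return lo   # lower end of the bracket: the conservative choice


def sample_counts(x, n, rng):
    """Count base-classifier votes over n Gaussian-perturbed copies of x."""
    counts = [0, 0]
    for _ in range(n):
        noisy = [xi + rng.gauss(0.0, SIGMA) for xi in x]
        counts[base_classifier(noisy)] += 1
    return counts


def certify(x, n0=100, n=1000, alpha=0.001, seed=0):
    """CERTIFY: guess the top class from n0 samples, lower-bound its probability
    with n fresh samples, and return (label, l2 radius) or ('ABSTAIN', 0.0)."""
    rng = random.Random(seed)
    counts0 = sample_counts(x, n0, rng)
    c_a = counts0.index(max(counts0))
    n_a = sample_counts(x, n, rng)[c_a]
    p_lower = clopper_pearson_lower(n_a, n, alpha)
    if p_lower <= 0.5:
        return "ABSTAIN", 0.0
    return c_a, SIGMA * NormalDist().inv_cdf(p_lower)


# Constructed test point with logit margin 1.0, plus two corruptions of equal l2 norm 0.7:
# a low-frequency one (k=1, which overlaps the classifier's weights) and a high-frequency
# one (k=D/2, the alternating Nyquist pattern, exactly orthogonal to the weights).
X_CLEAN = [1.0 * wi for wi in W]
X_LOW = [xi - 0.7 * ci for xi, ci in zip(X_CLEAN, _cosine(1))]
X_HIGH = [xi + 0.7 * ci for xi, ci in zip(X_CLEAN, _cosine(D // 2))]


def certified_radii():
    """Certified radius at the clean point and at both corrupted versions of it."""
    return {name: certify(x)[1] for name, x in
            (("clean", X_CLEAN), ("low_freq", X_LOW), ("high_freq", X_HIGH))}


if __name__ == "__main__":
    for name, r in certified_radii().items():
        print(f"{name:10s} certified l2 radius = {r:.3f}")
```

With these constants the clean point certifies a radius of roughly 0.85, the low-frequency corruption roughly halves it (the corruption removes about 0.5 of the logit margin), and the high-frequency corruption leaves it unchanged because it is orthogonal to the weight vector. The clean certificate does already cover an ℓ2 shift of 0.7, so the smoothed prediction itself survives; what degrades is the guarantee a deployed certifier can issue at the corrupted input, which is the quantity the abstract is concerned with.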


Notes

  1. The codebase and dataset of this work are available at https://github.com/jiachens/FourierMix.


Acknowledgements

This work was performed under the auspices of the U.S. Department of Energy by the Lawrence Livermore National Laboratory under Contract No. DE-AC52-07NA27344 and LLNL LDRD Program Project No. 20-ER-014. This work was partially supported by NSF under the National AI Institute for Edge Computing Leveraging Next Generation Wireless Networks, Grant # 2112562, in addition to NSF grants CMMI-2038215 and CNS-1930041.

Author information


Corresponding author

Correspondence to Jiachen Sun.


Electronic supplementary material

Below is the link to the electronic supplementary material.

Supplementary material 1 (pdf 13435 KB)


Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper


Cite this paper

Sun, J. et al. (2022). A Spectral View of Randomized Smoothing Under Common Corruptions: Benchmarking and Improving Certified Robustness. In: Avidan, S., Brostow, G., Cissé, M., Farinella, G.M., Hassner, T. (eds) Computer Vision – ECCV 2022. ECCV 2022. Lecture Notes in Computer Science, vol 13664. Springer, Cham. https://doi.org/10.1007/978-3-031-19772-7_38


  • DOI: https://doi.org/10.1007/978-3-031-19772-7_38


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-19771-0

  • Online ISBN: 978-3-031-19772-7

