Randomized Smoothing (RS), being one of few provable defenses, has been showing great effectiveness and scalability in terms of defending against $\ell_2$-norm adversarial perturbations. However, the cost of MC sampling needed in RS for evaluation is high and computationally expensive. To address this issue, we investigate the possibility of performing randomized smoothing and establishing the robust certification in the latent space of a network, so that the overall dimensionality of tensors involved in computation could be drastically reduced. To this end, we propose Latent Space Randomized Smoothing. Another important aspect is that we use orthogonal modules, whose Lipschitz property is known for free by design, to propagate the certified radius estimated in the latent space back to the input space, providing valid certifiable regions for the test samples in the input space. Experiments on CIFAR10 and ImageNet show that our method achieves competitive certified robustness but with a significant improvement of efficiency during the test phase.

翻译：随机滑动(RS)是为数不多的可辨识防御物之一,在防御$@ell_2$-norm对抗性扰动方面一直显示出巨大的有效性和可伸缩性。然而,RS评估所需的MC取样成本很高,而且计算成本很高。为了解决这个问题,我们调查在网络潜伏空间进行随机滑动并在网络潜在空间建立稳健的验证的可能性,以便大幅降低计算中涉及的微粒的整体维度。为此,我们提议了冷冻空间随机滑动。另一个重要方面是,我们使用自由设计的Lipschitz特性为人所知的Orthogonal模块,将潜在空间的经认证的半径传播到输入空间,为输入空间的测试样品提供有效的可验证区域。CIFAR10和图像网络实验显示,我们的方法实现了竞争性的验证强度,但在测试阶段取得了显著效率的提高。