Randomized smoothing has achieved great success for certified robustness against adversarial perturbations. Given any arbitrary classifier, randomized smoothing can guarantee the classifier's prediction over the perturbed input with provable robustness bound by injecting noise into the classifier. However, all of the existing methods rely on fixed i.i.d. probability distribution to generate noise for all dimensions of the data (e.g., all the pixels in an image), which ignores the heterogeneity of inputs and data dimensions. Thus, existing randomized smoothing methods cannot provide optimal protection for all the inputs. To address this limitation, we propose a novel anisotropic randomized smoothing method which ensures provable robustness guarantee based on pixel-wise noise distributions. Also, we design a novel CNN-based noise generator to efficiently fine-tune the pixel-wise noise distributions for all the pixels in each input. Experimental results demonstrate that our method significantly outperforms the state-of-the-art randomized smoothing methods.

翻译：随机滑动在对抗性扰动的验证稳健性方面取得了巨大成功。 在任何任意分类中,随机滑动可以保证分类者对扰动输入的预测,通过向分类者注入噪音可以保证稳健性。然而,所有现有方法都依赖于固定的 i.d. 概率分布,为数据的所有维度(例如图像中的所有像素)产生噪音,而这些数据忽视了输入和数据维度的异质性。因此,现有的随机滑动方法无法为所有输入提供最佳保护。为了解决这一限制,我们建议一种新型的厌异性随机滑动方法,确保基于像素的噪音分布的可辨别稳健性保证。此外,我们设计了一种新的CNN噪音生成器,以便有效地微调每种输入中所有像素的像素低噪声分布。实验结果表明,我们的方法大大超出了最先进的随机滑动方法。