[Paper Review] Theoretical evidence for adversarial robustness through randomization: the case of the Exponential family.
This paper provides the first theoretical justification for adversarial robustness through randomization, specifically for exponential family noise injection at inference time. It establishes a formal link between the randomization rate and robustness, unifying and extending prior empirical successes with rigorous analysis for the exponential family.
This paper investigates the theory of robustness against adversarial attacks. It focuses on the family of randomization techniques that consist in injecting noise in the network at inference time. These techniques have proven effective in many contexts, but lack theoretical arguments. We close this gap by presenting a theoretical analysis of these approaches, hence explaining why they perform well in practice. More precisely, we provide the first result relating the randomization rate to robustness to adversarial attacks. This result applies to the general family of exponential distributions, and thus extends and unifies the previous approaches. We support our theoretical claims with a set of experiments.
Motivation & Objective
- To address the lack of theoretical understanding behind randomization-based defenses against adversarial attacks.
- To establish a formal connection between the rate of randomization and robustness to adversarial examples.
- To unify and generalize existing randomization techniques under a single theoretical framework based on the exponential family.
- To provide theoretical justification for the empirical success of inference-time noise injection in improving robustness.
Proposed method
- The authors analyze randomization techniques that inject noise from the exponential family during inference, rather than training.
- They derive a theoretical bound relating the robustness of a model to the rate of randomization, using properties of the exponential family.
- The analysis leverages concentration inequalities and the structure of exponential family distributions to quantify robustness gains.
- The method applies to a broad class of models and noise distributions, including Gaussian and Laplace, under mild regularity conditions.
- Theoretical results are supported by empirical experiments on standard benchmarks to validate the predictions.
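As an added illustration (not code from the paper or from this review), the following Python shows the mechanism the method relies on for Gaussian inference-time noise: the divergence between the noise distributions centred at a clean input and at a perturbed input depends on the attack only through the perturbation norm and shrinks as the noise scale grows, which caps how far any downstream decision rule's output distribution can move. The linear classifier, input, perturbation and noise scales are constructed toy values, and the Renyi and total-variation closed forms are standard Gaussian identities standing in for the paper's bound, which the page does not state.

```python
import math
import random

def gaussian_renyi_divergence(delta_norm: float, sigma: float, alpha: float) -> float:
    """Renyi divergence of order alpha between N(x, sigma^2 I) and N(x + delta, sigma^2 I).
    Closed form alpha * ||delta||^2 / (2 sigma^2): the attack enters only via ||delta||_2
    and the divergence decays as 1 / sigma^2 when the noise scale (randomization rate) grows."""
    return alpha * delta_norm ** 2 / (2.0 * sigma ** 2)

def gaussian_tv_distance(delta_norm: float, sigma: float) -> float:
    """Total variation between the same two Gaussians, 2 * Phi(||delta|| / (2 sigma)) - 1.
    Any decision rule f and label set S satisfy
    |P[f(x+Z) in S] - P[f(x+delta+Z) in S]| <= TV (post-processing never increases TV)."""
    return math.erf(delta_norm / (2.0 * sigma * math.sqrt(2.0)))

def linear_predict(w, b, point) -> int:
    """Constructed deterministic base classifier: 1 if w . point + b > 0 else 0."""
    return int(sum(wi * pi for wi, pi in zip(w, point)) + b > 0)

def empirical_prob_shift(w, b, x, delta, sigma, n_samples=4000, seed=7) -> float:
    """Monte Carlo estimate of |P[f(x+Z)=1] - P[f(x+delta+Z)=1]|, Z ~ N(0, sigma^2 I).
    Noise is drawn at inference time and shared by the clean and perturbed inputs."""
    rng = random.Random(seed)
    hits_clean = hits_perturbed = 0
    for _ in range(n_samples):
        z = [rng.gauss(0.0, sigma) for _ in x]
        hits_clean += linear_predict(w, b, [xi + zi for xi, zi in zip(x, z)])
        hits_perturbed += linear_predict(w, b, [xi + di + zi for xi, di, zi in zip(x, delta, z)])
    return abs(hits_clean - hits_perturbed) / n_samples

# Constructed toy instance: 2-d linear classifier, clean point X, and an l2 perturbation of
# norm 0.3 pushed along the weight direction (the direction that moves the logit the most).
W, B = [1.0, 0.0], 0.0
X = [0.2, 0.0]
DELTA = [0.3, 0.0]
DELTA_NORM = math.sqrt(sum(d * d for d in DELTA))

def robustness_table(sigmas=(0.5, 1.0, 2.0), alpha=2.0):
    """Per noise scale: (Renyi divergence of order alpha, TV bound, empirical output shift)."""
    return {s: (gaussian_renyi_divergence(DELTA_NORM, s, alpha),
                gaussian_tv_distance(DELTA_NORM, s),
                empirical_prob_shift(W, B, X, DELTA, s)) for s in sigmas}

if __name__ == "__main__":
    for s, (renyi, tv, shift) in robustness_table().items():
        print(f"sigma={s:.1f}  Renyi_2={renyi:.3f}  TV bound={tv:.3f}  empirical shift={shift:.3f}")
```

Running it prints one row per noise scale; the empirical shift stays below the TV bound at every scale and both fall as sigma increases, which is the randomization-rate-to-robustness relationship in miniature.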
Experimental results
Research questions
- RQ1: How does the rate of randomization affect adversarial robustness in deep neural networks?
- RQ2: Can a theoretical framework be established to explain the success of inference-time randomization?
- RQ3: To what extent does the exponential family of distributions unify existing randomization-based defenses?
- RQ4: What is the mathematical relationship between noise distribution parameters and robustness guarantees?
Key findings
- The paper establishes a formal theoretical relationship between the randomization rate and adversarial robustness, showing that higher randomization rates improve robustness.
- The theoretical analysis applies to the entire exponential family, unifying previous results for specific distributions like Gaussian and Laplace.
- The derived bound demonstrates that randomization can provide robustness even when the model is not adversarially trained.
- Empirical results confirm the theoretical predictions, showing consistent robustness gains across multiple datasets and architectures.
This review was created by AI and reviewed by human editors.