SPLITZ: Certifiable Robustness via Split Lipschitz Randomized Smoothing

1. Can author comment on the normalization process?
   Thank you for your insightful and constructive feedback. Your comments on the normalization process in our work are highly appreciated and have prompted a deeper examination of our methodology.
   Initially, we adopted normalization in the first layer to align our approach with existing baseline methodologies, ensuring a fair comparison of results. However, your observations led us to recognize potential issues with this approach. In response, we have conducted a series of experiments to better understand the impact of normalization on our model's performance.
   Our initial experiment involved removing the normalization layer, which, interestingly, resulted in a decrease in certified accuracy under the same training parameters. This finding prompted further experimentation. We then tested the effect of applying normalization post-noise insertion, which yielded similar performance outcomes. Finally, we incorporated the normalization layer in the left half of our classifier while focusing on minimizing the local Lipschitz constant of the left half of the classifier. This was achieved by adjusting the loss function to include the multiplied maximum variance among the input channels and the previous local Lipschitz constant. These modifications led to notable findings. Our revised SPLITZ model not only addressed the initial concerns but also demonstrated superior performance compared to other baseline models. We show the certified test accuracy w.r.t $\epsilon$ in the Table 1 as follows
   $\begin{array}{|c|c|c|c|} \hline Method & \epsilon = 1.50 & \epsilon =1.75 & \epsilon =2.00 & \epsilon =2.25 & \epsilon =2.50 \\\\ \hline RS [1] & 67.3 & 46.2 & 32.5 & 19.7 & 10.9 \\\\ \hline MACER [2] & 73.0 & 50.0 & 36.0 & 28.0 & -\\\\ \hline Consistency [3] &82.2 & 70.5 & 45.5 & 37.2 & 28.0 \\\\ \hline SmoothMix [4] & 81.8 & 70.7 & 44.9 & 37.1 & 29.3 \\\\ \hline DRT [5] &83.3 & 69.6 & 48.3 & 40.3 & 34.8 \\\\ \hline SPLITZ (revised) & 83.1 & **75.9** & **66.2** & **54.3** & **40.5**\\\\ \hline \end{array}$
   As shown in the above table, we achieve the comparative results when $\epsilon = 1.50$. Our SPLITZ classifier outperforms other baselines when $\epsilon$ is larger. However, we acknowledge that further optimization of training parameters may be required for larger datasets, such as CIFAR-10 and ImageNet.
   We plan to include a detailed account of these experiments and their implications in the appendix of our revised paper, with a summarized version in the main text. Your feedback has been instrumental in guiding these improvements, and we are grateful for your thorough and thoughtful review.
2. Can you explain the difference between the preprint [6] and yours work?
   Thanks for bringing this preprint [6] to our attention. While this preprint [6] also proposes the idea of breaking the network into two halves, there are several key distinctions as we elaborate upon next. The preprint [6] uses an orthogonal convolutional network-based encoder followed by a randomized smoothing classifier. The key idea herein is to ensure that the global Lipschitz constant of the first half of the network (termed as "encoder" in the preprint) is close to $1$, then, the certified radius is essentially given by the ceritified radius of the second half (obtained by randomized smoothing).
   Our work introduces a novel approach where we focus on measuring the $\gamma$-local Lipschitz constant of the network's first half. This is a strategic choice as it enables the capture of local information specific to each input $x$, offering a more nuanced understanding of the network’s behavior at an individual input level. To further enhance certified robustness, we have integrated the local Lipschitz constant of the network's first half into the loss function as a regularization term. This methodology aims to maintain a smaller local Lipschitz constant (specifically, $L_{f_L}^{(\gamma)} < 1$) for the first half of the network, which in turn significantly boosts the certified radius. For example, in the CIFAR-10 datasets, we found that the average local Lipschitz constant for the first half of the network is approximately 0.62, even though the global Lipschitz constants could be significantly higher. Furthermore, in Theorem $1$, we show that the certified radius can then be further optimized by varying $\gamma$ around each individual input $x$. Specifically, our certified radius is given by \underset{\gamma \geq 0 }{\max}~~\min \left\\{\frac{R_{f_\text{R}}(f_\text{L}(x))}{L_{f_\text{L}}^{(\gamma)}(x)}, \gamma \right\\}. This aspect of our work represents a unique and substantial deviation from previous studies, focusing on localized sensitivity and its impact on network robustness.

3. Why not include more works in the Lipschitz constrained training?
   Thank you for directing us to the literature on Lipschitz-constrained training. We will certainly enhance our paper with additional discussion on this topic. Our proposed framework is notably adaptable. As mentioned in our comment on "Room for Improvement" and Appendix B, we discuss the integration of methods that a) improve local Lipschitz constants training in the first half of the network, and b) augment the second half with techniques like denoising models.
4. Why do you use MNIST dataset?
   We acknowledge that compared to datasets like CIFAR-10 and ImageNet, MNIST is relatively smaller in scale. However, there are compelling reasons for its inclusion in our study. Firstly, MNIST is widely recognized as a benchmark dataset in the realm of randomized smoothing frameworks, as highlighted in various research papers [2,3,4,5]. Therefore, incorporating MNIST alongside CIFAR-10 and ImageNet allows for a more comprehensive and equitable comparison across standard datasets.
   Secondly, a retrospective analysis of the state-of-the-art certified accuracy achievements on MNIST reveals there is still a significant room for improvement, particularly at higher values of $\epsilon$ (i.e., the budget of adversarial perturbations). For example, when $\epsilon$ is set to $2$, the current best-certified accuracy stands at only 48.3% as proposed by [5]. This indicates a substantial opportunity for advancements using our methodology, particularly in enhancing certified accuracy under conditions of large $\epsilon$. From our revised experiments (accounting for the normalization as you pointed out), we achieve a certified test accuracy of $66.2\%$. Our study aims to address this gap, demonstrating the effectiveness of our approach in optimizing certified robustness in a well-established and challenging benchmark scenario.

Best regards,

The authors

[1] J. Cohen, E. Rosenfeld, and Z. Kolter, “Certified adversarial robustness via randomized smoothing,” in international conference on machine learning, pp. 1310–1320, PMLR, 2019.
[2] R. Zhai, C. Dan, D. He, H. Zhang, B. Gong, P. Ravikumar, C.-J. Hsieh, and L. Wang, “Macer: Attack-free and scalable robust training via maximizing certified radius,” in International Conference on Learning Representations, 2020.
[3] J. Jeong and J. Shin, “Consistency regularization for certified robustness of smoothed classifiers,” Advances in Neural Information Processing Systems, vol. 33, pp. 10558–10570, 2020.
[4] J. Jeong, S. Park, M. Kim, H.-C. Lee, D.-G. Kim, and J. Shin, “Smoothmix: Training confidence-calibrated smoothed classifiers for certified robustness,” Advances in Neural Information Processing Systems, vol. 34, pp. 30153–30168, 2021.
[5] Z. Yang, L. Li, X. Xu, B. Kailkhura, T. Xie, and B. Li, “On the certified robustness for ensemble models and beyond,” arXiv preprint arXiv:2107.10873, 2021.
[6] H. Zeng, J. Su, and F. Huang, “Certified defense via latent space randomized smoothing with orthogonal encoders,” arXiv preprint arXiv:2108.00491, 2021.

1. Could the authors provide an indication of the overhead of running SPLITZ (including the hyper-parameter tuning process) with respect to the reported baselines?
   Thank you for your insightful query. The essence of our SPLITZ methodology lies in training the network's left half to have a relatively small local Lipschitz constant, while apply the randomized smoothing on the right half of the classifier. To achieve a small local Lipschitz constant for the first half, we initially adopt the settings from [1], setting $\lambda$ between 1 and 0.7. At the same time, we set the threshold of the local Lipschitz constant $\theta$ to be 0.5 by default. Adjustments to $\lambda$ or $\theta$ are made based on test accuracy outcomes. For the right half of the neural network which applies the randomized smoothing (RS), the overhead of running is comparable as RS [2].
   For the optimization over the $\gamma$ happening in the inference time (certification process), as we mentioned in Remark 1, for affine layers, it is sufficient to do a one step search to obtain the $\gamma$. For non-affine layers, it is better to do the binary search over the $\gamma$ to accurately estimate the local Lipschitz constant. From our previous experimental results, it will usually take 10-15 iterations for each input to find the optimized $\gamma$, which is quite efficient compared to the overall training process.
2. Is $\theta$ tunable? Why does not $\lambda$ suffice?
   Thank you for this excellent question. Indeed, the local Lipschitz threshold $\theta$ is tunable within our framework. The necessity of incorporating $\theta$ alongside the trade-off parameter $\lambda$ stems from the limitations observed when only $\lambda$ is used. Our experimental results reveal that solely constraining $\lambda$ tends to lead to an extremely small local Lipschitz constant, such as 0.01. While this might seem advantageous, it significantly compromises certified accuracy. Thus, by introducing $\theta$ as a tunable parameter, we establish a more balanced and effective control mechanism. This dual-parameter approach allows for a more nuanced optimization, ensuring that the reduction in the local Lipschitz constant does not excessively detract from the certified accuracy of the model.
   Additionally, the inclusion of a local Lipschitz constant $\theta$ introduces a greater flexibility in managing a robustness budget. For instance, when presented with a predetermined budget for certified robustness, the ability to adjust $\theta$ becomes particularly advantageous. This flexibility enables a more strategic and efficient training approach, allowing us to maximize the certified robustness of the model within the constraints of the given budget. By tuning $\theta$, we can precisely calibrate the trade-off between robustness and other performance metrics, ensuring optimal model performance under specified robustness requirements.
3. How was $\lambda$ tuned?
   In tuning $\lambda$, we initially established its weight range, guided by the settings referenced in [1], which spans from 1 to 0.7. This range serves as our starting point. We then closely monitored the corresponding certified test accuracy as a key performance indicator. Depending on the observed performance of the classifier, we either narrowed or maintained this range of $\lambda$. This iterative approach allowed us to fine-tune $\lambda$ with precision, ensuring that it optimally contributes to the balance between robustness and accuracy. The decision to adjust the range is made based on a careful analysis of the trade-offs between the strength of regularization (imposed by $\lambda$) and the resultant model performance.

4. How do the authors explain the fact that performance improvements (if any) upon the baselines are significantly smaller on ImageNet?
   Thank you for raising this important question. The disparity in performance improvements between smaller datasets like MNIST and CIFAR-10 and a more complex dataset like ImageNet can be attributed to the challenges in minimizing the local Lipschitz constant for the network's left half. In simpler datasets, due to their limited complexity and diversity, it's relatively easier to achieve a lower local Lipschitz constant, which directly contributes to better performance enhancements. However, ImageNet, with its vast variety and complexity, presents a more challenging environment for this optimization process.
   Our experimental findings support this observation. For example, under a noise variance of 0.25 on MNIST, CIFAR-10 and 0.5 on ImageNet, we observed that the local Lipschitz constants for MNIST, CIFAR-10, and ImageNet were 0.58, 0.62 and 0.80, respectively. This progression indicates an increasing difficulty in minimizing the Lipschitz constant as dataset complexity rises. Consequently, the performance improvements on ImageNet are not as pronounced as those on simpler datasets. This insight highlights the relationship between dataset complexity and the effectiveness of our method in optimizing the local Lipschitz constant for enhanced performance. Furthermore, to improve the performance of SPLITZ in ImageNet dataset, we can natural apply the randomized smoothing based mechanisms on the second half of the neural networks, such as adversarial smoothing [3], mixsmoothing [4] or denoising diffusion models [5] as we discussed in Appendix B.
5. Why the effect of the splitting location on performance increases with $\sigma$?
   Thank you for your question. While varying the splitting location across the layers, to have a fair comparison, we apply the same noise in the model architecture. We will explore the splitting location with the effect of increasing $\sigma$ in our revised version, which will help us to have a better understanding of the effect of the splitting location with respect to $\sigma$.

Best regards,

The authors

[1] Y. Huang, H. Zhang, Y. Shi, J. Z. Kolter, and A. Anandkumar, “Training certifiably robust neural networks with efficient local lipschitz bounds,” Advances in Neural Information Processing Systems, vol. 34, pp. 22745–22757, 2021.
[2] J. Cohen, E. Rosenfeld, and Z. Kolter, “Certified adversarial robustness via randomized smoothing,” in international conference on machine learning, pp. 1310–1320, PMLR, 2019.
[3] H. Salman, J. Li, I. Razenshteyn, P. Zhang, H. Zhang, S. Bubeck, and G. Yang, “Provably robust deep learning via adversarially trained smoothed classifiers,” Advances in Neural Information Processing Systems, vol. 32, 2019.
[4] J. Jeong, S. Park, M. Kim, H.-C. Lee, D.-G. Kim, and J. Shin, “Smoothmix: Training confidence-calibrated smoothed classifiers for certified robustness,” Advances in Neural Information Processing Systems, vol. 34, pp. 30153–30168, 2021.
[5] N. Carlini, F. Tramer, K. D. Dvijotham, L. Rice, M. Sun, and J. Z. Kolter, “(certified!!) adversarial robustness for free!,” in The Eleventh International Conference on Learning Representations, 2023.\

Could this technique be adapted to incorporate additional training data (like DDS) to improve its performance on large-scale datasets like ImageNet?
Thanks for your reviews and this is a great question! Indeed, our proposed mechanisms can incorporate other mechanisms into two ways: first, we can adopt more tight Lipschitz constrained training to achieve a relatively small local Lipschitz constant of the first half of the network; secondly, we can natural apply the randomized smoothing based mechanisms on the second half of the neural networks, such as adversarial smoothing [1], mixsmoothing [2] or denoising diffusion models [3]. For instance, as we stated in Appendix B, Carlini et al. [3] proposes a denosing mechanism using a diffusion model, which achieves the state-of-the-art. Our SPLITZ classifier contains two parts, left part is constrained by a small local Lipschitz constant while right part is smoothed by noise, which is same as a randomized smoothing based mechanism. Thus, our model can easily add a diffusion denoising model after the noise layer (after $f_L(x)+\delta$) and then feed the denoised samples into the $f_{R}$. Similarly, for adversarial smoothing or mixsmoothing, SPLITZ is adaptable to feed either adversarial examples ($f_L(x')+\delta$) or mixup samples ($f_L(\tilde x)+\delta$) respectively to the right half of the classifier $f_R$.

Best regards,

The Authors

[1] H. Salman, J. Li, I. Razenshteyn, P. Zhang, H. Zhang, S. Bubeck, and G. Yang, “Provably robust deep learning via adversarially trained smoothed classifiers,” Advances in Neural Information Processing Systems, vol. 32, 2019.
[2] J. Jeong, S. Park, M. Kim, H.-C. Lee, D.-G. Kim, and J. Shin, “Smoothmix: Training confidence-calibrated smoothed classifiers for certified robustness,” Advances in Neural Information Processing Systems, vol. 34, pp. 30153–30168, 2021.
[3] N. Carlini, F. Tramer, K. D. Dvijotham, L. Rice, M. Sun, and J. Z. Kolter, “(certified!!) adversarial robustness for free!,” in The Eleventh International Conference on Learning Representations, 2023.

1. Can the authors be more specific about the unique conceptual novelty of this paper?
   We thank the reviewer for your comments and will include a citation and discussion of the work you mentioned [1]. Unlike the mechanisms previously mentioned, we propose measuring the $\gamma$-local Lipschitz constant of the first half of the network. This is because it can capture the local information specific to each individual input $x$. To enhance certified robustness, we have incorporated the local Lipschitz constant of the network's first half into the loss function as a regularization term. This approach aims to maintain a comparatively small local Lipschitz constant $L_{f_L}^{(\gamma)}(x) < 1$ for the network's first half, thereby increasing the certified radius. For example, in the CIFAR-10 datasets, the average local Lipschitz constant for the first half of the network is approximately 0.62. Furthermore, we have derived a closed-form expression for the certified radius based on the $\gamma$ local Lipschitz constant. To the best of our knowledge, this is the first systematic framework to combine the ideas of local Lipschitz constants with randomized smoothing.
2. From Table 3, it seems that DDS is better for smaller perturbations? Is it possible to make the proposed method achieve better results than DDS even for small perturbations?
   Thank you for your comments. As discussed in Section 4.1, we acknowledge that DDS exhibits superior performance on the ImageNet dataset for smaller values of $\epsilon$. This is attributed to the greater complexity of the ImageNet dataset, which poses challenges for SPLITZ in minimizing the local Lipschitz constant of the network's left half. As far as further possible improvements, it is absolutely possible to combine DDS (and other diffusion models) in the second half of the network. In fact, we have a detailed remark in Appendix B in our the original submission (copied below) which addresses this point:
   We claim that the SPLITZ mechanism is also compatible with other RS based certified robust techniques, such as adversarial smoothing [2], mixsmoothing [3] or denoising diffusion models [4]. As an example, Carlini et al. [4] propose a denosing mechanism using a diffusion model, which achieves the state-of-the-art. Our SPLITZ classifier contains two parts, left part is constrained by a small local Lipschitz constant while right part is smoothed by noise, which is same as a randomized smoothing based mechanism. Thus, our model can easily add a diffusion denoising model after the noise layer (after $f_L(x)+\delta$) and then feed the denoised samples into the $f_{R}$. Similarly, for adversarial smoothing or mixsmoothing, SPLITZ is adaptable to feed either adversarial examples $f_L(x')+\delta$ or mixup samples $f_L(\tilde x)+\delta$ respectively to the right half of the classifier $f_R$.
3. Why do not use the above Lipschitz networks for the first half and then integrate RS with the second half? How to compare such a network parameterization approach with the proposed method?
   Thank you for raising this interesting point. We fully agree that the existing techniques for any improvement in lowering the Lipschitz constants can be readily used (especially for the first half of the network). We do however, note that just minimizing the global Lipschitz constant alone is not necessarily sufficient to obtain high certified radius. As our results demonstrate (for instance, in Theorem 1, the certified radius is given by $\min(R_{f_R}(f_L) / L_{f_L}^{(\gamma)}, \gamma)$), that the local Lipschitz constant (for each input $x$) needs to be minimized in order to achieve a larger certified radius. Consequently, our approach is to minimize the local Lipschitz constant to less than one, rather than merely aiming for it to be equal to one. In the updated version, we will certainly mention the possibility of using specific architectures in the first half of the network that can further improve the robustness.

Best regards,

The authors

[1] H. Zeng, J. Su, and F. Huang, “Certified defense via latent space randomized smoothing with orthogonal encoders,” arXiv preprint arXiv:2108.00491, 2021.
[2] H. Salman, J. Li, I. Razenshteyn, P. Zhang, H. Zhang, S. Bubeck, and G. Yang, “Provably robust deep learning via adversarially trained smoothed classifiers,” Advances in Neural Information Processing Systems, vol. 32, 2019.
[3] J. Jeong, S. Park, M. Kim, H.-C. Lee, D.-G. Kim, and J. Shin, “Smoothmix: Training confidence-calibrated smoothed classifiers for certified robustness,” Advances in Neural Information Processing Systems, vol. 34, pp. 30153–30168, 2021.
[4] N. Carlini, F. Tramer, K. D. Dvijotham, L. Rice, M. Sun, and J. Z. Kolter, “(certified!!) adversarial robustness for free!,” in The Eleventh International Conference on Learning Representations, 2023.