Denoised-Smoothing-TF
Minimal implementation of Denoised Smoothing: A Provable Defense for Pretrained Classifiers in TensorFlow.
Denoised Smoothing is a simple and elegant way to (provably) robustify pre-trained image classification models (including the cloud APIs with only query access) and l2 adversarial attacks. This blog post provides a nice introduction to the method. The figure below summarizes what Denoised Smoothing is and how it works:
- Take a pre-trained classifier and prepend a pre-trained denoiser with it. Of course, the dataset on which the classifier and the denoiser would need to be trained on the same/similar dataset.
- Apply Randomized Smoothing.
Randomized Smoothing is a well-tested method to provably defend against l2 adversarial attacks under a specific radii. But it assumes that a classifier performs well under Gaussian noisy perturbations which may not always be the case.
Note: I utilized many scripts from the official repository of Denoised Smoothing to develop this repository. My aim with this repository is to provide a template for researchers to conduct certification tests with Keras/TensorFlow models. I encourage the readers to check out the original repository, it's really well-developed.
Further notes
- The Denoised Smoothing process is demonstrated on the CIFAR-10 dataset.
- You can train a classifier quickly with the
Train_Classifier.ipynbnotebook. - Training the denoiser is demonstrated in the
Train_Denoiser.ipynbnotebook. - Certification tests are in
Certification_Test.ipynbnotebook.
All the notebooks can be executed on Colab! You also have the option to train using the free TPUs.
Results
| Denoiser with stability objective | Denoiser with MSE objective |
|---|---|
 |
 |
As we can see prepending a pre-trained denoiser is extremely helpful for our purpose.
Models
The models are available inside models.tar.gz in the SavedModel format. In the interest of reproducibility, the initial model weights are also provided.
Acknowledgements
- Hadi Salman (first author of Denoised Smoothing) for fruitful discussions.
- ML-GDE program for providing GCP credits.
Paper citation
@inproceedings{NEURIPS2020_f9fd2624,
author = {Salman, Hadi and Sun, Mingjie and Yang, Greg and Kapoor, Ashish and Kolter, J. Zico},
booktitle = {Advances in Neural Information Processing Systems},
editor = {H. Larochelle and M. Ranzato and R. Hadsell and M. F. Balcan and H. Lin},
pages = {21945--21957},
publisher = {Curran Associates, Inc.},
title = {Denoised Smoothing: A Provable Defense for Pretrained Classifiers},
url = {https://proceedings.neurips.cc/paper/2020/file/f9fd2624beefbc7808e4e405d73f57ab-Paper.pdf},
volume = {33},
year = {2020}
}
![A repository that shares tuning results of trained models generated by TensorFlow / Keras. Post-training quantization (Weight Quantization, Integer Quantization, Full Integer Quantization, Float16 Quantization), Quantization-aware training. TensorFlow Lite. OpenVINO. CoreML. TensorFlow.js. TF-TRT. MediaPipe. ONNX. [.tflite,.h5,.pb,saved_model,tfjs,tftrt,mlmodel,.xml/.bin, .onnx]](https://user-images.githubusercontent.com/33194443/104581604-2592cb00-56a2-11eb-9610-5eaa0afb6e1f.png)
2.4k Jan 5, 2023
188 Dec 29, 2022
54 Nov 25, 2022
0 Oct 31, 2021
12 Nov 14, 2022
1 Dec 28, 2021
4 Aug 24, 2022
24 Dec 21, 2022
605 Jan 2, 2023
16 Oct 6, 2022
72 Dec 16, 2022
202 Dec 13, 2022
20 Dec 2, 2022
46 Sep 13, 2022
83 Dec 14, 2022
1.1k Dec 27, 2022
3 Aug 17, 2022
3 Aug 3, 2022
43 Jan 8, 2023