Certified Defenses and Randomized Smoothing

Bound propagation gives deterministic guarantees. But what if you’re willing to accept probabilistic ones? When networks grow large, deterministic verification becomes intractable. Randomized smoothing offers an alternative: probabilistic certification that scales where traditional verification hits its limits. This guide explores how probabilistic certification works, when it’s appropriate, and why the tradeoffs are different from deterministic methods.

The Certification Challenge at Scale

Deterministic verification methods face fundamental limits. As networks grow deeper and wider, the bounds propagated through layers become increasingly loose. Complete methods require exploring exponential decision trees. For very large networks—modern ResNets, transformers, large vision models—this is computationally infeasible.

Probabilistic certification approaches this differently. Instead of proving a property holds for all inputs in a region, randomized smoothing proves it holds for the vast majority with high statistical confidence. The guarantee is weaker in form, but the computational requirement is orders of magnitude lower.

The tradeoff is explicit: you exchange absolute certainty for tractability. Not all applications can accept probabilistic guarantees. Safety-critical systems often require deterministic certainty. But for many practical applications—model deployment, robustness evaluation, iterative improvement—probabilistic certification is both sufficient and practical.

When Probabilistic is Acceptable

Use probabilistic methods when: you need to certify large networks, computational budget is limited, or the application can accept high-confidence bounds rather than absolute guarantees. Avoid them when: failures have critical consequences, regulatory compliance requires determinism, or you need proof-level assurance.

Randomized Smoothing: The Core Idea

The insight behind randomized smoothing is elegant: add noise to your classifier and analyze the smoothed version. A classifier that predicts the same class regardless of small random perturbations must have some robustness—it’s tolerating the noise.

Here’s the concept: for an input \(x\), instead of classifying it directly, sample many noisy versions \(x + \varepsilon\) where \(\varepsilon\) is drawn from a Gaussian distribution. Classify each noisy input and return the majority prediction. This smoothed classifier, by construction, is robust to perturbations.

\[g(x) = \arg \max_{c} \mathbb{E}_{\varepsilon \sim N(0, \sigma^2 I)}[f(x + \varepsilon) = c]\]

The smoothed classifier \(g(x)\) returns the class that the base classifier \(f\) predicts most frequently under Gaussian noise.

The key guarantee comes from the Neyman-Pearson lemma, which provides a certificate: if the base classifier predicts class \(c_A\) with probability \(p_A\) and the runner-up class with probability \(p_B\), then the network is provably robust to perturbations up to a radius derived from these probabilities.

\[r = \frac{\sigma}{2} \left( \Phi^{-1}(p_A) - \Phi^{-1}(p_B) \right)\]

where \(\Phi^{-1}\) is the inverse Gaussian CDF. This radius represents the guaranteed perturbation distance—within this radius, no adversarial example exists.

What makes this powerful: the certificate is deterministic. You’re not claiming probabilistic robustness; you’re computing statistical confidence in class majorities, which then gives you a deterministic robustness radius. The randomness is in estimation, not in the final guarantee.

Hint

The certified radius depends on the margin between the top-two predicted classes. If your classifier is uncertain, the margin is small and the radius is tight. If predictions are confident, the margin is large and you get better certification. This creates natural incentive alignment: training for clean accuracy also helps certification.

Computing Certified Radii in Practice

Computing the certificate requires estimating \(p_A\) and \(p_B\)—the probabilities that the smoothed classifier predicts the top-two classes. You can’t enumerate all possible noise samples, so you use Monte Carlo estimation: sample many noisy versions, classify each, and count predictions.

The number of samples needed depends on your desired confidence level. If you want high confidence that your probability estimate is accurate, you need more samples. This is a statistical confidence interval problem.

For each class, estimate its probability as the fraction of samples predicting that class. Use the binomial confidence interval to determine how many samples you need. Generally, thousands to tens of thousands of samples per input are sufficient for strong confidence.

Once you have estimated \(\hat{p}_A\) and \(\hat{p}_B\), compute the certified radius using the empirical formula:

\[r_{\text{cert}} = \frac{\sigma}{2} \left( \Phi^{-1}(\hat{p}_A) - \Phi^{-1}(\hat{p}_B) \right)\]

Computational cost is linear in number of samples and samples per class. For moderate sample counts, this is feasible even for large networks—no bound propagation, no branch-and-bound exploration. Just forward passes.

Tip

Balance your sample count against your computational budget and confidence requirements. More samples → tighter confidence intervals → more reliable certificates. Fewer samples → faster certification → wider confidence margins. For rapid iteration, fewer samples suffice; for final certification, use more.

The Role of Noise Level

The noise standard deviation \(\sigma\) is a critical hyperparameter. Larger \(\sigma\) means you’re adding more noise, so the smoothed classifier must tolerate larger perturbations—yielding larger certified radii. But larger noise also reduces clean accuracy; the classifier sees noisier inputs and makes more mistakes.

This creates the fundamental tradeoff: increasing \(\sigma\) improves certified radius but hurts clean accuracy. You must find the sweet spot for your application.

Different applications need different noise levels. Computer vision might use \(\sigma\) values that slightly blur pixels. NLP tasks might use different perturbation semantics entirely. The key is that \(\sigma\) must be chosen before training to shape the model appropriately.

Choosing Noise Level

Select \(\sigma\) based on your application’s perturbation model. For vision, common values correspond to pixel-level noise. For other domains, think about what perturbations are physically meaningful. The larger your \(\sigma\), the larger your certified radius—but the higher your clean accuracy cost.

Training for Randomized Smoothing

Standard training doesn’t work well for randomized smoothing. A model trained on clean images will have poor accuracy when evaluated on noisy versions. You’ll get large certified radii but only for a small portion of inputs—most will fail the clean accuracy threshold.

The solution is noise augmentation training: train on inputs mixed with the same Gaussian noise you’ll use at certification time. For each batch, add noise to training examples and train the model to predict correctly on the noisy versions.

\[\mathcal{L} = \mathbb{E}_{x, y, \varepsilon}[L(f(x + \varepsilon), y)]\]

Training with noise augmentation directly prepares the model for the smoothing process. By seeing noisy inputs during training, the model learns to tolerate the noise and maintain reasonable accuracy even when noise is applied.

There’s also consistency regularization: adding an additional loss term that encourages the model to make similar predictions on original and noisy versions of the same input. This can improve certified robustness.

Hint

Train with the exact noise distribution you’ll use for certification. Mismatches between training and certification noise lead to pessimistic certificates. Noise augmentation is simple, but critical.

Comparing Certification Methods

Different noise distributions and estimation strategies exist. Gaussian smoothing is most common, but researchers have explored Laplace, uniform, and other distributions. Each has different properties regarding certified radius and computational efficiency.

Method	Noise Distribution	Certified Radius	Training Cost	Certification Cost
Randomized Smoothing (Gaussian)	Gaussian	Via Neyman-Pearson	Moderate (noise augmentation)	Low (Monte Carlo sampling)
Lipschitz-based Certification	N/A	Via Lipschitz constant	High (adversarial training)	Low (single forward pass)
Statistical Verification	Problem-specific	Varies	Varies	Variable

Gaussian smoothing is popular because the Neyman-Pearson connection is well-established and the certificates are relatively tight. Lipschitz-based methods might give larger certified radii in some cases but require expensive adversarial training.

Tip

For practical certification at scale, randomized smoothing with Gaussian noise is hard to beat. It’s simple to implement, theoretically grounded, and computationally efficient.

Other Probabilistic Certification Approaches

Beyond randomized smoothing, other probabilistic techniques exist.

Lipschitz-based certification: Compute or bound the Lipschitz constant of your network—the maximum rate of change. If you know \(L\), then input changes up to \(\varepsilon\) can cause output changes up to \(L \cdot \varepsilon\). This gives certified robustness without noise. But estimating tight Lipschitz constants requires expensive adversarial training.

Statistical verification: For properties involving probability distributions or empirical estimates, you can use statistical hypothesis testing. Rather than certifying all possible inputs, certify that the empirical risk (evaluated on test set) implies true risk bounds. Useful for fairness and bias properties.

Abstraction-based probabilistic methods: Some work uses learned approximations or abstract models that trade certainty for scalability. Less established than randomized smoothing but emerging in research.

Randomized smoothing remains dominant because it combines theoretical rigor, scalability, and ease of implementation.

Practical Usage and Limitations

Randomized smoothing scales well. Certification time is proportional to number of samples times network size—no exponential blowup. You can certify large ResNets, transformers, and other modern architectures in reasonable time.

But there are limitations. The certified radius depends heavily on the margin between top predicted classes. For inputs where the network is uncertain, margins are small and certificates are weak. Certification also requires many forward passes per input, so while asymptotically efficient, it’s slower than single-pass verification.

The method also makes assumptions: Gaussian noise must be appropriate for your domain. For images, it’s intuitive. For text or time series, you need to think carefully about what perturbations the noise represents.

Scenario	Recommendation	Reasoning
Certifying large vision models	Randomized smoothing	Scales well, minimal overhead
Safety-critical systems requiring absolute guarantees	Deterministic methods	Probabilistic bounds insufficient
Large networks with limited compute	Randomized smoothing	Most practical option
Small networks where completeness is feasible	Complete verification	Deterministic certainty possible
Development and iteration	Randomized smoothing + attacks	Fast feedback, reasonable confidence

Common Pitfalls

Misinterpreting the guarantee: Randomized smoothing provides a deterministic certified radius, not a probabilistic one. The radius is absolute—inputs within it are provably safe. What’s probabilistic is the estimation of the radius. Don’t confuse these.

Insufficient samples: Using too few Monte Carlo samples makes your confidence intervals wide. This doesn’t invalidate the certificate, but it means the certified radius is smaller than it could be with more samples. Insufficient sampling wastes the method’s potential.

Noise-accuracy mismatch: Training with different noise than certification uses leads to pessimistic certificates. The model hasn’t learned to handle the certification noise, so margins are smaller. Match training and certification noise exactly.

Ignoring clean accuracy: Randomized smoothing requires good clean accuracy. If your model is only correct on half your inputs, certificates on the other half are irrelevant. Train for both clean accuracy and robustness.

Inappropriate noise level: Noise level determines maximum possible certified radius. Too small and you get tight but short radii. Too large and clean accuracy suffers. Choose based on your application’s requirements.

Hint

Test your certification pipeline on a validation set before deployment. Verify that sample counts and noise levels give the radii you expect. Simulation catches implementation issues.

Randomized Smoothing vs Deterministic Verification

When should you use randomized smoothing instead of deterministic verification?

Use randomized smoothing when: - Networks are very large (hundreds of millions of parameters) - Computational budget is limited - You need to certify many inputs quickly - Probabilistic confidence is acceptable for your application - The perturbation model is well-understood (e.g., pixel noise)

Use deterministic verification when: - Network is small enough for practical complete verification - Safety regulations require absolute guarantees - Probabilistic bounds are unacceptable - You need to explore which properties can/cannot be proven

In practice, they complement each other. Use randomized smoothing for fast empirical certification, then verify critical regions with deterministic methods. Use both to get comprehensive confidence in your system’s robustness.

Final Thoughts

Randomized smoothing brings certification to the scale of modern networks. By accepting probabilistic estimation of deterministic guarantees, you gain orders-of-magnitude speedup compared to deterministic methods. The certificates are rigorous, the training is straightforward, and implementation is accessible.

The method has limitations—it requires careful choice of noise level and sample count—but for practitioners certifying large networks in reasonable time, it’s often the right choice. Understanding when to use randomized smoothing, when to combine it with deterministic methods, and when to fall back to faster attacks is part of building robust and verified systems.

The field continues improving. Tighter estimation techniques reduce required samples. New noise distributions optimize for different domains. The combination of randomized and deterministic methods gives flexibility to handle diverse applications.

Note

Further reading:

• Certified Adversarial Robustness via Randomized Smoothing (ICML 2019) - Original randomized smoothing work by Cohen et al.

• Leveraging Diversity for Certified Robustness via Randomized Smoothing - Extensions and variants

• Statistical Verification (ICML 2017) - Statistical approaches to certification

• Related: Soundness and Completeness in Neural Network Verification for understanding guarantee types

• Related: Training Robust and Verifiable Neural Networks for preparation strategies