{"day":"09","publication":"Applied Intelligence","publisher":"Springer Nature","language":[{"iso":"eng"}],"author":[{"first_name":"Yaniv","last_name":"Nemcovsky","full_name":"Nemcovsky, Yaniv"},{"last_name":"Zheltonozhskii","first_name":"Evgenii","full_name":"Zheltonozhskii, Evgenii"},{"full_name":"Baskin, Chaim","first_name":"Chaim","last_name":"Baskin"},{"full_name":"Chmiel, Brian","last_name":"Chmiel","first_name":"Brian"},{"first_name":"Alexander","orcid":"0000-0001-9699-8730","last_name":"Bronstein","full_name":"Bronstein, Alexander","id":"58f3726e-7cba-11ef-ad8b-e6e8cb3904e6"},{"full_name":"Mendelson, Avi","first_name":"Avi","last_name":"Mendelson"}],"article_type":"original","doi":"10.1007/s10489-022-03423-5","month":"08","oa_version":"None","status":"public","publication_status":"published","citation":{"ama":"Nemcovsky Y, Zheltonozhskii E, Baskin C, Chmiel B, Bronstein AM, Mendelson A. Adversarial robustness via noise injection in smoothed models. <i>Applied Intelligence</i>. 2022;53(8):9483-9498. doi:<a href=\"https://doi.org/10.1007/s10489-022-03423-5\">10.1007/s10489-022-03423-5</a>","chicago":"Nemcovsky, Yaniv, Evgenii Zheltonozhskii, Chaim Baskin, Brian Chmiel, Alex M. Bronstein, and Avi Mendelson. “Adversarial Robustness via Noise Injection in Smoothed Models.” <i>Applied Intelligence</i>. Springer Nature, 2022. <a href=\"https://doi.org/10.1007/s10489-022-03423-5\">https://doi.org/10.1007/s10489-022-03423-5</a>.","short":"Y. Nemcovsky, E. Zheltonozhskii, C. Baskin, B. Chmiel, A.M. Bronstein, A. Mendelson, Applied Intelligence 53 (2022) 9483–9498.","ieee":"Y. Nemcovsky, E. Zheltonozhskii, C. Baskin, B. Chmiel, A. M. Bronstein, and A. Mendelson, “Adversarial robustness via noise injection in smoothed models,” <i>Applied Intelligence</i>, vol. 53, no. 8. Springer Nature, pp. 9483–9498, 2022.","ista":"Nemcovsky Y, Zheltonozhskii E, Baskin C, Chmiel B, Bronstein AM, Mendelson A. 2022. Adversarial robustness via noise injection in smoothed models. Applied Intelligence. 53(8), 9483–9498.","mla":"Nemcovsky, Yaniv, et al. “Adversarial Robustness via Noise Injection in Smoothed Models.” <i>Applied Intelligence</i>, vol. 53, no. 8, Springer Nature, 2022, pp. 9483–98, doi:<a href=\"https://doi.org/10.1007/s10489-022-03423-5\">10.1007/s10489-022-03423-5</a>.","apa":"Nemcovsky, Y., Zheltonozhskii, E., Baskin, C., Chmiel, B., Bronstein, A. M., &#38; Mendelson, A. (2022). Adversarial robustness via noise injection in smoothed models. <i>Applied Intelligence</i>. Springer Nature. <a href=\"https://doi.org/10.1007/s10489-022-03423-5\">https://doi.org/10.1007/s10489-022-03423-5</a>"},"date_published":"2022-08-09T00:00:00Z","issue":"8","user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","title":"Adversarial robustness via noise injection in smoothed models","_id":"18211","article_processing_charge":"No","date_updated":"2024-10-09T11:04:54Z","abstract":[{"lang":"eng","text":"Deep neural networks are known to be vulnerable to malicious perturbations. Current methods for improving adversarial robustness make use of either implicit or explicit regularization, with the latter is usually based on adversarial training. Randomized smoothing, the averaging of the classifier outputs over a random distribution centered in the sample, has been shown to guarantee a classifier’s performance subject to bounded perturbations of the input. In this work, we study the application of randomized smoothing to improve performance on unperturbed data and increase robustness to adversarial attacks. We propose to combine smoothing along with adversarial training and randomization approaches, and find that doing so significantly improves the resilience compared to the baseline. We examine our method’s performance on common whitebox (FGSM, PGD) and black-box (transferable attack and NAttack) attacks on CIFAR-10 and CIFAR-100, and determine that for a low number of iterations, smoothing provides a significant performance boost that persists even for perturbations with a high attack norm, . For example, under a PGD-10 attack on CIFAR-10 using Wide-ResNet28-4, we achieve 60.3% accuracy for infinity norm ∞ = 8/255 and 13.1% accuracy for ∞ = 35/255 – outperforming previous art by 3% and 6%, respectively. We achieve nearly twice the accuracy on ∞ = 35/255 and even more so for perturbations with higher infinity norm. A reference implementation of the proposed method is provided. "}],"scopus_import":"1","intvolume":"        53","extern":"1","date_created":"2024-10-08T12:47:53Z","type":"journal_article","volume":53,"page":"9483-9498","quality_controlled":"1","year":"2022","publication_identifier":{"issn":["0924-669X"],"eissn":["1573-7497"]}}