Randomized Smoothing (RS), being one of few provable defenses, has been showing great effectiveness and scalability in terms of defending against $\ell_2$-norm adversarial perturbations. However, the cost of MC sampling needed in RS for evaluation is high and computationally expensive. To address this issue, we investigate the possibility of performing randomized smoothing and establishing the robust certification in the latent space of a network, so that the overall dimensionality of tensors involved in computation could be drastically reduced. To this end, we propose Latent Space Randomized Smoothing. Another important aspect is that we use orthogonal modules, whose Lipschitz property is known for free by design, to propagate the certified radius estimated in the latent space back to the input space, providing valid certifiable regions for the test samples in the input space. Experiments on CIFAR10 and ImageNet show that our method achieves competitive certified robustness but with a significant improvement of efficiency during the test phase.

中文翻译：

---

通过使用正交编码器的潜在空间随机平滑进行认证防御

随机平滑 (RS) 是少数可证明的防御措施之一，在防御 $\ell_2$-norm 对抗扰动方面显示出极大的有效性和可扩展性。然而，RS 中用于评估所需的 MC 采样成本很高且计算成本很高。为了解决这个问题，我们研究了在网络的潜在空间中执行随机平滑和建立稳健证明的可能性，以便可以大大降低计算中涉及的张量的整体维数。为此，我们提出潜在空间随机平滑。另一个重要方面是我们使用正交模块，其 Lipschitz 特性在设计上是免费已知的，将潜在空间中估计的认证半径传播回输入空间，为输入空间中的测试样本提供有效的可认证区域。在 CIFAR10 和 ImageNet 上的实验表明，我们的方法实现了有竞争力的认证稳健性，但在测试阶段显着提高了效率。