In recent years, high-performance machine learning models have been employed in various control settings, including reinforcement learning for dynamic systems with uncertainty (Levine et al., 2016;Sutton and Barto, 2018) and autonomous driving (Bojarski et al., 2016;Wu et al., 2017). However, models such as neural networks have been shown to be vulnerable to adversarial attacks, which are imperceptibly small input data alterations maliciously designed to cause failure (Szegedy et al., 2014;Nguyen et al., 2015;Huang et al., 2017;Eykholt et al., 2018;Liu et al., 2019). This vulnerability makes such models unreliable for safety-critical control where guaranteeing robustness is necessary. In response, "adversarial training (AT)" (Kurakin et al., 2017;Goodfellow et al., 2015;Bai et al., 2022a,b;Zheng et al., 2020;Zhang et al., 2019) have been studied to alleviate the susceptibility. AT builds robust neural networks by training on adversarially attacked data.
A parallel line of work focuses on mathematically certified robustness (Anderson et al., 2020;Ma and Sojoudi, 2021;Anderson and Sojoudi, 2022a). Among these methods, "randomized smoothing (RS)" is a particularly popular one that seeks to achieve certified robustness by processing intentionally corrupted data at inference time (Cohen et al., 2019;Li et al., 2019;Pfrommer et al., 2023), and has recently been applied to robustify reinforcement learning-based control strategies (Kumar et al., 2022;Wu et al., 2022). The recent work (Anderson and Sojoudi, 2022b) has shown that "locally biased smoothing," which robustifies the model locally based on the input test datum, outperforms the traditional RS with fixed smoothing noise. However, Anderson and Sojoudi (2022b) only focus on binary classification problems, significantly limiting the applications. Moreover, Anderson and Sojoudi (2022b) rely on the robustness of a K-nearest-neighbor (K-NN) classifier, which suffers from a lack of representation power when applied to harder problems and becomes a bottleneck.
While some works have shown that there exists a fundamental trade-off between accuracy and robustness (Tsipras et al., 2019;Zhang et al., 2019), recent research has argued that it should be possible to simultaneously achieve robustness and accuracy on benchmark datasets (Yang et al., 2020). To this end, variants of AT that improve the accuracy-robustness trade-off have been proposed, including TRADES (Zhang et al., 2019), Interpolated Adversarial Training (Lamb et al., 2019), and many others (Raghunathan et al., 2020;Zhang and Wang, 2019;Tramèr et al., 2018;Balaji et al., 2019). However, even with these improvements, degraded clean accuracy is often an inevitable price of achieving robustness. Moreover, standard non-robust models often achieve enormous performance gains by pre-training on larger datasets, whereas the effect of pre-training on robust classifiers is less understood and may be less prominent (Chen et al., 2020;Fan et al., 2021).
This work makes a theoretically disciplined step towards robustifying models without sacrificing clean accuracy. Specifically, we build upon locally biased smoothing and replace its underlying K-NN classifier with a robust neural network that can be obtained via various existing methods. We then modify how the standard base model (a highly accurate but possibly non-robust neural network) and the robust base model are "mixed" accordingly. The resulting formulation, to be introduced in Section 3, is a convex combination of the output probabilities from the two base classifiers. We prove that, when the robust network has a bounded Lipschitz constant or is built via RS, the mixed classifier also has a closed-form certified robust radius. More importantly, our method achieves an empirical robustness level close to that of the robust base model while approaching the standard base model's clean accuracy. This desirable behavior significantly improves the accuracy-robustness trade-off, especially for tasks where standard models noticeably outperform robust models on clean data.
Note that we do not make any assumptions about how the standard and robust base models are obtained (can be AT, RS, or others), nor do we assume the adversarial attack type and budget. Thus, our mixed classification scheme can take advantage of pre-training on large datasets via the standard base classifier and benefit from ever-improving robust training methods via the robust base classifier.
The ℓ p norm is denoted by ∥•∥ p , while ∥•∥ p * denotes its dual norm. The matrix I d denotes the identity matrix in R d×d . For a scalar a, sgn(a) ∈ {-1, 0, 1} denotes its sign. For a natural number c, the set [c] is defined as {1, 2, . . . , c}. For an event A, the indicator function I(A) evaluates to 1 if A takes place and 0 otherwise. The notation P X∼S [A(X)] denotes the probability for an event A(X) to occur, where X is a random variable drawn from the distribution S. The normal distribution on R d with mean x and covariance Σ is written as N (x, Σ). We denote the cumulative distribution function of N (0, 1) on R by Φ and write its inverse function as Φ -1 .
Consider a model g : R d → R c , whose components are
where d is the dimension of the input and c is the number of classes. In this paper, we assume that g(•) does not have the desired level of robustness, and refer to it as a "standard model", as opposed to a "robust model" which we denote as h(•). We consider ℓ p norm-bounded attacks on differentiable neural networks. A classifier f : R d → [c], defined as f (x) = arg max i∈[c] g i (x), is considered robust against adversarial attacks at an input datum x ∈ R d if it assigns the same class to all perturbed inputs x + δ such that ∥δ∥ p ≤ ϵ, where ϵ ≥ 0 is the attack radius.
The fast gradient sign method (FGSM) and projected gradient descent (PGD) attacks based on differentiating the cross-entropy loss are highly effective and have been considered the most standard attacks for evaluating robust models (Madry et al., 2018;Goodfellow et al., 2015). To exploit the structures of the defense methods, adaptive attacks have also been introduced (Tramèr et al., 2020).
On the defense side, while AT (Madry et al., 2018) and TRADES (Zhang et al., 2019) have seen enormous success, such methods are often limited by a significantly larger amount of required training data (Schmidt et al., 2018) and a decrease in generalization capability. Initiatives that construct more effective training data via data augmentation (Rebuffi et al., 2021;Gowal et al., 2021) and generative models (Sehwag et al., 2022) have successfully produced more robust models. Improved versions of AT (Jia et al., 2022;Shafahi et al., 2019) have also been proposed.
Previous initiatives that aim to enhance the accuracy-robustness trade-off include using alternative attacks during training (Pang et al., 2022), appending early-exit side branches to a single network (Hu et al., 2020), and applying AT for regularization (Zheng et al., 2021). Moreover, ensemble-based defenses, such as random ensemble (Liu et al., 2018) and diverse ensemble (Pang et al., 2019;Alam et al., 2022), have been proposed. In comparison, this work considers two separate classifiers and uses their synergy to improve the accuracy-robustness trade-off, achieving higher performances.
Randomized smoothing, popularized by (Cohen et al., 2019), achieves robustness at inference time by replacing f
where S is a smoothing distribution. A common choice for S is a Gaussian distribution. Anderson and Sojoudi (2022b) have recently argued that data-invariant RS does not always achieve robustness. They have shown that in the binary classification setting, RS with an unbiased distribution is suboptimal, and an optimal smoothing procedure shifts the input point in the direction of its true class. Since the true class is generally unavailable, a "direction oracle" is used as a surrogate. This "locally biased smoothing" method is no longer randomized and outperforms traditional data-blind RS. The locally biased smoothed classifier, denoted h γ : R d → R, is obtained via the deterministic calculation h γ (x) = g(x) + γh(x)∥∇g(x)∥ p * , where h(x) ∈ {-1, 1} is the direction oracle and γ ≥ 0 is a trade-off parameter. The direction oracle should come from an inherently robust classifier (which is often less accurate). In (Anderson and Sojoudi, 2022b), this direction oracle is chosen to be a one-nearest-neighbor classifier.
Locally biased smoothing was designed for binary classification, restricting its practicality. Here, we first extend it to the multi-class setting by treating the output of each class, denoted as h γ i (x), independently, giving rise to:
Note that if ∥∇g i (x)∥ p * is large for some class i, then h γ smo1,i (x) can be large for class i even if both g i (x) and h i (x) are small, leading to incorrect predictions. To remove the effect of the gradient magnitude difference across the classes, we propose a normalized formulation as follows:
84 86 88 90 92 94 96 Clean accuracy of the mixed classifier 0 10 20 30 40 PGD10 attacked accuracy 1, No SoftMax ||∇gi(⋅)||p * , No SoftMax ||∇ max j gj(⋅)||p * , No SoftMax ||∇g(⋅)||p * ||∇h(⋅)||p * , No SoftMax 1, SoftMax
• "No Softmax" represents Option 1, i.e., use the logits for g(•) and h(•).
• "Softmax" represents Option 2, i.e., use the probabilities for g(•) and h(•).
• With the best formulation, high clean accuracy can be achieved with very little sacrifice on robustness.
Figure 1: Comparing the "attacked accuracy -clean accuracy" curves for various options for R i (x).
The parameter γ adjusts between clean accuracy and robustness. It holds that h γ smo2,i (x) ≡ g i (x) when γ = 0, and h γ smo2,i (x) → h i (x) when γ → ∞ for all x and all i. With the mixing procedure generalized to the multi-class setting, we now discuss the choice of the smoothing oracle h i (•). While K-NN classifiers are relatively robust and can be used as the oracle, their representation power is too weak. On the CIFAR-10 image classification task (Krizhevsky, 2012), K-NN only achieves around 35% accuracy on clean test data. In contrast, an adversarially trained ResNet can reach 50% accuracy on attacked test data (Madry et al., 2018). This lackluster performance of K-NN becomes a significant bottleneck in the accuracy-robustness trade-off of the mixed classifier. To this end, we replace the K-NN model with a robust neural network. The robustness of this network can be achieved via various methods, including AT, TRADES, and RS.
Further scrutinizing (2) leads to the question of whether ∥∇g i (x)∥ p * is the best choice for adjusting the mixture of g(•) and h(•). This gradient magnitude term is a result of Anderson and Sojoudi (2022b)'s assumption that h(x) ∈ {-1, 1}. Here, we no longer have this assumption. Instead, we assume both g(•) and h(•) to be differentiable. Thus, we generalize the formulation to
where R i (x) is an extra scalar term that can potentially depend on both ∇g i (x) and ∇h i (x) to determine the "trustworthiness" of the base classifiers. Here, we empirically compare four options for R i (x), namely, 1, ∥∇g i (x)∥ p * , ∥∇ max j g j (x)∥ p * , and
Another design question is whether g(•) and h(•) should be the pre-softmax logits or the postsoftmax probabilities. Note that since most attack methods are designed based on logits, the output of the mixed classifier should be logits rather than probabilities to avoid gradient masking, an undesirable phenomenon that makes it hard to evaluate the robustness properly. Thus, we have the following two options that make the mixed model compatible with existing gradient-based attacks:
1. Use the logits for both base classifiers, g(•) and h(•).
2. Use the probabilities for both base classifiers, and then convert the mixed probabilities back to logits. The required "inverse-softmax" operator is simply the natural logarithm.
Figure 1 visualizes the accuracy-robustness trade-off achieved by mixing logits or probabilities with different R i (x) options. Here, the base classifiers are a pair of standard and adversarially trained ResNet-18s. This "clean accuracy versus PGD 10 -attacked accuracy" plot concludes that R i (x) = 1 gives the best accuracy-robustness trade-off, and g(•) and h(•) should be probabilities. Appendix A in the supplementary materials confirms this selection by repeating Figure 1 with alternative model architectures, different robust base classifier training methods, and various attack budgets.
Our selection of R i (x) = 1 differs from R i (x) = ∥g i (x)∥ p * used in (Anderson and Sojoudi, 2022b). Intuitively, Anderson and Sojoudi (2022b) used linear classifiers to motivate estimating the base models' trustworthiness with their gradient magnitudes. When the base classifiers are highly nonlinear neural networks as in our case, while a base classifier's local Lipschitzness correlates with its robustness, its gradient magnitude is not always a good local Lipschitzness estimator. Additionally, Section 3.1 offers theoretical intuitions for selecting mixing probabilities over mixing logits.
With these design choices implemented, the formulation (3) can be re-parameterized as
where 4), which is a convex combination of base classifier probabilities, as our proposed mixed classifier. Note that (4) calculates the mixed classifier logits, acting as a drop-in replacement for existing models which usually produce logits. Removing the logarithm recovers the output probabilities without changing the predicted class.
In this section, we derive certified robust radii for the mixed classifier h α (•) introduced in (4), given in terms of the robustness properties of h(•) and the mixing parameter α. The results ensure that despite being more sophisticated than a single model, h α (•) cannot be easily conquered, even if an adversary attempts to adapt its attack methods to its structure. Such guarantees are of paramount importance for reliable deployment in safety-critical control applications.
Noticing that the base model probabilities satisfy 0 ≤ g i (•) ≤ 1 and 0 ≤ h i (•) ≤ 1 for all i, we introduce the following generalized and tightened notion of certified robustness.
Definition 1 Consider an arbitrary input x ∈ R d and let y = arg max i h i (x), µ ∈ [0, 1], and r ≥ 0. Then, h(•) is said to be certifiably robust at x with margin µ and radius r if h y (x + δ) ≥ h i (x + δ) + µ for all i ̸ = y and all δ ∈ R d such that ∥δ∥ p ≤ r.
, 1] and h(•) is certifiably robust at x with margin 1-α α and radius r, then the mixed classifier h α (•) is robust in the sense that
Proof Suppose that h(•) is certifiably robust at x with margin 1-α α and radius r.
Thus, it holds that h α y (x + δ) ≥ h α i (x + δ) for all i ̸ = y, and thus arg max i h α i (x + δ) = y = arg max i h i (x).
Intuitively, Definition 1 ensures that all points within a radius from a nominal point have the same prediction as the nominal point, with the difference between the top and runner-up probabilities no smaller than a threshold. For practical classifiers, the robust margin can be straightforwardly estimated by calculating the confidence gap between the predicted and the runner-up classes at an adversarial input obtained with strong attacks.
While most existing provably robust results consider the special case with zero margin, we will show that models built via common methods are also robust with non-zero margins. We specifically consider two types of popular robust classifiers: Lipschitz continuous models (Theorem 4) and RS models (Theorem 5). Here, Lemma 2 builds the foundation for proving these two theorems, which amounts to showing that Lipschitz and RS models are robust with non-zero margins and thus the mixed classifiers built with them are robust.
Lemma 2 provides further justifications for using probabilities instead of logits in the mixing operation. Intuitively, it holds that (1 -α)g i (•) is bounded between 0 and 1 -α, so as long as α is relatively large (specifically, at least 1 2 ), the detrimental effect of g(•)'s probabilities when subject to attack can be bounded and be overcome by h(•). Had we used the logits for g i (•), since this quantity cannot be bounded, it would have been much harder to overcome the vulnerability of g(•).
Since we do not make assumptions on the Lipschitzness or robustness of g(•), Lemma 2 is tight. To understand this, we suppose that there exists some i ∈ [c]\{y} and δ ̸ = 0 such that ∥δ∥ p ≤ r that make
In this case, it holds that h α y (x + δ) < h α i (x + δ), and thus arg max i h α i (x + δ) ̸ = arg max i h i (x).
Assumption 1 The classifier h(•) is robust in the sense that, for all i ∈ {1, 2, . . . , n}, h i (•) is ℓ p -Lipschitz continuous with Lipschitz constant Lip p (h i ).
Theorem 4 Suppose that Assumption 1 holds, and let x ∈ R d be arbitrary. Let y = arg max i h i (x).
Therefore, h(•) is certifiably robust at x with margin 1-α α and radius r α p (x). Hence, by Lemma 2, the claim holds.
We remark that the ℓ p norm that Theorem 4 certifies may be arbitrary (e.g., ℓ 1 , ℓ 2 , or ℓ ∞ ), so long as the Lipschitz constant of the robust network h(•) is computed with respect to the same norm.
Assumption 1 is not restrictive in practice. For example, Gaussian RS with smoothing variance σ 2 I d yields robust models with ℓ 2 -Lipschitz constant 2 /πσ 2 (Salman et al., 2019). Moreover, empirically robust methods such as AT and TRADES often train locally Lipschitz continuous models, even though there may not be closed-form theoretical guarantees.
Assumption 1 can be relaxed to the even less restrictive scenario of using local Lipschitz constants over a neighborhood (e.g., a norm ball) around a nominal input x (i.e., how flat h(•) is near x) as a surrogate for the global Lipschitz constants. In this case, Theorem 4 holds for all δ within this neighborhood. Specifically, suppose that for an arbitrary input x and an ℓ p attack radius ϵ, it holds that h y (x) -
for all i ̸ = y and all perturbations δ such that ∥δ∥ p ≤ ϵ. Furthermore, suppose that the robust radius r α p (x), as defined in (5) but use the local Lipschitz constant Lip x p as a surrogate to the global constant Lip p , is not smaller than ϵ. Then, if the robust base classifier h(•) is correct at the nominal point x, then the mixed classifier h α (•) is robust at x within the radius ϵ. The proof follows that of Theorem 4.
The relaxed Lipschitzness defined above can be estimated for practical differentiable classifiers via an algorithm similar to the PGD attack (Yang et al., 2020). Yang et al. ( 2020) also showed that many existing empirically robust models, including those trained with AT or TRADES, are in fact locally Lipschitz. Note that Yang et al. ( 2020) evaluated the local Lipschitz constants of the logits, whereas we analyze the probabilities, whose Lipschitz constants are much smaller. Therefore, Theorem 4 provides important insights into the empirical robustness of the mixed classifier.
An intuitive explanation of Theorem 4 is that if α → 1, then r α p (x) → min i̸ =y
Lip p (hy)+Lip p (h i ) , which is the standard Lipschitz-based robust radius of h(•) around x (see (Fazlyab et al., 2019;Hein and Andriushchenko, 2017) for further discussions on Lipschitz-based robustness). On the other hand, if α is too small in comparison to the relative confidence of h(•) and put an excess weight into the non-robust classifier g(•), namely, if there exists i ̸ = y such that α ≤ 1 1+hy(x)-h i (x) , then r α p (x) ≤ 0, and in this case, we cannot provide non-trivial certified robustness for h α (•). If h(•) is 100% confident in its prediction, then h y (x) -h i (x) = 1 for all i ̸ = y, and therefore this threshold value of α becomes 1 2 , leading to non-trivial certified radii for α > 1 2 . However, once we put over 1 2 of the weight into g(•), a nonzero radius around x is no longer certifiable. Since no assumptions on the robustness of g(•) around x have been made, this is intuitively the best one can expect. We now move on to tightening the certified radius in the special case when h(•) is an RS classifier and our robust radii are defined in terms of the ℓ 2 norm.
is not 0 almost everywhere or 1 almost everywhere.
Theorem 5 Suppose that Assumption 2 holds, and let x ∈ R d be arbitrary. Let y = arg max i h i (x) and y ′ = arg max i̸ =y h
The proof of Theorem 5 is provided in Appendix B in the supplementary materials.
To summarize our certified radii, Theorem 4 applies to very general Lipschitz continuous robust base classifiers h(•) and arbitrary ℓ p norms, whereas Theorem 5, applying to the ℓ 2 norm and RS base classifiers, strengthens the certified radius by exploiting the stronger Lipschitzness arising from the special structure and smoothness granted by Gaussian convolution operations. Theorems 4 and 5 guarantee that our proposed robustification cannot be easily circumvented by adaptive attacks.
We first use the CIFAR-10 dataset to evaluate the mixed classifier h α (•) with various values of α.
We use a ResNet18 model trained on unattacked images as the standard base model g(•) and use another ResNet18 trained on PGD 20 data as the robust base model h(•). We consider PGD 20 attacks that target g(•) and h(•) individually (abbreviated as STD and ROB attacks and can be regarded as transfer attacks), in addition to the adaptive PGD 20 attack generated using the end-to-end gradient of h α (•), denoted as the MIX attack.
The test accuracy of each mixed classifier is presented in Figure 2. As α increases, the clean accuracy of h α (•) converges from the clean accuracy of g(•) to the clean accuracy of h(•). In terms of attacked performance, when the attack targets g(•), the attacked accuracy increases with α. When the attack targets h(•), the attacked accuracy decreases with α, showing that the attack targeting h(•) becomes more benign when the mixed classifier emphasizes g(•). When the attack targets the mixed classifier h α (•), the attacked accuracy increases with α.
When α is around 0.5, the MIX-attacked accuracy of h α (•) quickly increases from near zero to more than 30% (two-thirds of h(•)'s attacked accuracy). This observation precisely matches the theoretical intuition from Theorem 4. Meanwhile, when α is greater than 0.5, the clean accuracy gradually decreases at a much slower rate, leading to the alleviated accuracy-robustness trade-off.
This difference in how clean and attacked accuracy change with α can be explained by the prediction confidence of the robust base classifier h(•). Specifically, Table 1 confirms that h(•) makes confident correct predictions even when under attack (average robust margin is 0.768). Moreover, h(•)'s robust margin follows a long-tail distribution: the median robust margin is 0.933, much larger than the 0.768 mean. Thus, most attacked inputs correctly classified by h(•) are highly confident (i.e., robust with large margins). As Lemma 2 suggests, such a property is precisely what the mixed classifier relies on. Intuitively, once α becomes greater than 0.5 and gives h(•) more authority over g(•), h(•) can use its confidence to correct g(•)'s mistakes under attack.
On the other hand, h(•) is unconfident when producing incorrect predictions on clean data, with the top two classes' output probabilities separated by merely 0.434. This probability gap again forms a long-tail distribution (the median is 0.378 which is less than the mean), confirming that h(•) rarely makes confident incorrect predictions. Now, consider clean data that g(•) correctly classifies and h(•) mispredicts. Recall that we assume g(•) to be more accurate but less robust, so this scenario should be common. Since g(•) is confident (average top two classes probability gap is 0.982) and h(•) is usually unconfident, even when α > 0.5 and g(•) has less authority than h(•) in the mixture, g(•) can still correct some of the mistakes from h(•).
0.0 0.2 0.4 0.5 0.6 0.8 1.0 α 0 10 20 30 40 50 60 70 80 90 100 Clean and PGD10 accuracy (%) In summary, h(•) is confident when making correct predictions on attacked data while being unconfident when misclassifying clean data, and such a confidence property is the key source of the mixed classifier's improved accuracy-robustness trade-off. Additional analyses in Appendix A with alternative base models imply that multiple existing robust classifiers share this benign confidence property and thus help the mixed classifier improve the trade-off.
Next, we visualize the certified robust radii presented in Theorem 4 and Theorem 5. Since a (Gaussian) RS model with smoothing covariance matrix σ 2 I d has an ℓ 2 -Lipschitz constant 2 /πσ 2 , such a model can be used to simultaneously visualize both theorems, with Theorem 5 giving tighter certificates of robustness. Note that RS models with a larger smoothing variance certify larger radii but achieve lower clean accuracy, and vice versa. Here, we consider the CIFAR-10 dataset and select g(•) to be a ConvNeXT-T model with a clean accuracy of 97.25%, and use the RS models presented in (Zhang et al., 2019) as h(•). For a fair comparison, we select an α value such that the clean accuracy of the constructed mixed classifier h α (•) matches that of another RS model h baseline (•) with a smaller smoothing variance. The expectation term in the RS formulation is approximated with the empirical mean of 10000 random perturbations drawn from N (0, σ 2 I d ), and the certified radii of h baseline (•) are calculated using Theorems 4 and 5 by setting α to 1. Figure 3 displays the calculated certified accuracy of h α (•) and h baseline (•) at various attack radii. The ordinate "Accuracy" at a given abscissa "ℓ 2 radius" reflects the percentage of the test data for which the considered model gives a correct prediction as well as a certified radius at least as large as the ℓ 2 radius under consideration.
In both subplots of Figure 3, the certified robustness curves of h α (•) do not connect to the clean accuracy when α → 0. This is because Theorems 4 and 5 both consider robustness with respect to h(•) and do not certify test inputs at which h(•) makes incorrect predictions, even though h α (•) may correctly predict some of these points. This is reasonable because we do not assume any robustness or Lipschitzness of g(•), and g(•) is allowed to be arbitrarily incorrect whenever the radius is non-zero.
The Lipschitz-based bound of Theorem 4 allows us to visualize the performance of the mixed classifier h α (•) when h(•) is an ℓ 2 -Lipschitz model. In this case, the curves associated with h α (•) and h baseline (•) intersect, with h α (•) achieving higher certified accuracy at larger radii and h baseline (•) certifying more points at smaller radii. Adjusting α and the Lipschitz constant of h(•) can change the location of this intersection while maintaining the clean accuracy. Thus, the mixed classifier allows for optimizing the certified accuracy at a particular radius without sacrificing clean accuracy.
The RS-based bound from Theorem 5 captures the behavior of the mixed classifier h α (•) when h(•) is an RS model. For both h α (•) and h baseline (•), the RS-based bounds certify larger radii than the corresponding Lipschitz-based bounds. Nonetheless, h baseline (•) can certify more points with the RS-based guarantee. Intuitively, this phenomenon suggests that RS models can yield correct but low-confidence predictions when under large-radius attack, and thus may not be best-suited for our mixing operation, which relies on robustness with non-zero margins. Meanwhile, Lipschitz models, a more general and common class of models, exploit the mixing operation more effectively. Moreover, as shown in Figure 2 and Table 1, empirically robust models often yield high-confidence correct predictions when under attack, making them more suitable to be used as h α (•)'s robust base classifier.
This work proposes to mix the predicted probabilities of an accurate classifier and a robust classifier to mitigate the accuracy-robustness trade-off. These two base classifiers can be pre-trained, and the resulting mixed classifier requires no additional training. Theoretical results certify that the mixed classifier inherits the robustness of the robust base model under realistic assumptions. Empirical evaluations show that our method approaches the high accuracy of the latest standard models while retaining the robustness of modern robust classification methods. Hence, this work provides a foundation for future research to focus on either accuracy or robustness without sacrificing the other, providing additional incentives for deploying robust models in safety-critical control. Appendix A. Additional Empirical Support for R i (x) = 1
Finally, we use additional empirical evidence (Figures 4(a) and 4(b)) to show that R i (x) = 1 is the appropriate choice for the mixed classifier and that the probabilities should be used for the mixture. While most experiments in this paper are based on the popular ResNet architecture, our method does not depend on any ResNet properties. Therefore, for the experiment in Figure 4(a), we select a more modern ConvNeXT-T model (Liu et al., 2022) pre-trained on ImageNet-1k as an alternative architecture for g(•). We also use a robust model trained via TRADES in place of an adversarially-trained network for h(•) for the interest of diversity. Additionally, although most of our experiments are based on ℓ ∞ attacks, the proposed method applies to all ℓ p attack budgets.
In Figure 4(b), we provide an example that considers the ℓ 2 attack. The experiment settings are summarized in Table 2.
Figures 4(a) and 4(b) confirm that setting R i (x) to the constant 1 achieves the best trade-off curve between clean and attacked accuracy, and that mixing the probabilities outperforms mixing the logits. This result aligns with the conclusions of Figure 1 and our theoretical analyses.
For all three cases listed in Table 2, the mixed classifier reduces the error rate of h(•) on clean data by half while maintaining 80% of h(•)'s attacked accuracy. This observation suggests that the mixed classifier noticeably alleviates the accuracy-robustness trade-off. Additionally, our method is especially suitable for applications where the clean accuracy gap between g(•) and h(•) is large. On easier datasets such as MNIST and CIFAR-10, this gap has been greatly reduced by the latest advancements in constructing robust classifiers. However, on harder tasks such as CIFAR-100 and ImageNet-1k, this gap is still large, even for state-of-the-art methods. For these applications, standard classifiers often benefit much more from pre-training on larger datasets than robust models.