MACER: Attack-free and Scalable Robust Training via Maximizing Certified Radius
Runtian Zhai*, Chen Dan*, Di He*, Huan Zhang, Boqing Gong, Pradeep Ravikumar, Cho-Jui Hsieh, Liwei Wang
To appear in ICLR 2020
Paper   Code
Adversarial training is one of the most popular ways to learn robust models but is usually attack-dependent and time costly. In this paper, we propose the MACER algorithm, which learns robust models without using adversarial training but performs better than all existing provable l2-defenses. Recent work shows that randomized smoothing can be used to provide certified l2 radius to smoothed classifiers, and our algorithm trains provably robust smoothed classifiers via MAximizing the CErtified Radius (MACER). The attack-free characteristic makes MACER faster to train and easier to optimize. Our experiments show that MACER runs faster than state-of-the-art adversarial training algorithms, and the learned models achieve larger average certified radius.
MACER Performance

Adversarially Robust Generalization Just Requires More Unlabeled Data
Runtian Zhai*, Tianle Cai*, Di He*, Chen Dan, Kun He, John E. Hopcroft, Liwei Wang
arXiv: 1906.00555   Code
Previous works show that significantly more labeled data is required to achieve adversarially robust generalization. In this paper, we show that just more unlabeled data is required. The key insight is based on a risk decomposition theorem, in which the expected robust risk is separated into two parts: the stability part which measures the prediction stability in the presence of perturbations, and the accuracy part which evaluates the standard classification accuracy. As the stability part does not depend on any label information, we can optimize this part using unlabeled data. Inspired by the theoretical findings, we further show that a practical adversarial training algorithm that leverages unlabeled data can improve adversarial robust generalization on MNIST and Cifar-10.
Core Idea
Tianle Cai
Chen Dan
Di He
Huan Zhang
NeurIPS 2019: