What problem does this paper attempt to address?

### The problems the paper attempts to solve This paper aims to address the security threats of neural networks when facing adversarial samples. Specifically, the goal of the paper is to construct a neural network model that has both high accuracy and certified probability robustness. Current methods are usually divided into two categories: 1. **Adversarial training**: This method improves the empirical robustness of the model by using a mixture of normal and adversarial samples during the training process. Although adversarial training can improve the robustness of the model, it cannot provide a certified guarantee of the model's robustness and is vulnerable to new attack methods. 2. **Certified training**: This method provides certification of the model's robustness by incorporating robustness verification techniques during the training process. Although certified training can provide robustness certification, it usually leads to a significant decrease in the model's accuracy. The paper proposes a new method that aims to achieve both high accuracy and certified probability robustness simultaneously. Specifically, this method consists of two parts: - **Probabilistic robust training method**: Improve the robustness of the model by minimizing the variance of prediction results on similar inputs. - **Runtime inference method**: During the inference stage, provide the model's probabilistic robustness certification by considering the input and samples within its neighborhood. ### Method overview #### 1. Probabilistic robust training method This method improves the robustness of the model by minimizing the prediction variance of the model between different inputs within the same neighborhood. Specifically, the training objective can be expressed as the following optimization problem: \[ \min_{h} \mathbb{E}_{x \sim D} \left[ \mathbb{E}_{t \sim U(B(x))} [\ell(h(t), G_t)] + \lambda \cdot \text{Var}_{t \sim U(B(x))} [\ell(h(t), G_t)] \right] \] where: - \(\mathbb{E}_{x \sim D}\) represents the expectation of sampling input \(x\) from the data distribution \(D\). - \(\mathbb{E}_{t \sim U(B(x))}\) represents the expectation of uniformly sampling \(t\) within the neighborhood \(B(x)\) of input \(x\). - \(\ell(h(t), G_t)\) is the loss function, which measures the deviation between the model prediction \(h(t)\) and the true label \(G_t\). - \(\text{Var}_{t \sim U(B(x))} [\ell(h(t), G_t)]\) is the variance of the loss function. - \(\lambda\) is a weighting parameter that balances the two terms. By minimizing the above objective function, the model can not only improve its robustness against adversarial samples but also maintain high accuracy. #### 2. Runtime inference method During the inference stage, this method provides the model's probabilistic robustness certification by considering the input and samples within its neighborhood. Specifically, for any input \(x\) and model \(h\), the inference method can be expressed as: \[ h^*(x) := (h * B)(x) := \int_X h(\tau) I(x - \tau \in B(x)) d\tau \] where: - \(h^*\) represents the model based on the proposed inference method. - \(B(x)\) is the neighborhood of input \(x\). - \(I(\phi)\) is an indicator function that returns 1 when the condition \(\phi\) is true and 0 otherwise. To implement this inference method, Algorithm 2 provides a step - by - step implementation scheme. This method samples multiple samples within the neighborhood of input \(x\) and makes the final prediction based on the prediction results of the majority of samples. In this way, the model will only make an error when more than half of the sampled samples are mis - predicted. ### Experimental results The paper demonstrates the effectiveness of this method by training the model on multiple standard benchmark datasets and comparing it with existing state - of - the - art methods. The experimental results show that this method significantly improves the adversarial accuracy and the certified robustness rate while maintaining a relatively high standard accuracy. ### Summary The paper proposes a new...