Getting a-Round Guarantees: Floating-Point Attacks on Certified Robustness. (arXiv:2205.10159v1 [cs.CR])

Adversarial examples pose a security risk as they can alter a classifier's
decision through slight perturbations to a benign input. Certified robustness
has been proposed as a mitigation strategy where given an input $x$, a
classifier returns a prediction and a radius with a provable guarantee that any
perturbation to $x$ within this radius (e.g., under the $L_2$ norm) will not
alter the classifier's prediction. In this work, we show that these guarantees
can be invalidated due to limitations of …

attacks certified