Leaderboard
This page keeps track of the highest certified accuracy reported by existing papers.
The papers that are not published on conferences or journals, such as preprints, are in gray text.
For probabilistic certification, we only take the results into account if certification confidence
Showing 1 to 12 of 12 entries
Showing 1 to 14 of 14 entries
Showing 1 to 14 of 14 entries
Showing 1 to 13 of 13 entries
| Rank | Paper Name | Reported Certified Accuracy | Certification Type | Venue | Comment |
|---|---|---|---|---|---|
| 1 | Expressive Losses for Verified Robustness via Convex Combinations | 26.39% | Deterministic | ICLR 2024 | Approach name: CC-IBP |
| 2 | Rethinking Lipschitz Neural Networks and Certified Robustness: A Boolean Function Perspective | 18.18% | Deterministic | NeurIPS 2022 | SortNet+MLP (2x larger) |
| 3 | Automatic Perturbation Analysis for Scalable Certified Robustness and Beyond | 15.86% | Deterministic | NeurIPS 2020 | |
| 4 | Scalable verified training for provably robust image classification | 14.85% | Deterministic | ICCV 2019 | WideResNet, reported by Auto-LiRPA paper |
Showing 1 to 4 of 4 entries
| Rank | Paper Name | Reported Certified Accuracy | Certification Type | Venue | Comment |
|---|---|---|---|---|---|
| 1 | Expressive Losses for Verified Robustness via Convex Combinations | 13.30% | Deterministic | ICLR 2024 | Approach name: Exp-IBP |
| 2 | Rethinking Lipschitz Neural Networks and Certified Robustness: A Boolean Function Perspective | 9.54% | Deterministic | NeurIPS 2022 | SortNet+MLP (2x larger) |
| 3 | Automatic Perturbation Analysis for Scalable Certified Robustness and Beyond | 8.73% | Deterministic | NeurIPS 2020 | |
| 4 | Scalable verified training for provably robust image classification | 6.13% | Deterministic | ICCV 2019 | based on arXiv version (1810.12715) |
Showing 1 to 4 of 4 entries
| Rank | Paper Name | Reported Certified Accuracy | Certification Type | Venue | Comment |
|---|---|---|---|---|---|
| 1 | Provably robust deep learning via adversarially trained smoothed classifiers | 38.2% | Probabilistic | NeurIPS 2019 | translated from |
| 2 | Certified adversarial robustness via randomized smoothing | 28.6% | Probabilistic | ICML 2019 | translated from |
Showing 1 to 2 of 2 entries
| Rank | Paper Name | Reported Certified Accuracy | Certification Type | Venue | Comment |
|---|---|---|---|---|---|
| 1 | Provably Adversarially Robust Nearest Prototype Classifiers | 73.0% | Deterministic | ICML 2022 | Non-neural-network approach |
| 2 | SmoothMix: training confidence-calibrated smoothed classifiers for certified robustness | 70.7% | Probabilistic | NeurIPS 2021 | under larger attack radius |
| 3 | Consistency regularization for certified robustness of smoothed classifiers | 70.5% | Probabilistic | NeurIPS 2020 | under larger attack radius |
| 4 | Second-Order Provable Defenses against Adversarial Attacks | 69.79% | Deterministic | ICML 2020 | ! a loose certification --- certified accuracy against only the class with second largest logit, but not all non-ground-truth classes; non-relu neural networks |
| 5 | Certified adversarial robustness with additive noise | 69.0% | Probabilistic | NeurIPS 2019 | |
| 6 | Globally-robust neural networks | 62.8% | Deterministic | ICML 2021 | |
| 7 | Lipschitz-certifiable training with a tight outer bound | 47.95% | Deterministic | NeurIPS 2020 | |
| 8 | Scaling provable adversarial defenses | 44.53% | Deterministic | NeurIPS 2018 |
Showing 1 to 8 of 8 entries
| Rank | Paper Name | Reported Certified Accuracy | Certification Type | Venue | Comment |
|---|---|---|---|---|---|
| 1 | A Recipe for Improved Certifiable Robustness: Capacity and Data | 78.1% | Deterministic | *preprint | |
| 2 | Scaling in Depth: Unlocking Robustness Certification on ImageNet | 70.1% | Deterministic | NeurIPS 2023 | With data-agumentation using a DDPM model. Without the DDPM augmentation for the dataset, it reports 66.9%. |
| 3 | Raising the Bar for Certified Adversarial Robustness with Diffusion Models | 69.05% | Deterministic | *preprint | LOT with EDM-generated data |
| 4 | Certified adversarial robustness with additive noise | 65.6% | Probabilistic | NeurIPS 2019 | |
| 5 | LOT: Layer-wise Orthogonal Training on Improving l2 Certified Robustness | 64.49% | Deterministic | NeurIPS 2022 | |
| 6 | Householder activations for provable robustness against adversarial attacks | 62.96% | Deterministic | ICLR 2022 | |
| 7 | Orthogonalizing convolutional layers with the cayley transform | 59.16% | Deterministic | ICLR 2021 | |
| 8 | Globally-robust neural networks | 58.4% | Deterministic | ICML 2021 | "Scaling in Depth: Unlocking Robustness Certification on ImageNet" reproduced 60.0% |
| 9 | Scaling provable adversarial defenses | 51.96% | Deterministic | NeurIPS 2018 | |
| 10 | Lipschitz-certifiable training with a tight outer bound | 51.30% | Deterministic | NeurIPS 2020 |
Showing 1 to 10 of 10 entries
Many records from CIFAR-10,
Showing 1 to 12 of 12 entries
Showing 1 to 11 of 11 entries
| Rank | Paper Name | Reported Certified Accuracy | Certification Type | Venue | Comment |
|---|---|---|---|---|---|
| 1 | On the certified robustness for ensemble models and beyond | 20.3% | Probabilistic | ICLR 2022 | |
| 2 | Boosting Randomized Smoothing with Variance Reduced Classifiers | 19.8% | Probabilistic | ICLR 2022 | From Table 8 |
| 3 | Consistency regularization for certified robustness of smoothed classifiers | 19.5% | Probabilistic | NeurIPS 2020 | |
| 4 | Provably robust deep learning via adversarially trained smoothed classifiers | 19% | Probabilistic | NeurIPS 2019 | combine adversarial training, self-training, and unlabeled data |
| 5 | Macer: attack-free and scalable robust training via maximizing certified radius | 19% | Probabilistic | ICLR 2020 |
Showing 1 to 5 of 5 entries
Showing 1 to 12 of 12 entries
Showing 1 to 10 of 10 entries
| Rank | Paper Name | Reported Certified Accuracy | Certification Type | Venue | Comment |
|---|---|---|---|---|---|
| 1 | Improved, deterministic smoothing for l1 certified robustness | 63.07% | Deterministic | ICML 2021 | |
| 2 | Randomized smoothing of all shapes and sizes | 63% | Probabilistic | ICML 2020 | combine adversarial training, self-training, and unlabeled data |
| 3 | L1 adversarial robustness certificates: a randomized smoothing approach | 39% | Probabilistic | *preprint | parse from Figure 6 |
| 4 | Black-box certification with randomized smoothing: A functional optimization based framework | 34% | Probabilistic | NeurIPS 2020 | |
| 5 | Certified robustness to adversarial examples with differential privacy | 18% | Probabilistic | S&P 2019 | parse from Figures 7 and 8 of this paper since the original paper does not provide certified accuray under this setting |
Showing 1 to 5 of 5 entries
| Rank | Paper Name | Reported Certified Accuracy | Certification Type | Venue | Comment |
|---|---|---|---|---|---|
| 1 | Improved, deterministic smoothing for l1 certified robustness | 51.33% | Deterministic | ICML 2021 | |
| 2 | Randomized smoothing of all shapes and sizes | 48% | Probabilistic | ICML 2020 | combine adversarial training, self-training, and unlabeled data |
| 3 | Black-box certification with randomized smoothing: A functional optimization based framework | 17% | Probabilistic | NeurIPS 2020 | |
| 4 | L1 adversarial robustness certificates: a randomized smoothing approach | 16% | Probabilistic | *preprint | parse from Figure 6 |
| 5 | Certified robustness to adversarial examples with differential privacy | 5% | Probabilistic | S&P 2019 | parse from Figures 7 and 8 of this paper since the original paper does not provide certified accuray under this setting |
Showing 1 to 5 of 5 entries
| Rank | Paper Name | Reported Certified Accuracy | Certification Type | Venue | Comment |
|---|---|---|---|---|---|
| 1 | Randomized smoothing of all shapes and sizes | 55% | Probabilistic | ICML 2020 | combine adversarial training, self-training, and unlabeled data |
| 2 | Improved, deterministic smoothing for l1 certified robustness | 49% | Deterministic | ICML 2021 | |
| 3 | Black-box certification with randomized smoothing: A functional optimization based framework | 42% | Probabilistic | NeurIPS 2020 | |
| 4 | L1 adversarial robustness certificates: a randomized smoothing approach | 40% | Probabilistic | *preprint | parse from Figure 6 |
| 5 | Certified robustness to adversarial examples with differential privacy | 25% | Probabilistic | S&P 2019 | parse from Figures 7 and 8 of this paper since the original paper does not provide certified accuray under this setting |
Showing 1 to 5 of 5 entries
| Rank | Paper Name | Reported Certified Accuracy | Certification Type | Venue | Comment |
|---|---|---|---|---|---|
| 1 | Randomized smoothing of all shapes and sizes | 48% | Probabilistic | ICML 2020 | combine adversarial training, self-training, and unlabeled data |
| 2 | Improved, deterministic smoothing for l1 certified robustness | 45% | Deterministic | ICML 2021 | |
| 3 | Black-box certification with randomized smoothing: A functional optimization based framework | 30% | Probabilistic | NeurIPS 2020 | |
| 4 | L1 adversarial robustness certificates: a randomized smoothing approach | 26% | Probabilistic | *preprint | parse from Figure 6 |
| 5 | Certified robustness to adversarial examples with differential privacy | 16% | Probabilistic | S&P 2019 | parse from Figures 7 and 8 of this paper since the original paper does not provide certified accuray under this setting |
Showing 1 to 5 of 5 entries
- Want to announce your awesome SOTA result, add new leaderboard settings, or report a bug?
Feel free to directly edit _data/board.yml in the website repo and send a pull request.