Randomized smoothing is a defense mechanism that transforms an arbitrary base classifier into a certifiably robust one by injecting isotropic Gaussian noise into inputs and taking a majority vote over the noisy predictions. This creates a smoothed classifier with a formal guarantee that its prediction remains constant within a mathematically defined L2 radius around the input.
Glossary
Randomized Smoothing

What is Randomized Smoothing?
A probabilistic technique that constructs a certifiably robust classifier from any base model by adding Gaussian noise to inputs and aggregating predictions.
The certified radius is derived from the statistical confidence of the majority class under noise, computed via the Neyman-Pearson lemma. Unlike empirical defenses such as adversarial training, randomized smoothing provides a provable lower bound on robustness that holds against any attack within the certified norm ball, independent of the base model's architecture.
Key Features of Randomized Smoothing
Randomized smoothing constructs a certifiably robust classifier by adding Gaussian noise to inputs and aggregating predictions. This section breaks down the core components that make this defense provable, scalable, and practical.
Gaussian Noise Augmentation
The foundational mechanism of randomized smoothing involves adding isotropic Gaussian noise to the input before classification. This creates a smoothed classifier that returns the most likely prediction under the noise distribution.
- The noise level σ (sigma) is a critical hyperparameter controlling the robustness/accuracy trade-off
- Higher σ values provide larger certified radii but degrade standard accuracy
- The smoothed classifier is defined as:
g(x) = argmax P(f(x + ε) = c)whereε ~ N(0, σ²I) - This probabilistic wrapper transforms any base classifier into a certifiably robust one without modifying its architecture
Monte Carlo Certification
Certification relies on Monte Carlo sampling to estimate the probability of the top class under noise. The Neyman-Pearson lemma provides the theoretical foundation for deriving a guaranteed radius.
- The procedure samples
nnoisy copies of the input and counts class predictions - A lower confidence bound on the top class probability
pAis computed using Clopper-Pearson intervals - The certified radius
Ris derived as:R = σ/2 * (Φ⁻¹(pA) - Φ⁻¹(pB))whereΦ⁻¹is the inverse Gaussian CDF - Increasing sample count
ntightens the confidence bound, yielding larger certified radii - Typical values:
n = 100,000for certification,n = 100for prediction
L2-Radius Guarantees
Randomized smoothing provides provable L2-norm robustness guarantees. If the smoothed classifier predicts class cA at input x, the prediction remains constant for all perturbations within the certified radius.
- The guarantee is deterministic and mathematically provable, not empirical
- The certified radius is a lower bound; actual robustness may be larger
- The L2 metric measures Euclidean distance between original and perturbed inputs
- Extensions exist for L1 and L∞ norms using different noise distributions (Laplace, Uniform)
- This contrasts with empirical defenses like adversarial training, which offer no formal guarantees
Prediction vs. Abstention
The smoothed classifier can abstain from prediction when the top two classes are statistically indistinguishable under noise. This is a critical safety mechanism for high-stakes applications.
- If the confidence interval for
pAoverlaps withpB, the classifier abstains - Abstention prevents overconfident misclassifications on ambiguous or out-of-distribution inputs
- The hypothesis test uses a significance level
α(typically 0.001) to control false positive rates - This mechanism naturally integrates with human-in-the-loop workflows for uncertain cases
- The abstention rate increases near decision boundaries, providing a calibrated uncertainty signal
Architecture-Agnostic Defense
Randomized smoothing operates as a wrapper around any base classifier, requiring no architectural modifications or retraining. This makes it uniquely practical for production deployment.
- Compatible with any differentiable model: CNNs, Transformers, ResNets, ViTs
- No adversarial training required; the base model can be trained on clean data only
- The defense is orthogonal to other robustness techniques and can be combined with adversarial training
- Certification is performed at inference time, not during training
- Trade-off: inference latency increases linearly with the number of Monte Carlo samples
Denoised Smoothing Extensions
Standard randomized smoothing suffers from the accuracy-robustness trade-off at high noise levels. Denoised smoothing addresses this by prepending a denoiser before the base classifier.
- A custom-trained denoiser removes Gaussian noise before classification
- This allows the base classifier to operate on near-clean inputs while maintaining certification
- The denoiser must be Lipschitz-constrained to preserve the certification guarantees
- Techniques include stability training and using denoising score matching objectives
- Denoised smoothing significantly improves certified accuracy at large radii compared to standard smoothing
Frequently Asked Questions
Clear, technically precise answers to the most common questions about constructing certifiably robust classifiers using the randomized smoothing framework.
Randomized smoothing is a probabilistic defense that constructs a certifiably robust classifier from any base classifier by adding isotropic Gaussian noise to inputs and aggregating predictions through majority voting. The mechanism works in two phases: during prediction, the smoothed classifier evaluates the base model on multiple noisy copies of the input and returns the most frequent class. During certification, it computes a lower bound on the probability of the top class and uses the Neyman-Pearson lemma to derive a guaranteed radius within which no adversarial perturbation can change the prediction. This transforms a brittle black-box model into a provably robust one without modifying its architecture or training procedure. The certified radius scales with the noise level σ and the margin of the top class probability over 0.5.
Randomized Smoothing vs. Adversarial Training
A technical comparison of two primary paradigms for hardening neural networks against evasion attacks: empirical defense through data augmentation and certified defense through probabilistic noise injection.
| Feature | Randomized Smoothing | Adversarial Training |
|---|---|---|
Defense Paradigm | Certified robustness via noise injection | Empirical robustness via data augmentation |
Mathematical Guarantee | ||
Defense Scope | L2-norm bounded perturbations | Specific attack used during training |
Computational Cost at Training | Low (standard classifier training) | High (multi-step PGD generation) |
Computational Cost at Inference | High (requires 10,000+ Monte Carlo samples) | Low (single forward pass) |
Scalability to Large Datasets (e.g., ImageNet) | ||
Susceptibility to Adaptive Attacks | Low (guarantee holds if noise assumption met) | High (often broken by stronger attacks) |
Typical Certified Radius (L2, CIFAR-10) | 0.5 - 1.0 |
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Explore the core concepts surrounding certified robustness and the threat models that randomized smoothing is designed to counter.
Certified Robustness
A formal guarantee that a model's prediction remains constant for all inputs within a mathematically defined perturbation bound (e.g., an L2-radius ball). Unlike empirical defenses, certification provides a provable lower bound on accuracy against any attacker, making it the gold standard for safety-critical systems. Randomized smoothing is the most scalable method to achieve this for large neural networks.
Adversarial Example
A maliciously perturbed input designed to cause a machine learning model to make a mistake while appearing unmodified to human observers. These are the primary threat that randomized smoothing defends against. Key characteristics include:
- Imperceptibility: Changes are invisible to the human eye.
- Transferability: Examples crafted on one model often fool others.
- Lp-norm Bounds: Attacks are typically constrained by L2 or L-infinity distance metrics.
Evasion Attack
An attack that modifies input data at test time to cause misclassification without altering the underlying model. This is the direct threat vector addressed by randomized smoothing. The attacker manipulates a benign input (e.g., adding noise to a stop sign image) to force a target model into an incorrect prediction during inference.
Threat Model
A formal specification of an adversary's goals, knowledge, and capabilities used to evaluate the security posture of a machine learning system. For randomized smoothing, the standard threat model is an L2-bounded adversary with full white-box access to the smoothed classifier's weights but who cannot interfere with the stochastic noise addition process.
Adversarial Training
A defensive technique that augments training data with adversarial examples to improve model robustness. While effective empirically, it often lacks formal guarantees. Randomized smoothing is frequently compared against adversarial training as it provides certifiable guarantees that adversarial training cannot, though it may sacrifice some clean-data accuracy.
Projected Gradient Descent (PGD)
A multi-step iterative white-box attack that projects perturbations onto an Lp-norm ball, serving as the standard benchmark for empirical robustness. PGD is the primary attack used to evaluate non-certified defenses. A key advantage of randomized smoothing is that its guarantees hold against PGD and any other attack within the certified radius.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us