Second-Order Provable Defenses against Adversarial Attacks
- URL: http://arxiv.org/abs/2006.00731v1
- Date: Mon, 1 Jun 2020 05:55:18 GMT
- Title: Second-Order Provable Defenses against Adversarial Attacks
- Authors: Sahil Singla, Soheil Feizi
- Abstract summary: We show that if the eigenvalues of the Hessian of the network are bounded, we can compute a certificate in the $l_2$ norm efficiently using convex optimization.
We achieve certified robust accuracy of 69.79%, 57.78% and 53.19% while IBP-based methods achieve 44.96%, 44.74% and 44.66% on 2, 3 and 4 layer networks respectively.
- Score: 63.34032156196848
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: A robustness certificate is the minimum distance of a given input to the
decision boundary of the classifier (or its lower bound). For {\it any} input
perturbations with a magnitude smaller than the certificate value, the
classification output will provably remain unchanged. Exactly computing the
robustness certificates for neural networks is difficult since it requires
solving a non-convex optimization. In this paper, we provide
computationally-efficient robustness certificates for neural networks with
differentiable activation functions in two steps. First, we show that if the
eigenvalues of the Hessian of the network are bounded, we can compute a
robustness certificate in the $l_2$ norm efficiently using convex optimization.
Second, we derive a computationally-efficient differentiable upper bound on the
curvature of a deep network. We also use the curvature bound as a
regularization term during the training of the network to boost its certified
robustness. Putting these results together leads to our proposed {\bf
C}urvature-based {\bf R}obustness {\bf C}ertificate (CRC) and {\bf
C}urvature-based {\bf R}obust {\bf T}raining (CRT). Our numerical results show
that CRT leads to significantly higher certified robust accuracy compared to
interval-bound propagation (IBP) based training. We achieve certified robust
accuracy 69.79%, 57.78% and 53.19% while IBP-based methods achieve 44.96%,
44.74\% and 44.66\% on 2,3 and 4 layer networks respectively on the
MNIST-dataset.
Related papers
- Towards General Robustness Verification of MaxPool-based Convolutional Neural Networks via Tightening Linear Approximation [51.235583545740674]
MaxLin is a robustness verifier for MaxPool-based CNNs with tight linear approximation.
We evaluate MaxLin with open-sourced benchmarks, including LeNet and networks trained on the MNIST, CIFAR-10, and Tiny ImageNet datasets.
arXiv Detail & Related papers (2024-06-02T10:33:04Z)
- Certifying Robustness of Convolutional Neural Networks with Tight Linear Approximation [5.678314425261842]
Ti-Lin is a Tight Linear approximation approach for robustness verification of Convolutional Neural Networks.
We present new linear constraints for S-shaped activation functions, which are better than both existing Neuron-wise Tightest and Network-wise Tightest tools.
We evaluate it with 48 different CNNs trained on MNIST, CIFAR-10, and Tiny ImageNet datasets.
arXiv Detail & Related papers (2022-11-13T08:37:13Z)
- LOT: Layer-wise Orthogonal Training on Improving $\ell_2$ Certified Robustness [14.206377940235091]
Recent studies show that training deep neural networks (DNNs) with Lipschitz constraints is able to enhance adversarial robustness and other model properties such as stability.
We propose a layer-wise orthogonal training method (LOT) to effectively train 1-Lipschitz convolution layers.
We show that LOT significantly outperforms baselines regarding deterministic l2 certified robustness, and scales to deeper neural networks.
arXiv Detail & Related papers (2022-10-20T22:31:26Z)
- Smooth-Reduce: Leveraging Patches for Improved Certified Robustness [100.28947222215463]
We propose a training-free, modified smoothing approach, Smooth-Reduce.
Our algorithm classifies overlapping patches extracted from an input image, and aggregates the predicted logits to certify a larger radius around the input.
We provide theoretical guarantees for such certificates, and empirically show significant improvements over other randomized smoothing methods.
arXiv Detail & Related papers (2022-05-12T15:26:20Z)
- Training Certifiably Robust Neural Networks with Efficient Local Lipschitz Bounds [99.23098204458336]
Certified robustness is a desirable property for deep neural networks in safety-critical applications.
We show that our method consistently outperforms state-of-the-art methods on MNIST and TinyNet datasets.
arXiv Detail & Related papers (2021-11-02T06:44:10Z)
- Enabling certification of verification-agnostic networks via memory-efficient semidefinite programming [97.40955121478716]
We propose a first-order dual SDP algorithm that requires memory only linear in the total number of network activations.
We significantly improve L-inf verified robust accuracy from 1% to 88% and 6% to 40% respectively.
We also demonstrate tight verification of a quadratic stability specification for the decoder of a variational autoencoder.
arXiv Detail & Related papers (2020-10-22T12:32:29Z)
- Tight Second-Order Certificates for Randomized Smoothing [106.06908242424481]
We show that there also exists a universal curvature-like bound for Gaussian random smoothing.
In addition to proving the correctness of this novel certificate, we show that SoS certificates are realizable and therefore tight.
arXiv Detail & Related papers (2020-10-20T18:03:45Z)
- Regularized Training and Tight Certification for Randomized Smoothed Classifier with Provable Robustness [15.38718018477333]
We derive a new regularized risk, in which the regularizer can adaptively encourage the accuracy and robustness of the smoothed counterpart.
We also design a new certification algorithm, which can leverage the regularization effect to provide tighter robustness lower bound that holds with high probability.
arXiv Detail & Related papers (2020-02-17T20:54:34Z)
This list is automatically generated from the titles and abstracts of the papers on this site.