Scalable Verified Training for Provably Robust Image Classification

Gowal, Sven; Dvijotham, Krishnamurthy; Stanforth, Robert; Bunel, Rudy; Qin, Chongli; Uesato, Jonathan; Arandjelović, Relja; Mann, Timothy; Kohli, Pushmeet

doi:10.1109/iccv.2019.00494

Cited by 98 publications

(131 citation statements)

References 6 publications

Supporting

Mentioning

117

Contrasting

Order By: Relevance

“…These methods offer exactness guarantees but are based on solving NP-hard optimization problems, which can make them intractable even for small networks. Incomplete methods can be divided into bound propagation approaches [Gowal et al 2019;Müller et al 2020;Singh et al 2018Singh et al , 2019b] and those that generate polynomially-solvable optimization problems [Bunel et al 2020a;Dathathri et al 2020;Lyu et al 2020;Raghunathan et al 2018;Singh et al 2019a;Xiang et al 2018] such as linear programming (LP) or semidefinite programming (SDP) optimization problems. Compared to deterministic certification methods, randomized smoothing [Cohen et al 2019;Lecuyer et al 2018;Salman et al 2019a] is a defence method providing only probabilistic guarantees and incurring significant runtime costs at inference time, with the generalization to arbitrary safety properties still being an open problem.…”

Section: Effectiveness Of Sblm and Pddm For Convex Hull Computationsmentioning

confidence: 99%

PRIMA: general and precise neural network certification via scalable convex hull approximations

Niklas

Makarchuk

Singh

et al. 2022

Proc. ACM Program. Lang.

View full text Add to dashboard Cite

Formal verification of neural networks is critical for their safe adoption in real-world applications. However, designing a precise and scalable verifier which can handle different activation functions, realistic network architectures and relevant specifications remains an open and difficult challenge. In this paper, we take a major step forward in addressing this challenge and present a new verification framework, called PRIMA. PRIMA is both (i) general: it handles any non-linear activation function, and (ii) precise: it computes precise convex abstractions involving multiple neurons via novel convex hull approximation algorithms that leverage concepts from computational geometry. The algorithms have polynomial complexity, yield fewer constraints, and minimize precision loss. We evaluate the effectiveness of PRIMA on a variety of challenging tasks from prior work. Our results show that PRIMA is significantly more precise than the state-of-the-art, verifying robustness to input perturbations for up to 20%, 30%, and 34% more images than existing work on ReLU-, Sigmoid-, and Tanh-based networks, respectively. Further, PRIMA enables, for the first time, the precise verification of a realistic neural network for autonomous driving within a few minutes.

show abstract

Section: Effectiveness Of Sblm and Pddm For Convex Hull Computationsmentioning

confidence: 99%

PRIMA: general and precise neural network certification via scalable convex hull approximations

Niklas

Makarchuk

Singh

et al. 2022

Proc. ACM Program. Lang.

View full text Add to dashboard Cite

show abstract

“…Apart from minimizing the worst case loss, approaches which minimize the upper bound on worst case loss inclu Wong et al, 2018 ; Tjeng et al (2018) ; Gowal et al (2019) . Another breed of approaches use a modified loss function which considers surrogate adversarial loss as an added regularization, where the surrogate is cross entropy ( Zhang et al, 2019b ) (TRADES), maximum margin cross entropy ( Ding et al, 2019 ) (MMA) and KL divergence ( Wang et al, 2019 ) (MART) between adversarial sample predictions and natural sample predictions.…”

Section: Prior Workmentioning

confidence: 99%

“…Wong and Kolter (2018) use a convex outer adversarial polytope as an upper bound for worst-case loss in robust training; here the network is trained by generating adversarial as well as few non-adversarial examples in the convex polytope of the attack via a linear program. Along the same vein include a mixed-integer programming based certified training for piece-wise linear neural networks ( Tjeng et al, 2018 ) and integer bound propagation ( Gowal et al, 2019 ).…”

Section: Introductionmentioning

confidence: 99%

Adversarially Robust Learning via Entropic Regularization

Jagatap

Joshi

Chowdhury

et al. 2022

Front. Artif. Intell.

View full text Add to dashboard Cite

In this paper we propose a new family of algorithms, ATENT, for training adversarially robust deep neural networks. We formulate a new loss function that is equipped with an additional entropic regularization. Our loss function considers the contribution of adversarial samples that are drawn from a specially designed distribution in the data space that assigns high probability to points with high loss and in the immediate neighborhood of training samples. Our proposed algorithms optimize this loss to seek adversarially robust valleys of the loss landscape. Our approach achieves competitive (or better) performance in terms of robust classification accuracy as compared to several state-of-the-art robust learning approaches on benchmark datasets such as MNIST and CIFAR-10.

show abstract

“…These baselines, defined below in details, are randomized smoothing [5] and adversarial training [4]. Another line of successful works rely on convex relaxations of the adversarial problem [7,6]. Because these methods tend to be heavily model-dependent, we did not find it necessary to adapt them in this exploratory work.…”

Section: Related Workmentioning

confidence: 99%

“…obfuscation mechanisms [3]. On the other hand, defenses that stood the test of time [4] or offer robustness certificates [5,6,7] have in common to address the issue formally and defend against any possible adversarial patterns, regardless of which patterns actually pose a threat.…”

Section: Introductionmentioning

confidence: 99%

High-Frequency Adversarial Defense for Speech and Audio

Olivier

Raj

Shah

2021

ICASSP 2021 - 2021 IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP)

View full text Add to dashboard Cite

Recent work suggests that adversarial examples are enabled by high-frequency components in the dataset. In the speech domain where spectrograms are used extensively, masking those components seems like a sound direction for defenses against attacks. We explore a smoothing approach based on additive noise masking in priority high frequencies. We show that this approach is much more robust than the naive noise filtering approach, and a promising research direction. We successfully apply our defense on a Librispeech speaker identification task, and on the UrbanSound8K audio classification dataset.

show abstract

Scalable Verified Training for Provably Robust Image Classification

Cited by 98 publications

References 6 publications

PRIMA: general and precise neural network certification via scalable convex hull approximations

PRIMA: general and precise neural network certification via scalable convex hull approximations

Adversarially Robust Learning via Entropic Regularization

High-Frequency Adversarial Defense for Speech and Audio

Contact Info

Product

Resources

About