Papers
Topics
Authors
Recent
Gemini 2.5 Flash
Gemini 2.5 Flash
169 tokens/sec
GPT-4o
7 tokens/sec
Gemini 2.5 Pro Pro
45 tokens/sec
o3 Pro
4 tokens/sec
GPT-4.1 Pro
38 tokens/sec
DeepSeek R1 via Azure Pro
28 tokens/sec
2000 character limit reached

Overcoming the Paradox of Certified Training with Gaussian Smoothing (2403.07095v1)

Published 11 Mar 2024 in cs.LG

Abstract: Training neural networks with high certified accuracy against adversarial examples remains an open problem despite significant efforts. While certification methods can effectively leverage tight convex relaxations for bound computation, in training, these methods perform worse than looser relaxations. Prior work hypothesized that this is caused by the discontinuity and perturbation sensitivity of the loss surface induced by these tighter relaxations. In this work, we show theoretically that Gaussian Loss Smoothing can alleviate both of these issues. We confirm this empirically by proposing a certified training method combining PGPE, an algorithm computing gradients of a smoothed loss, with different convex relaxations. When using this training method, we observe that tighter bounds indeed lead to strictly better networks that can outperform state-of-the-art methods on the same network. While scaling PGPE-based training remains challenging due to high computational cost, our results clearly demonstrate the promise of Gaussian Loss Smoothing for training certifiably robust neural networks.

Definition Search Book Streamline Icon: https://streamlinehq.com
References (35)
  1. Evasion attacks against machine learning at test time. In Proc of ECML PKDD, 2013. doi: 10.1007/978-3-642-40994-3_25.
  2. First three years of the international verification of neural networks competition (VNN-COMP). CoRR, abs/2301.05815, 2023. doi: 10.48550/ARXIV.2301.05815.
  3. Reliable evaluation of adversarial robustness with an ensemble of diverse parameter-free attacks. In Proc. of ICML, 2020.
  4. Complete verification via multi-neuron relaxation guided branch-and-bound. In Proc. of ICLR, 2022.
  5. AI2: safety and robustness certification of neural networks with abstract interpretation. In Proc. of S&P, 2018. doi: 10.1109/SP.2018.00058.
  6. On the effectiveness of interval bound propagation for training verifiably robust models. ArXiv preprint, abs/1810.12715, 2018.
  7. Delving deep into rectifiers: Surpassing human-level performance on imagenet classification. In Proc. of ICCV, 2015. doi: 10.1109/ICCV.2015.123.
  8. On the paradox of certified training. Trans. Mach. Learn. Res., 2022.
  9. Reluplex: An efficient SMT solver for verifying deep neural networks. ArXiv preprint, abs/1702.01135, 2017.
  10. Adam: A method for stochastic optimization. In Bengio, Y. and LeCun, Y. (eds.), Proc. of ICLR, 2015.
  11. Learning multiple layers of features from tiny images. 2009.
  12. Neuroevobench: Benchmarking evolutionary optimizers for deep learning applications. In Proc. of NeurIPS Datasets and Benchmarks Track, 2023.
  13. Mnist handwritten digit database. ATT Labs [Online]. Available: http://yann.lecun.com/exdb/mnist, 2010.
  14. Connecting certified and adversarial training. In Proc. of NeurIPS, 2023a.
  15. Understanding certified training with interval bound propagation. CoRR, abs/2306.10426, 2023b. doi: 10.48550/ARXIV.2306.10426.
  16. Differentiable abstract interpretation for provably robust neural networks. In Dy, J. G. and Krause, A. (eds.), Proc. of ICML, 2018.
  17. Certify or predict: Boosting certified robustness with compositional architectures. In Proc. of ICLR, 2021.
  18. Certified training: Small boxes are all you need. In Proc. of ICLR, 2023.
  19. IBP regularization for verified adversarial robustness via branch-and-bound. ArXiv preprint, abs/2206.14772, 2022.
  20. Expressive losses for verified robustness via convex combinations. CoRR, abs/2305.13991, 2023. doi: 10.48550/arXiv.2305.13991.
  21. Pytorch: An imperative style, high-performance deep learning library. In Proc. of NeurIPS, 2019.
  22. Parameter-exploring policy gradients. Neural Networks, 2010. doi: 10.1016/J.NEUNET.2009.12.004.
  23. Fast certified robust training with short warmup. In Ranzato, M., Beygelzimer, A., Dauphin, Y. N., Liang, P., and Vaughan, J. W. (eds.), Proc. of NeurIPS, 2021.
  24. Fast and effective robustness certification. In Proc. of NeurIPS, 2018.
  25. An abstract domain for certifying neural networks. Proc. of POPL, 2019. doi: 10.1145/3290354.
  26. Gaussian smoothing gradient descent for minimizing high-dimensional non-convex functions, 2023.
  27. Intriguing properties of neural networks. In Proc. of ICLR, 2014.
  28. Evotorch: Scalable evolutionary computation in python, 2023.
  29. On adaptive attacks to adversarial example defenses. In Proc. of NeurIPS, 2020.
  30. Efficient formal safety analysis of neural networks. In Proc. of NeurIPS, 2018.
  31. Towards fast computation of certified robustness for relu networks. In Proc. of ICML, 2018.
  32. Provable defenses against adversarial examples via the convex outer adversarial polytope. In Proc. of ICML, 2018.
  33. Efficient neural network robustness certification with general activation functions. In Proc. of NeurIPS, 2018.
  34. Towards stable and efficient training of verifiably robust neural networks. In Proc. of ICLR, 2020.
  35. General cutting planes for bound-propagation-based neural network verification. ArXiv preprint, abs/2208.05740, 2022.
Citations (3)
View on Semantic Scholar

Summary

We haven't generated a summary for this paper yet.

Ai Sparkles Streamline Icon: https://streamlinehq.com Summarize Now
X Twitter Logo Streamline Icon: https://streamlinehq.com

Tweets