Lipschitz-Margin Training: Scalable Certification of Perturbation Invariance for Deep Neural Networks

TL;DR

This paper introduces a scalable method for certifying neural network robustness against input perturbations by leveraging Lipschitz constants and margins, improving security guarantees efficiently across complex models.

Contribution

It presents a novel, computationally efficient technique to lower-bound adversarial perturbations and a training method to enhance network robustness, applicable to large and complex networks.

Findings

Provides provable robustness guarantees for large neural networks.

Significantly improves the robustness of trained models against adversarial attacks.

Demonstrates effectiveness on complex network architectures.

Abstract

High sensitivity of neural networks against malicious perturbations on inputs causes security concerns. To take a steady step towards robust classifiers, we aim to create neural network models provably defended from perturbations. Prior certification work requires strong assumptions on network structures and massive computational costs, and thus the range of their applications was limited. From the relationship between the Lipschitz constants and prediction margins, we present a computationally efficient calculation technique to lower-bound the size of adversarial perturbations that can deceive networks, and that is widely applicable to various complicated networks. Moreover, we propose an efficient training procedure that robustifies networks and significantly improves the provably guarded areas around data points. In experimental evaluations, our method showed its ability to provide a non-trivial guarantee and enhance robustness for even large networks.