Global Robustness Evaluation of Deep Neural Networks with Provable Guarantees for the $L_0$ Norm

TL;DR

This paper introduces an efficient, GPU-accelerated method with provable guarantees for estimating the robustness of deep neural networks against $L_0$ norm adversarial perturbations, applicable to large-scale models.

Contribution

It proposes an anytime, tensor-based approach to compute bounds on DNN robustness with convergence guarantees, addressing the NP-hardness of the problem.

Findings

The method provides tight robustness bounds for large-scale DNNs.

It enables effective evaluation of global and local robustness, as well as adversarial attack generation.

The approach is practical and scalable, demonstrated on ImageNet models.

Abstract

Deployment of deep neural networks (DNNs) in safety- or security-critical systems requires provable guarantees on their correct behaviour. A common requirement is robustness to adversarial perturbations in a neighbourhood around an input. In this paper we focus on the $L_0$ norm and aim to compute, for a trained DNN and an input, the maximal radius of a safe norm ball around the input within which there are no adversarial examples. Then we define global robustness as an expectation of the maximal safe radius over a test data set. We first show that the problem is NP-hard, and then propose an approximate approach to iteratively compute lower and upper bounds on the network's robustness. The approach is \emph{anytime}, i.e., it returns intermediate bounds and robustness estimates that are gradually, but strictly, improved as the computation proceeds; \emph{tensor-based}, i.e., the computation is conducted over a set of inputs simultaneously, instead of one by one, to enable efficient GPU computation; and has \emph{provable guarantees}, i.e., both the bounds and the robustness estimates can converge to their optimal values. Finally, we demonstrate the utility of the proposed approach in practice to compute tight bounds by applying and adapting the anytime algorithm to a set of challenging problems, including global robustness evaluation, competitive $L_0$ attacks, test case generation for DNNs, and local robustness evaluation on large-scale ImageNet DNNs. We release the code of all case studies via GitHub.