Robustness Certificates Against Adversarial Examples for ReLU Networks

TL;DR

This paper introduces attack-agnostic robustness certificates for ReLU neural networks that provide lower bounds on the distance to adversarial examples, leveraging the network's piece-wise linear structure for efficient computation.

Contribution

It proposes two novel lower bounds, the simplex and decision boundary certificates, which are faster and easier to compute than existing methods for assessing neural network robustness.

Findings

The simplex certificate has a closed-form expression and is differentiable.

The certificates are significantly faster to compute than prior methods.

Numerical results on MNIST demonstrate the effectiveness of the certificates.

Abstract

While neural networks have achieved high performance in different learning tasks, their accuracy drops significantly in the presence of small adversarial perturbations to inputs. Defenses based on regularization and adversarial training are often followed by new attacks to defeat them. In this paper, we propose attack-agnostic robustness certificates for a multi-label classification problem using a deep ReLU network. Although computing the exact distance of a given input sample to the classification decision boundary requires solving a non-convex optimization, we characterize two lower bounds for such distances, namely the simplex certificate and the decision boundary certificate. These robustness certificates leverage the piece-wise linear structure of ReLU networks and use the fact that in a polyhedron around a given sample, the prediction function is linear. In particular, the proposed simplex certificate has a closed-form, is differentiable and is an order of magnitude faster to compute than the existing methods even for deep networks. In addition to theoretical bounds, we provide numerical results for our certificates over MNIST and compare them with some existing upper bounds.