Provable Certificates for Adversarial Examples: Fitting a Ball in the Union of Polytopes

TL;DR

This paper introduces GeoCert, an efficient algorithm for exactly computing the robustness of deep neural networks against adversarial perturbations within convex norms, providing tighter bounds than previous methods.

Contribution

The paper presents GeoCert, a novel algorithm that computes exact pointwise robustness for ReLU networks by relating it to polyhedral complex analysis, improving robustness bounds.

Findings

GeoCert produces tighter robustness bounds than prior methods.

The algorithm efficiently computes the largest inscribed $oldsymbol{ extit{ ext{ell}}}_p$ ball within a network's decision region.

Empirical results demonstrate the effectiveness of GeoCert under moderate computational constraints.

Abstract

We propose a novel method for computing exact pointwise robustness of deep neural networks for all convex $\ell_p$ norms. Our algorithm, GeoCert, finds the largest $\ell_p$ ball centered at an input point $x_0$, within which the output class of a given neural network with ReLU nonlinearities remains unchanged. We relate the problem of computing pointwise robustness of these networks to that of computing the maximum norm ball with a fixed center that can be contained in a non-convex polytope. This is a challenging problem in general, however we show that there exists an efficient algorithm to compute this for polyhedral complices. Further we show that piecewise linear neural networks partition the input space into a polyhedral complex. Our algorithm has the ability to almost immediately output a nontrivial lower bound to the pointwise robustness which is iteratively improved until it ultimately becomes tight. We empirically show that our approach generates distance lower bounds that are tighter compared to prior work, under moderate time constraints.