Adversarial robustness via robust low rank representations

TL;DR

This paper introduces a method leveraging low rank data representations to enhance certified adversarial robustness guarantees for neural networks against both $ ext{L}_2$ and $ ext{L}_ ext{infinity}$ perturbations, outperforming existing approaches.

Contribution

The work provides novel certified robustness guarantees using low rank representations for $ ext{L}_2$ and $ ext{L}_ ext{infinity}$ norms, with improved algorithms for matrix norm bounds.

Findings

Improved robustness guarantees over state-of-the-art methods on CIFAR datasets.

Empirical evidence of inherent robustness properties in low rank representations.

A fast algorithm with provable guarantees for matrix norm bounds, enhancing certification.

Abstract

Adversarial robustness measures the susceptibility of a classifier to imperceptible perturbations made to the inputs at test time. In this work we highlight the benefits of natural low rank representations that often exist for real data such as images, for training neural networks with certified robustness guarantees. Our first contribution is for certified robustness to perturbations measured in $\ell_2$ norm. We exploit low rank data representations to provide improved guarantees over state-of-the-art randomized smoothing-based approaches on standard benchmark datasets such as CIFAR-10 and CIFAR-100. Our second contribution is for the more challenging setting of certified robustness to perturbations measured in $\ell_\infty$ norm. We demonstrate empirically that natural low rank representations have inherent robustness properties, that can be leveraged to provide significantly better guarantees for certified robustness to $\ell_\infty$ perturbations in those representations. Our certificate of $\ell_\infty$ robustness relies on a natural quantity involving the $\infty \to 2$ matrix operator norm associated with the representation, to translate robustness guarantees from $\ell_2$ to $\ell_\infty$ perturbations. A key technical ingredient for our certification guarantees is a fast algorithm with provable guarantees based on the multiplicative weights update method to provide upper bounds on the above matrix norm. Our algorithmic guarantees improve upon the state of the art for this problem, and may be of independent interest.