Certifiably Robust Interpretation via Renyi Differential Privacy

TL;DR

This paper introduces a Renyi differential privacy-based method for interpreting CNNs that provides provable robustness against adversarial attacks, outperforming existing approaches in robustness and efficiency.

Contribution

It proposes the Renyi-Robust-Smooth method, offering certifiable top-k robustness, improved experimental robustness, and a tradeoff between robustness and computational efficiency.

Findings

Provable top-k robustness under input perturbations.

Approximately 10% better robustness than existing methods.

Top-k attributions are twice as robust under resource constraints.

Abstract

Motivated by the recent discovery that the interpretation maps of CNNs could easily be manipulated by adversarial attacks against network interpretability, we study the problem of interpretation robustness from a new perspective of \Renyi differential privacy (RDP). The advantages of our Renyi-Robust-Smooth (RDP-based interpretation method) are three-folds. First, it can offer provable and certifiable top-$k$ robustness. That is, the top-$k$ important attributions of the interpretation map are provably robust under any input perturbation with bounded $\ell_d$-norm (for any $d\geq 1$, including $d = \infty$). Second, our proposed method offers $\sim10\%$ better experimental robustness than existing approaches in terms of the top-$k$ attributions. Remarkably, the accuracy of Renyi-Robust-Smooth also outperforms existing approaches. Third, our method can provide a smooth tradeoff between robustness and computational efficiency. Experimentally, its top-$k$ attributions are {\em twice} more robust than existing approaches when the computational resources are highly constrained.