Provable Defense Against Geometric Transformations

TL;DR

This paper introduces a fast, provable defense framework that certifies neural networks against geometric transformations like scaling and rotation, significantly improving robustness and accuracy in real-world applications such as autonomous driving.

Contribution

The paper presents the first GPU-optimized verifier enabling deterministic certified robustness training against geometric transformations, achieving state-of-the-art results.

Findings

Verifier is 60x to 42,600x faster than previous methods.

Networks trained with this framework attain top certified robustness and accuracy.

Successfully verified robustness in autonomous driving scenarios.

Abstract

Geometric image transformations that arise in the real world, such as scaling and rotation, have been shown to easily deceive deep neural networks (DNNs). Hence, training DNNs to be certifiably robust to these perturbations is critical. However, no prior work has been able to incorporate the objective of deterministic certified robustness against geometric transformations into the training procedure, as existing verifiers are exceedingly slow. To address these challenges, we propose the first provable defense for deterministic certified geometric robustness. Our framework leverages a novel GPU-optimized verifier that can certify images between 60$\times$ to 42,600$\times$ faster than existing geometric robustness verifiers, and thus unlike existing works, is fast enough for use in training. Across multiple datasets, our results show that networks trained via our framework consistently achieve state-of-the-art deterministic certified geometric robustness and clean accuracy. Furthermore, for the first time, we verify the geometric robustness of a neural network for the challenging, real-world setting of autonomous driving.