Unlocking Deterministic Robustness Certification on ImageNet
Kai Hu, Andy Zou, Zifan Wang, Klas Leino, Matt Fredrikson
TL;DR
This paper introduces a new residual network architecture and a novel loss function to improve deterministic robustness certification for large-scale image models, achieving state-of-the-art results on multiple datasets including ImageNet.
Contribution
The paper proposes the Linear ResNet architecture and EMMA loss function, enabling scalable deterministic robustness certification on large models like ResNet and ViT for ImageNet.
Findings
Achieved state-of-the-art robust accuracy on CIFAR-10/100 and Tiny-ImageNet.
First demonstration of scalable robustness certification on ImageNet.
Developed efficient Lipschitz bound estimation for residual blocks.
Abstract
Despite the promise of Lipschitz-based methods for provably-robust deep learning with deterministic guarantees, current state-of-the-art results are limited to feed-forward Convolutional Networks (ConvNets) on low-dimensional data, such as CIFAR-10. This paper investigates strategies for expanding certifiably robust training to larger, deeper models. A key challenge in certifying deep networks is efficient calculation of the Lipschitz bound for residual blocks found in ResNet and ViT architectures. We show that fast ways of bounding the Lipschitz constant for conventional ResNets are loose, and show how to address this by designing a new residual block, leading to the \emph{Linear ResNet} (LiResNet) architecture. We then introduce \emph{Efficient Margin MAximization} (EMMA), a loss function that stabilizes robust training by simultaneously penalizing worst-case adversarial examples from…
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Code & Models
Videos
Taxonomy
TopicsAdversarial Robustness in Machine Learning · Advanced Neural Network Applications