Understanding Certified Training with Interval Bound Propagation
Yuhao Mao, Mark Niklas M\"uller, Marc Fischer, Martin Vechev
TL;DR
This paper investigates why interval bound propagation (IBP) methods outperform more precise bounds in certifiable neural network training, revealing mechanisms, trade-offs, and conditions that influence robustness and accuracy.
Contribution
The study provides a theoretical and empirical analysis of IBP's success, introduces a new metric for bound tightness, and explores conditions for exact bounds and their regularization effects.
Findings
Wider networks improve IBP-based robustness.
High IBP bound tightness correlates with robustness but is not necessary for it.
Theoretical conditions for exact bounds reveal strong regularization effects.
Abstract
As robustness verification methods are becoming more precise, training certifiably robust neural networks is becoming ever more relevant. To this end, certified training methods compute and then optimize an upper bound on the worst-case loss over a robustness specification. Curiously, training methods based on the imprecise interval bound propagation (IBP) consistently outperform those leveraging more precise bounding methods. Still, we lack an understanding of the mechanisms making IBP so successful. In this work, we thoroughly investigate these mechanisms by leveraging a novel metric measuring the tightness of IBP bounds. We first show theoretically that, for deep linear models, tightness decreases with width and depth at initialization, but improves with IBP training, given sufficient network width. We, then, derive sufficient and necessary conditions on weight matrices for IBP…
Peer Reviews
Decision·ICLR 2024 poster
1. The paper gives a definition of the global and local propagation tightness which is new in the literature. 2. Theorem 3.9 gives a pretty interesting result that IBP improves tightness by proving the alignment between gradients.
1. Some analysis in Section 4.1 is not clear, please see the questions below. 2. What can be the potential improvement for certified training methods from your analysis? 3. Some missing related works: - [1] has a relevant conclusion on the diminishing improvement with increasing width in IBP training. [1] On the Convergence of Certified Robust Training with Interval Bound Propagation
- The motivation of the work makes sense to me and the theory is sound, especially I like the formulation of tightness in terms of optimal box and layerwise box. - The paper is generally well-written and easy to read, and there are some easy examples to help the audience follow. - The experiments are comprehensive, which mostly validates the theory part and gives many interesting insights for certified training.
- Although there are some examples in the introduction and formulation, the theory details lack some intuitive insights or explanations, e.g. Theorem 3.9 needs more insights to make it intuitive as it is one of the core theorems in this work. - The details of the experiments are not given in the main text; specifically, the datasets and models used in Fig. 3 are not clear. It is better to re-organize experiments part by adding a setup subsection for these necessary details. - Why is the certifi
1. The topic of the paper is relevant, and it is an open challenge. We still don’t understand certified training very well, and this paper is a great attempt to bring in some new understanding. 2. Some novel theoretical insights are given, such as on the tightness of bound propagation and propagation invariance. Also, the growth of the bounds under initialization and its relation with model width may be a useful result to guide practical training. 3. The bound propagation invariance condition
1. The theoretical results have strong assumptions such as linear neural networks, and neural network weights under Gaussian distribution. This is generally not a big concern if the authors can demonstrate that these theoretical insights can lead to great practical improvements, 2. but here the theoretical results developed do not lead to a better model that can outperform existing approaches, and some evaluations are quite weak (e.g., on a single MNIST model only). Since only a few models and
Code & Models
Videos
Taxonomy
TopicsAdversarial Robustness in Machine Learning · Advanced Neural Network Applications · Explainable Artificial Intelligence (XAI)