Verifiably Robust Conformal Prediction

TL;DR

This paper introduces VRCP, a novel conformal prediction framework that guarantees coverage under adversarial attacks for various perturbation norms and tasks, outperforming existing methods.

Contribution

VRCP leverages neural network verification to support arbitrary norm-bounded adversarial perturbations and regression, extending conformal prediction's robustness capabilities.

Findings

VRCP achieves above nominal coverage in experiments.

VRCP produces more efficient prediction regions than state-of-the-art methods.

Supports arbitrary norm-bounded adversarial perturbations and regression tasks.

Abstract

Conformal Prediction (CP) is a popular uncertainty quantification method that provides distribution-free, statistically valid prediction sets, assuming that training and test data are exchangeable. In such a case, CP's prediction sets are guaranteed to cover the (unknown) true test output with a user-specified probability. Nevertheless, this guarantee is violated when the data is subjected to adversarial attacks, which often result in a significant loss of coverage. Recently, several approaches have been put forward to recover CP guarantees in this setting. These approaches leverage variations of randomised smoothing to produce conservative sets which account for the effect of the adversarial perturbations. They are, however, limited in that they only support $\ell^2$-bounded perturbations and classification tasks. This paper introduces VRCP (Verifiably Robust Conformal Prediction), a new framework that leverages recent neural network verification methods to recover coverage guarantees under adversarial attacks. Our VRCP method is the first to support perturbations bounded by arbitrary norms including $\ell^1$, $\ell^2$, and $\ell^\infty$, as well as regression tasks. We evaluate and compare our approach on image classification tasks (CIFAR10, CIFAR100, and TinyImageNet) and regression tasks for deep reinforcement learning environments. In every case, VRCP achieves above nominal coverage and yields significantly more efficient and informative prediction regions than the SotA.