MIBP-Cert: Certified Training against Data Perturbations with Mixed-Integer Bilinear Programs
Tobias Lorenz, Marta Kwiatkowska, Mario Fritz

TL;DR
MIBP-Cert introduces a provable certification method using mixed-integer bilinear programming to ensure robustness of AI models against complex data perturbations and attacks, providing deterministic bounds on model parameters.
Contribution
The paper presents MIBP-Cert, a novel certification framework that computes sound, deterministic robustness bounds for models under complex data perturbations using mixed-integer bilinear programming.
Findings
Applicable to continuous and discrete data.
Handles complex threat models previously out of reach.
Provides provable robustness guarantees.
Abstract
Data errors, corruptions, and poisoning attacks during training pose a major threat to the reliability of modern AI systems. While extensive effort has gone into empirical mitigations, the evolving nature of attacks and the complexity of data require a more principled, provable approach to robustly learn on such data - and to understand how perturbations influence the final model. Hence, we introduce MIBP-Cert, a novel certification method based on mixed-integer bilinear programming (MIBP) that computes sound, deterministic bounds to provide provable robustness even under complex threat models. By computing the set of parameters reachable through perturbed or manipulated data, we can predict all possible outcomes and guarantee robustness. To make solving this optimization problem tractable, we propose a novel relaxation scheme that bounds each training step without sacrificing…
Taxonomy
Topics: Crime, Illicit Activities, and Governance
Methods: Sparse Evolutionary Training
