Tight Robustness Certification Through the Convex Hull of $\ell_0$ Attacks
Yuval Shapira, Dana Drachsler-Cohen

TL;DR
This paper introduces a novel convex hull approach for certifying robustness against few-pixel attacks, significantly improving the scalability and tightness of existing verifiers for $\ell_0$ perturbations.
Contribution
It characterizes the convex hull of $\ell_0$-balls and develops a linear bound propagation method that yields tighter robustness bounds for $\ell_0$ attacks.
Findings
The convex hull of an $\ell_0$-ball is the intersection of a bounding box and an $\ell_1$-like polytope.
The proposed bound propagation method is significantly tighter than previous methods.
The new verifier scales the state-of-the-art $\ell_0$ verifier by up to 7.07 times on challenging benchmarks.
Abstract
Few-pixel attacks mislead a classifier by modifying a few pixels of an image. Their perturbation space is an $\ell_0$-ball, which is not convex, unlike -balls for . However, existing local robustness verifiers typically scale by relying on linear bound propagation, which captures convex perturbation spaces. We show that the convex hull of an $\ell_0$-ball is the intersection of its bounding box and an asymmetrically scaled $\ell_1$-like polytope. The volumes of the convex hull and this polytope are nearly equal as the input dimension increases. We then show a linear bound propagation that precisely computes bounds over the convex hull and is significantly tighter than bound propagations over the bounding box or our $\ell_1$-like polytope. This bound propagation scales the state-of-the-art verifier on its most challenging robustness benchmarks by 1.24x-7.07x,…
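The gap between bounding-box and convex-hull bounds can be seen on a single linear function, where minimizing over the convex hull equals minimizing over the $\ell_0$-ball itself because a linear function attains its minimum at an extreme point. The following is an added example, not code from the paper: the function names, the pixel range [0, 1] and the sample weights are assumptions made here, and it covers one linear layer only, not the paper's propagation through a full network.

```python
from itertools import combinations, product

def affine(w, b, x):
    return sum(wi * xi for wi, xi in zip(w, x)) + b

def coord_gains(w, x0, lo=0.0, hi=1.0):
    # Largest decrease of w.x obtainable by moving pixel i alone to lo or hi
    # (0.0 if moving that pixel cannot decrease the output).
    return [min(wi * (lo - xi), wi * (hi - xi), 0.0) for wi, xi in zip(w, x0)]

def lower_bound_box(w, b, x0, t):
    # Bounding box of the l0-ball (for t >= 1): every pixel may move at once,
    # so the few-pixel budget t is ignored and the bound is loose.
    gains = coord_gains(w, x0) if t > 0 else []
    return affine(w, b, x0) + sum(gains)

def lower_bound_hull(w, b, x0, t):
    # Convex hull of the l0-ball: the minimum of a linear function sits at a
    # vertex, which changes only the t pixels with the most negative gains.
    return affine(w, b, x0) + sum(sorted(coord_gains(w, x0))[:t])

def lower_bound_bruteforce(w, b, x0, t, lo=0.0, hi=1.0):
    # Ground truth: try every choice of t pixels, each pushed to lo or hi.
    best = affine(w, b, x0)
    for idx in combinations(range(len(x0)), t):
        for vals in product((lo, hi), repeat=t):
            x = list(x0)
            for i, v in zip(idx, vals):
                x[i] = v
            best = min(best, affine(w, b, x))
    return best

# Constructed sample: a 5-pixel "image" and the weights of one logit margin.
W = [2.0, -1.5, 0.5, -3.0, 1.0]
B = 0.25
X0 = [0.9, 0.2, 0.5, 0.6, 0.1]
T = 2  # the attacker may change at most two pixels

if __name__ == "__main__":
    print("box bound  :", lower_bound_box(W, B, X0, T))
    print("hull bound :", lower_bound_hull(W, B, X0, T))
    print("brute force:", lower_bound_bruteforce(W, B, X0, T))
```

If the quantity being bounded is a classification margin, a positive lower bound certifies the input; here the box bound is far more pessimistic than the hull bound, which matches exhaustive enumeration.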
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Physical Unclonable Functions (PUFs) and Hardware Security · Digital Media Forensic Detection
