Robustness Certificates for Neural Networks against Adversarial Attacks

TL;DR

This paper presents a formal framework for certifying the robustness of neural networks against adversarial data poisoning and test-time attacks using control theory concepts, providing guarantees beyond empirical defenses.

Contribution

It introduces a novel certification method modeling training as a dynamical system and uses barrier certificates to guarantee robustness against worst-case poisoning.

Findings

Certifies non-trivial poisoning robustness radii on MNIST, SVHN, CIFAR-10.

Provides a unified framework for training and test-time attack certification.

Achieves model-agnostic guarantees without prior attack knowledge.

Abstract

The increasing use of machine learning in safety-critical domains amplifies the risk of adversarial threats, especially data poisoning attacks that corrupt training data to degrade performance or induce unsafe behavior. Most existing defenses lack formal guarantees or rely on restrictive assumptions about the model class, attack type, extent of poisoning, or point-wise certification, limiting their practical reliability. This paper introduces a principled formal robustness certification framework that models gradient-based training as a discrete-time dynamical system (dt-DS) and formulates poisoning robustness as a formal safety verification problem. By adapting the concept of barrier certificates (BCs) from control theory, we introduce sufficient conditions to certify a robust radius ensuring that the terminal model remains safe under worst-case ${\ell}_p$-norm based poisoning. To make this practical, we parameterize BCs as neural networks trained on finite sets of poisoned trajectories. We further derive probably approximately correct (PAC) bounds by solving a scenario convex program (SCP), which yields a confidence lower bound on the certified robustness radius generalizing beyond the training set. Importantly, our framework also extends to certification against test-time attacks, making it the first unified framework to provide formal guarantees in both training and test-time attack settings. Experiments on MNIST, SVHN, and CIFAR-10 show that our approach certifies non-trivial perturbation budgets while being model-agnostic and requiring no prior knowledge of the attack or contamination level.