Cascading Robustness Verification: Toward Efficient Model-Agnostic Certification

TL;DR

This paper introduces Cascading Robustness Verification (CRV), a model-agnostic framework that combines multiple verifiers to efficiently and reliably certify neural network robustness against adversarial attacks, outperforming existing methods in accuracy and speed.

Contribution

CRV is a novel, model-agnostic verification framework that enhances reliability and efficiency by cascading multiple verifiers with a stepwise relaxation algorithm.

Findings

CRV certifies at least as many inputs as benchmark approaches.

CRV improves runtime efficiency by up to ~90%.

CRV achieves equal or higher verified accuracy than existing methods.

Abstract

Certifying neural network robustness against adversarial examples is challenging, as formal guarantees often require solving non-convex problems. Hence, incomplete verifiers are widely used because they scale efficiently and substantially reduce the cost of robustness verification compared to complete methods. However, relying on a single verifier can underestimate robustness because of loose approximations or misalignment with training methods. In this work, we propose Cascading Robustness Verification (CRV), which goes beyond an engineering improvement by exposing fundamental limitations of existing robustness metric and introducing a framework that enhances both reliability and efficiency. CRV is a model-agnostic verifier, meaning that its robustness guarantees are independent of the model's training process. The key insight behind the CRV framework is that, when using multiple verification methods, an input is certifiably robust if at least one method certifies it as robust. Rather than relying solely on a single verifier with a fixed constraint set, CRV progressively applies multiple verifiers to balance the tightness of the bound and computational cost. Starting with the least expensive method, CRV halts as soon as an input is certified as robust; otherwise, it proceeds to more expensive methods. For computationally expensive methods, we introduce a Stepwise Relaxation Algorithm (SR) that incrementally adds constraints and checks for certification at each step, thereby avoiding unnecessary computation. Our theoretical analysis demonstrates that CRV achieves equal or higher verified accuracy compared to powerful but computationally expensive incomplete verifiers in the cascade, while significantly reducing verification overhead. Empirical results confirm that CRV certifies at least as many inputs as benchmark approaches, while improving runtime efficiency by up to ~90%.