Improving the Tightness of Convex Relaxation Bounds for Training Certifiably Robust Classifiers

2020·arXiv

Abstract

Convex relaxations are effective for training and certifying neural networks against norm-bounded adversarial attacks, but they leave a large gap between certifiable and empirical robustness. In principle, convex relaxation can provide tight bounds if the solution to the relaxed problem is feasible for the original non-convex problem. We propose two regularizers that can be used to train neural networks that yield tighter convex relaxation bounds for robustness. In all of our experiments, the proposed regularizers result in higher certified accuracy than non-regularized baselines.

1. Introduction

Neural networks have achieved excellent performances on many computer vision tasks, but they are often vulnerable to small, adversarially chosen perturbations that are barely perceptible to humans while having a catastrophic impact on model performance (Szegedy et al., 2013; Goodfellow et al., 2014). Making classifiers robust to these adversarial perturbations is of great interest, especially when neural networks are applied to safety-critical applications. Several heuristic methods exist for obtaining robust classifiers, however powerful adversarial examples can be found against most of these defenses (Carlini & Wagner , 2017; Uesato et al., 2018).

Recent studies focus on verifying or enforcing the certified accuracy of deep classifiers, especially for networks with ReLU activations. They provide guarantees of a network’s robustness to any perturbation with norm bounded by ∥δ∥p ≤ ϵ ( Wong & Kolter , 2017; Wong et al., 2018; Raghu- nathan et al., 2018; Dvijotham et al., 2018b; Zhang et al., 2018; Salman et al., 2019). Formal verification methods can find the exact minimum adversarial distortions needed to fool a classifier (Ehlers , 2017; Katz et al., 2017; Tjeng et al., 2017), but require solving an NP-hard problem. To make verification efficient and scalable, convex relaxations are adopted, resulting in a lower bound on the norm of adversarial perturbations (Zhang et al., 2018; Weng et al., 2018), or an upper bound on the robust error (Dvijotham et al., 2018b; Gehr et al., 2018; Singh et al., 2018). Linear programming (LP) relaxations (Wong et al., 2018) are efficient enough to estimate the lower bound of the margin in each iteration for training certifiably robust networks. However, due to the relaxation of the underlying problem, a wide gap remains between the optimal values from the original and relaxed problems (Salman et al., 2019).

In this paper, we focus on improving the certified robustness of neural networks trained with convex relaxation bounds. To achieve this, we first give a more interpretable explanation for the bounds achieved in (Weng et al., 2018; Wong et al., 2018). Namely, the constraints of the relaxed problem are defined by a simple linear network with adversaries injecting bounded perturbations to both the input of the network and the pre-activations of intermediate layers. The optimal solution of the relaxed problem can be written as a forward pass of the clean image through the linear network, plus the cumulative adversarial effects of all the perturbations added to the linear transforms, which makes it easier to identify the optimality conditions and serves as a bridge between the relaxed problem and the original non-convex problem. We further identify conditions for the bound to be tight, and we propose two indicators for the gap between the original non-convex problem and the relaxed problem. Adding the proposed indicators into the loss function results in classifiers with better certified accuracy.

2. Background and Related Work

Adversarial defenses roughly fall into two categories: heuristic defenses and verifiable defenses. The heuristic defenses either try to identify adversarial examples and remove adversarial perturbations from images, or make the network invariant to small perturbations through training (Papernot & McDaniel , 2018; Shan et al., 2019; Samangouei et al., 2018; Hwang et al., 2019). In addition, adversarial training uses adversarial examples as opposed to clean examples during training, so that the network can learn how to classify

adversarial examples directly (Madry et al., 2017; Shafahi et al., 2019; Zhang et al., 2019).

In response, a line of works have proposed to verify the robustness of neural nets. Exact methods obtain the perturbation with minimum ∥δ∥p such that f(x) ̸= f(x + δ) , where f is a classifier and x is the data point. Nevertheless, the problem itself is NP-hard and the methods can hardly scale (Cheng et al., 2017; Lomuscio & Maganti , 2017 ; Dutta et al., 2018; Fischetti & Jo , 2017; Tjeng et al., 2017; Scheibler et al., 2015; Katz et al., 2017; Carlini et al., 2017; Ehlers , 2017).

A body of work focuses on relaxing the non-linearities in the original problem into linear inequality constraints (Singh et al., 2018; Gehr et al., 2018; Zhang et al., 2018; Mirman et al., 2018), sometimes using the dual of the relaxed problem (Wong & Kolter , 2017; Wong et al., 2018; Dvijotham et al., 2018b). Recently, (Salman et al., 2019) unified the primal and dual views into a common convex relaxation framework, and suggested there is an inherent gap between the actual and the lower bound of robustness given by ver-ifiers based on LP relaxations, which they called a convex relaxation barrier.

Some defense approaches integrate the verification methods into the training of a network to minimize robust loss directly. (Hein & Andriushchenko , 2017) uses a local lipschitz regularization to improve certified robustness. In addition, a bound based on semi-definite programming (SDP) relaxation was developed and minimized as the objective (Raghu- nathan et al., 2018). (Wong & Kolter , 2017) presents an upper bound on the robust loss caused by norm-bounded perturbation via LP relaxation, and minimizes this upper bound during training. (Wong et al., 2018) further extend this method to much more general network structures with skip connections and general non-linearities, and provide a memory-friendly training strategy using random projections. Since LP relaxation is adopted, the aforementioned convex relaxation barrier exists for their methods.

While another line of work (IBP) have shown that an intuitively looser interval bound can be used to train much more robust networks than convex relaxation for large perturbations (Gowal et al., 2018; Zhang et al., 2020), it is still important to study convex relaxation bounds since it can provide better certificates against a broader class of adversaries that IBP struggles to certify in some cases, such as adversaries for convolutional networks. We discuss these motivations in more detail in Appendix F.

We seek to enforce the tightness of the convex relaxation certificate during training. We reduce the optimality gap between the original and the relaxed problem by using various tightness indicators as regularizers during training. Compared with previous approaches, we have the following contributions: First, based upon the same relaxation in (Weng et al., 2018), we illustrate a more intuitive view for the bounds on intermediate ReLU activations achieved by (Wong et al., 2018), which can be viewed as a linear network facing adversaries adding that make bounded perturbations to both the input and the intermediate layers. Second, starting from this view, we identify conditions where the bound from the relaxed problem is tight for the original non-convex problem. Third, based on the conditions, we propose regularizers that encourage the bound to be tight for the obtained network, which improves the certificate on both MNIST and CIFAR-10.

3. Problem Formulation

In general, to train an adversarially robust network, we solve a constrained minimax problem where the adversary tries to maximize the loss given the norm constraint, and the parameters of the network are trained to minimize this maximal loss. Due to nonconvexity and the complexity of neural networks, it is expensive to solve the inner max problem exactly. To obtain certified robustness, like many related works (Wong et al., 2018; Gowal et al., 2018), we minimize an upper bound of the inner max problem, which is a cross entropy loss on the negation of the lower bounds of margins over each other class, as shown in Eq. 3. Without loss of generality, in this section we analyze the original and relaxed problems for minimizing the margin between the ground truth class y and some other class t under norm-bounded adversaries, which can be adapted directly to compute the loss in Eq. 3.

The original nonconvex constrained optimization problem for finding the norm-bounded adversary that minimizes the margin can be formulated as

where ct = ey − et, ey and are one-hot vectors corresponding to the label y and some other class t, σ(·) is the ReLU activation, and is one functional block of the neural network. This can be a linear layer ( fi(zi) = Wizi + bi ), or even a residual block. We use fi(σ(fi−1(· · · f1(x)))) to denote the ReLU network up to the i-th layer, and p∗O to denote the optimal solution to O.

3.1. Efficient Convex Relaxations

Grouping of ReLU Activations The nonconvexity of O stems from the nonconvex feasible set given by the ReLU activations. Since the network is a continuous function, the pre-activations have lower and upper bounds and ¯xi when the input z1 ∈ Bp,ϵ(x) . If a certain pre-activation

Figure 1. The feasible sets (blue regions/lines) given by the bounded ReLU constraints (Eq. O), convex hull ( convij ) and the relaxation (Fast-Lin) discussed in this paper (specific choice for Eq. C) for j ∈ Ii . The red lines and dots are the intersections between the boundaries of the convex feasible sets and the ReLU constraints.

xij has xij < 0 < ¯xij , its corresponding ReLU constraint zi+1,j = σ(xij) gives rise to a non-convex feasible set as shown in the left of Figure 1, making Eq. O a non-convex optimization problem. On the other hand, if ¯xij ≤ 0 or xij ≥ 0 , the constraints degenerate into linear constraints zi+1,j = 0 and zi+1,j = xij respectively, which do not affect convexity. Based on and ¯xi , we divide the ReLU activations into three disjoint subsets

If j ∈ Ii , we call the corresponding ReLU activation an unstable neuron.

Convex relaxation expands the non-convex feasible sets into convex ones and solves a convex optimization problem C. The feasible set of O is a subset of the feasible set of C, so the optimal value of C lower bounds the optimal value of Eq. O. Moreover, we want problem C to be solved efficiently, better with a closed form solution, so that it can be integrated into the training process.

Computational Challenge for the “optimal” Relaxation As pointed out by (Salman et al., 2019), the optimal layer-wise convex relaxation, i.e., the optimal convex relaxation for the nonlinear constraint zi+1 = σ(xi) of a single layer, can be obtained independently for each neuron. For each j ∈ Ii in a ReLU network, the optimal layer-wise convex relaxation is the closed convex hull convij of Sij =

xij} , which is just convij = {(xij, zi+1,j)| max(0, xij) ≤ zi+1,j ≤ xijxij−xij (xij − xij)} , corresponding to the triangle region in the middle of Figure 1. Despite being relatively tight, there is no closed-form solution to this relaxed problem. LP solvers are typically adopted to solve a linear programming problem for each neuron. Therefore, such a relaxation is hardly scalable to verify larger networks without any additional trick (like (Xiao et al., 2018)). (Weng et al., 2018) find it to be 34 to 1523 times slower than FastLin, and it has difficulty verifying MLPs with more than 3 layers on MNIST. In (Salman et al., 2019), it takes 10,000 CPU cores to parallelize the LP solvers for bounding the activations of every neuron in a two-hidden-layer MLP with 100 neurons per layer. Since solving LP problems for all neurons are usually impractical, it is even more difficult to optimize the network to maximize the lower bounds of margin found by solving this relaxation problem, as differentiating through the LP optimization process is even more expensive.

Computationally Efficient Relaxations In the layer-wise convex relaxation, instead of using a boundary nonlinear in xij , (Zhang et al., 2018) has shown that for any nonlinearity, when both the lower and upper boundaries are linear in xij , there exist closed-form solutions to the relaxed problem, which avoids using LP solvers and improves ef-ficiency. Specifically, the following relaxation of O has closed-form solutions:

where denotes element-wise product, and for simplicity, we have only considered networks with no skip connections, and represent both Full Connected and Convolutional Layers as a linear transform fi(zi) = Wizi + bi.

Before we can solve C to get the lower bound of margin, we need to know the range [xi, ¯xi] for the pre-activations xi. As in ( Wong & Kolter , 2017; Weng et al., 2018; Zhang et al., 2018), we can solve the same optimization problem for each neuron xij starting from layer 1 to L, by replacing ct with ej or −ej for xij or ¯xij respectively.1

The most efficient approach in this category is FastLin (Weng et al., 2018), which sets aij = ¯aij , as shown in the right of Figure 1. A tighter choice is CROWN (Zhang et al., 2018), which chooses different aij and ¯aij such that the convex feasible set is minimized. However, CROWN has much higher complexity than Fast-Lin due to its varying slopes. We give detailed analysis of the closed-form solutions of both bounds and their complexities in Appendix D. Recently, CROWN-IBP (Zhang et al., 2020) has been proposed to provide a better initialization to IBP, which uses IBP to estimate range [xi, ¯xi] for CROWN. In this case, both CROWN and Fast-Lin have the same complexity and CROWN is a better choice.

Figure 2. Illustration of the data distribution and the decision boundary of the network h2(z1) , where Fast-Lin gives the exact lower bound of the margin for every sample in . We assume x0 is uniformly distributed in S0 ∪ S1, where S0 = {x0|x02 ≤ |x01| −

0 < b < 1. The ground-truth label for x0 ∈ S0 and x0 ∈ S1 are 0, 1 respectively. In this case, b = 0.3, ϵ = 0.2, x0 = [0.1, 0.42]T .

4. Tighter Bounds via Regularization

Despite being relatively efficient to compute, Fast-Lin and CROWN are not even the tightest layer-wise convex relaxation. Using tighter bounds to train the networks could potentially lead to higher certified robustness by preventing such bounds from over-regularizing the networks.

Nevertheless, there exist certain parameters and inputs such that the seemingly looser Fast-Lin is tight for O, i.e., the optimal value of Fast-Lin is the same as O. The immediate trivial case on can think of is where no unstable neuron exists for the samples inside the allowed perturbation interval.

In fact, even when unstable neurons exist, the optimal solution to the relaxed problem can still be a feasible solution to the original non-convex problem for a significant portion of input samples . We give an illustrative example where Fast-Lin is tight for a significant portion of the samples even when unstable neurons exist, as shown in Figure 2. In this figure, Fast-Lin is tight at every sample of for the network h1(z2) . Please refer to Appendix E for more details of this example.

It is therefore interesting to check the conditions for Fast-Lin or CROWN to be tight for O, and enforcing such conditions during training so that the network can be better verified by efficient verifiers like Fast-Lin, CROWN, and even IBP.

4.1. Conditions for Tightness

Here we look into conditions that make the optimal value p∗C of the convex problem C to be equal to p∗O. Let {zi, xi}Li=1 be some feasible solution of C, from which the objective value of C can be determined as pC = c⊤t xL. Let {z′i, x′i}Li=1 be some feasible solution of O computed by passing z′1 through the ReLU sub-networks hi(z′1) defined in O, and denote the resulting feasible objective value as p′O = c⊤t x′L.

Generally, for a given network with the set of weights {Wi, bi}Li=1 , as long as the optimal solution {z∗i , x∗i }Li=1 of C is equal to a feasible solution {z′i, x′i}Li=1 of O, we will have p∗O = p∗C , since any feasible p′O of O satisfies p′O ≥ p∗O , and by the nature of relaxation p∗C ≤ p∗O.

Therefore, for a given network and input x, to check the tightness of the convex relaxation, we can check whether its optimal solution {z∗i , x∗i }Li=1 is feasible for O. This can be achieved by passing z∗1 through the ReLU network, and either directly check the resultant objective value p′O , or compare with the resultant feasible solution {z′i, x′i}Li=1 . Further, we can encourage such conditions to happen during the training process to improve the tightness of the bound. Based on such mechanisms, we propose two regularizers to enforce the tightness. Notice such regularizers are different from the RS Loss (Xiao et al., 2018) introduced to reduce the number of unstable neurons, since we have shown with Appendix E that C can be tight even when unstable neurons exist.

4.2. A Intuitive Indicator of Tightness: Difference in Output Bounds

The observation above motivates us to consider the non-negative value

as an indicator of the difference between {z∗i , x∗i }Li=1 and {z′i, x′i}Li=1 , where p′O(x, δ∗0) = c⊤t hL(x + δ∗0) is the mar- gin over class t computed by passing the optimal perturbation δ∗0 for C through the original network. δ∗0 can be computed efficiently from the optimality condition of FastLin or CROWN, as demonstrated in Eq. 8. For example, when p = ∞ , the optimal input perturbation δ∗0 of C is δ∗0 = −ϵsign(c⊤t WL:1) , which corresponds to sending z′1 = z∗1 = x − ϵsign(c⊤t WL:1) through the ReLU network;

when p = 2, δ∗0 = −ϵ c⊤t WL:1∥c⊤t WL:1∥2 , which corresponds to sending z′1 = z∗1 = x − ϵ c⊤t WL:1∥c⊤t WL:1∥2 .

The larger d(x, δ∗0, W, b) is, the more relaxed C is, and the higher p∗O − p∗C could be. Therefore, we can regularize the network to minimize during training and maximize the lower-bound of the margin p∗C , so that we can obtain a network where p∗C is a better estimate of p∗O and

the robustness is better represented by p∗C . Such an indicator avoids comparing the intermediate variables, which gives more flexibility for adjustment. It bears some similarities to knowledge distillation (Hinton et al., 2015), in that it encourages learning a network whose relaxed lower bound gives similar outputs of the corresponding ReLU network. It is worth noting that minimizing d(x, δ∗0, W, b) does not necessarily lead to decreasing p′O(x, δ∗0) or increasing p∗C . In fact, both p′O(x, δ∗0) and p∗C can be increased or decreased at the same time with their difference decreasing.

The tightest indicator should give the minimum gap p∗O−p∗C, where we need to find the optimal perturbation for O. However, the minimum gap cannot be found in polynomial time, due to the non-convex nature of O. (Weng et al., 2018) also proved that there is no polynomial time algorithm to find the minimum -norm adversarial distortion with 0.99 ln n approximation ratio unless NP=P, a problem equivalent to finding the minimum margin here.

4.3. A Better Indicator for Regularization: Difference in Optimal Pre-activations

Despite being intuitive and is able to achieve improvements, Eq. 2 which enforces similarity between objective values does not work as good as enforcing similarity between the solutions {z∗i , x∗i }Li=1 and {z′i, x′i}Li=1 in practice, an ap- proach we will elaborate below. For both CROWN and Fast-Lin, unless d(x, δ∗0, W, b) = 0, {z∗i , x∗i }Li=1 may devi- ate a lot from and does not correspond to any ReLU network, even if may seem small. For example, it is possible that z∗ij < 0 for a given z∗1 , but a ReLU network will always have z′ij ≥ 0.

We find an alternative regularizer more effective at improving verifiable accuracy. The regularizer encourages the feasible solution {z′i, x′i}Li=1 of O to exactly match the feasible optimal solution {z∗i , x∗i }Li=1 of C. Since we are adopting the layer-wise convex relaxation, the optimal solutions of the unstable neurons can be considered independently.

Here we derive a sufficient condition for tightness for FastLin, which also serves as a sufficient condition for CROWN. For linear programming, the optimal solution occurs on the boundaries of the feasible set. Since Fast-Lin is a layer-wise convex relaxation, the solution to each of its neurons in can be considered independently, and therefore for a specific layer i and j ∈ Ii , the pair of optimal solutions (x∗ij, z∗i+1,j) should occur on the boundary in the right of Figure 1. It follows that the only 3 optimal solutions of C that are also feasible for O are (xij, 0), (xij, xij) and (0, 0). Notice they are also in the intersection between the boundary of CROWN and O.

In practice, out of efficiency concerns, both Fast-Lin and CROWN identify the boundaries that the optimal solution lies on and computes the optimal value by accumulating the contribution of each layer in a backward pass, without explicitly computing {z∗i , x∗i }Li=1 for each layer with a forward pass (see Appendix D for more details). It is therefore beneficial to link the feasible solutions of O to the parameters of the boundaries. Specifically, let δ∗ij ∈ {bij,¯bij} be the intercept of the line that the optimal solution (x∗ij, z∗i+1,j) lies on. We want to find a rule based on {δ∗i }Li=1 to determine whether the bound is tight from the values of {x′i}Li=1 . For both Fast-Lin and CROWN, bij = 0,¯bij = −xijxijxij−xij . For Fast-Lin, when δ∗ij = ¯bij , only (x∗ij, z∗i+1,j) = (xij, 0) or (xij, xij) are fesible for O; when δ∗ij = bij, only (x∗ij, z∗i+1,j) = (0, 0) is feasible for O. Meanwhile, z′i+1,j = max(x′ij, 0) is deterministic if x′ij is given. Therefore, when the bound is tight for Fast-Lin, if , then x′ij = 0 . Otherwise, if δ∗ij = ¯bij , and x′ij = xij or xij . For CROWN, this condition is also fea- sible, though it could be either x′ij ≤ 0 or x′ij ≥ 0 when δ∗ij = 0 , depending on the optimal slope D(L)ij .

Indeed, we achieve optimal tightness ( p∗C = p∗O ) for both Fast-Lin and CROWN if x′ij satisfy these conditions at all unstable neurons. Specifically,

Proposition 1. Assume {z′i, x′i}Li=1 is obtained by the ReLU network with input z′1, and {δ∗i }L−1i=0 is the optimal solu- tion of Fast-Lin or CROWN. If z′1 = x+δ∗0, and x′ij ∈ S(δ∗ij) for all i = 1, ..., L − 1, j ∈ Ii , then is an opti- mal solution of O, Fast-Lin and CROWN. Here

We provide the proof of this simple proposition in the Appendix.

It remains to be discussed how to best enforce the similarity between the optimal solutions of O and Fast-Lin or CROWN. Like before, we choose to enforce the similarity between {x′i}Li=1 and the closest optimal solution of Fast- Lin, where is constructed by setting x′1 = x∗1 = W1(x + δ∗0) + b1 and pass x′1 through the ReLU network to obtain x′i = hi(x + δ∗0) . By Proposition 1, the distance can be computed by considering the values of the intercepts

where the first term corresponds to δ∗ij = 0 and the con- dition x′ij ∈ {0} , and the second term corresponds to δ∗ij = −xijxijxij−xij and the condition x′ij ∈ {xij, xij} . To minimize the second term, the original ReLU network only needs to be optimized towards the nearest feasible optimal solution. It is easy to see from Proposition 1 that if r(x, δ∗0, W, b) = 0 , then p∗O = p∗C , where C could be both Fast-Lin or CROWN.

Compared with d(x, δ∗0, W, b), r(x, δ∗0, W, b) puts more con- straints on the parameters W, b , since it requires all unstable neurons of the ReLU network to match the optimal solutions of Fast-Lin, instead of only matching the objective values p′O and p∗C . In this way, it provides stronger guidance to- wards a network whose optimal solution for O and Fast-Lin or CROWN agree. However, again, this is not equivalent to trying to kill all unstable neurons, since Fast-Lin can be tight even when unstable neurons exist.

4.4. Certified Robust Training in Practice

In practice, for classification problems with more than two classes, we will compute the lower bound of the margins with respect to multiple classes. Denote p∗C and p∗O as the concatenated vector of lower bounds of the relaxed problem and original problem for multiple classes, and dt, rt as the regularizers for the margins with respect to class t.

Together with the regularizers, we optimize the following objective

where LCE(−p∗C, y) is the cross entropy loss with label y, as adopted by many related works (Wong et al., 2018; Gowal et al., 2018), and we have implicitly abbreviated the inner maximization problem w.r.t. {δi}L−1i=0 into the optimal values p∗C and solution δ∗0 . More details for computing the intermediate and output bounds can be found in Algorithm 1, where we have used ∥·∥1,row to denote row-wise norm, and (·):,j for taking the j-th column.

One major challenge of the convex relaxation approach is the high memory consumption. To compute the bounds xi, xi , we need to pass an identity matrix with the same number of diagonal entries as the total dimensions of the input images, which can make the batch size thousands of times larger than usual. To mitigate this, one can adopt the random projection from (Wong et al., 2018), which projects identity matrices into lower dimensions as Wi:1R to estimate the norm of Wi:1 . Such projections add noise/variance to xi, xi , and the regularizers are affected as well.

5. Experiments

We evaluate the proposed regularizer on two datasets (MNIST and CIFAR10) with two different each. We consider only adversaries. Our implementation is based on the code released by (Wong et al., 2018) for Convex Outer Adversarial Polytope (CP), and (Zhang et al., 2020) for CROWN-IBP, so when λ = γ = 0 , we obtain the same results as CP or CROWN-IBP. We use up to 4 GTX 1080Ti or 2080Ti for all our experiments.

Architectures: We experiment with a variety of different network structures, including a MLP (2x100) with two 100-neuron hidden layers as (Salman et al., 2019), two Conv Nets (Small and Large) that are the same as (Wong et al., 2018), a family of 10 small conv nets and a family of 8 larger conv nets, all the same as (Zhang et al., 2020), and also the same 5-layer convolutional network (XLarge) as in the latest version of CROWN-IBP (Zhang et al., 2020).

Table 1. Results on MNIST, and CIFAR10 with small networks, large networks, and different coefficients of d(x, δ∗0, W, b), r(x, δ∗0, W, b). All entries with positive λ or γ are using our regularizers. For all models not marked as “Exact”, we have projected the input dimension of Wi:1 to 50, the same as (Wong et al., 2018). For values with ∗, larger ϵ is used for training. ϵ = 0.3, 2/255, 8/255 correspond to using ϵ = 0.4, 2.2/255, 8.8/255 for training respectively. For the methods: 1: ( Dvijotham et al., 2018a); 2: ( Xiao et al., 2018); 3: (Mirman et al., 2018); 4 ( Gowal et al., 2018).

The Small convnet has two convolutional layers of 16, 32 output channels each and two FC layers with 100 hidden neurons. The Large convnet has four Conv layers with 32, 32, 64 and 64 output channels each, plus three FC layers of 512 neurons. The XLarge convnet has five conv lyaers with 64, 64, 128, 128, 128 output channels each, with two FC layers of 512 neurons.

Hyper-parameters: For experiments on CP, we use Adam (Kingma & Ba , 2014) with a learning rate of 10−3 and no weight decay. Like (Wong et al., 2018), we train the models for 80 epochs, where in the first 20 epochs the learning rate is fixed but the increases from 0.01/0.001 to its maximum value for MNIST/CIFAR10, and in the following epochs, we reduce learning rate by half every 10 epochs. Unless labelled with “Exact” in the model names of Table 1, we use random projection as in (Wong et al., 2018) for CP experiments to reduce the memory consumption. Due to the noisy estimation of the optimal solutions from these random projections, we also adopt a warm-up schedule for the regularizers in all CP experiments to prevent over-regularization, where λ, γ increases form 0 to the preset values in the first 20 epochs.

For CROWN-IBP, we use the updated expensive training schedule as (Zhang et al., 2020), which uses 200 epochs with batch size 256 for MNIST and 3200 epochs with batch size 1024 for CIFAR10. We also use the afore-mentioned warm up schedule for λ, γ.

5.1. Improving Convex Outer Adversarial Polytope

Table 1 shows comparisons with various approaches. All of our baseline implementations of CP have already improved upon (Wong et al., 2018). After adding the proposed regular-

Table 2. Mean and standard deviation of the family of 10small models on MNIST with ϵ = 0.3 . Here we use a cheaper training schedule with a total of 100 epochs, all in the same setting as the IBP baseline results of (Zhang et al., 2020). Baseline is CROWN-IBP with epoch=140 and lr decay step=20. Like in CROWN-IBP, we run each model 5 times to compute the mean and standard deviation. “Copied” are results from (Zhang et al., 2020).

izers, the certified robust accuracy is further improved upon our baseline in all cases. We also provide results against a 100-step PGD adversary for our CP models. Since both PGD errors and standard errors are reduced in most cases, the regularizer should have improved not only the certified upper bound, but also improved the actual robust error.

Despite the fact that we start from a stronger baseline, the relative improvement on 2x100 with our regularizer (10.3%/8.7%) are comparable to the improvements (5.9%/10.0%) under the same setting from (Salman et al., 2019), which solves for the lower and upper bounds of all intermediate layers via the tightest layer-wise LP relaxation (Figure 1). This indicates that the improvement brought by using our regularizer during training and efficient verifiers (Fast-Lin in this case) for verification is comparable with using the expensive and unstable optimal layer-wise convex relaxation.

Our results with Small are better than the best results of (Dvijotham et al., 2018a; Xiao et al., 2018) on MNIST with ϵ = 0.1 , though not as good as the best of (Mirman et al., 2018), which uses a larger model. When applying the same model on CIFAR10, we achieve better robust error than (Mirman et al., 2018).

The relative improvements in certified robust error for ϵ = 0.1 and 0.3 are 18%/3.4% for the small exact model on MNIST, compared with 0.03%/3.13% for the random projection counterparts. This is mainly because in the exact models, we have better estimates of xi, xi . Still, these consistent improvements validate that our proposed regularizers improve the performance.

We also give ablation studies of the two regularizers in Appendix B and Table 3.

5.2. Improving CROWN-IBP

In its first stage of training, CROWN-IBP (Zhang et al., 2020) trains the network with CROWN (Zhang et al., 2018) to compute the bounds of the final outputs based on the interval bounds of intermediate activations, and in its second stage, CROWN-IBP uses only IBP. We apply our regularizer to the first stage of CROWN-IBP, using interval bounds to over-approximate and ¯xi required by our second regularizer on the optimal pre-activations, to obtain a better intialization for its second stage, and demonstrate improvements in Table 1.

Methods based on interval bounds, including IBP, CROWNIBP and DAI (Mirman et al., 2018), tend to behave not as good as CP when is small. Our regularizers are able to further improve CP on CIFAR10 ( ϵ = 2/255 ), and demonstrate the best result among all approaches compared in this setting, as shown in Table 1. To our knowledge, these are the best results for CIFAR10 () reported on comparable sized models. By using our regularizers on CROWN-IBP to provide a better initialization for the later training stage of pure IBP, our method also achieves the best certified accuracy on MNIST ( ϵ = 0.3 ) and CIFAR10 ( ϵ = 8/255).

To verify the significance of the regularizers, Table 2 shows the mean and variance of the results with the family smaller models on MNIST, demonstrating consistent improvements of our model, while Table 4 (in the appendix) gives the best, median and worst case results with the large models on the MNIST dataset and compares with both IBP and CROWN-IBP.

6. Conclusions

We propose two regularizers based on the convex relaxation bounds for training robust neural networks that can be better verified by efficient verifiers including Fast-Lin and IBP for certifiable robustness. Extensive experiments validate that the regularizers improve robust accuracy over non-regularized baselines, and outperform state-of-the-art approaches. This work is a step towards closing the gap between certified and empirical robustness. Future directions include methods to improve computational efficiency for LP relaxations (and certified methods in general), and better ways to leverage random projections for acceleration.

References

Carlini, N. and Wagner, D. Adversarial examples are not easily detected: Bypassing ten detection methods. In Proceedings of the 10th ACM Workshop on Artificial Intelligence and Security, pp. 3–14. ACM, 2017.

Carlini, N., Katz, G., Barrett, C., and Dill, D. L. Provably minimally-distorted adversarial examples. arXiv preprint arXiv:1709.10207, 2017.

Cheng, C.-H., N¨uhrenberg, G., and Ruess, H. Maximum resilience of artificial neural networks. In International Symposium on Automated Technology for Verification and Analysis, pp. 251–268. Springer, 2017.

Cohen, J. M., Rosenfeld, E., and Kolter, J. Z. Certified adversarial robustness via randomized smoothing. arXiv preprint arXiv:1902.02918, 2019.

Dutta, S., Jha, S., Sankaranarayanan, S., and Tiwari, A. Output range analysis for deep feedforward neural networks. In NASA Formal Methods Symposium, pp. 121– 138. Springer, 2018.

Dvijotham, K., Gowal, S., Stanforth, R., Arandjelovic, R., O’Donoghue, B., Uesato, J., and Kohli, P. Training verified learners with learned verifiers. arXiv preprint arXiv:1805.10265, 2018a.

Dvijotham, K., Stanforth, R., Gowal, S., Mann, T., and Kohli, P. A dual approach to scalable verification of deep networks. arXiv preprint arXiv:1803.06567, 104, 2018b.

Ehlers, R. Formal verification of piece-wise linear feed- forward neural networks. In International Symposium on Automated Technology for Verification and Analysis, pp. 269–286. Springer, 2017.

Fischetti, M. and Jo, J. Deep neural networks as 0-1 mixed integer linear programs: A feasibility study. arXiv preprint arXiv:1712.06174, 2017.

Gehr, T., Mirman, M., Drachsler-Cohen, D., Tsankov, P., Chaudhuri, S., and Vechev, M. Ai2: Safety and robustness certification of neural networks with abstract interpretation. In 2018 IEEE Symposium on Security and Privacy (SP), pp. 3–18. IEEE, 2018.

Goodfellow, I. J., Shlens, J., and Szegedy, C. Explain- ing and harnessing adversarial examples. arXiv preprint arXiv:1412.6572, 2014.

Gowal, S., Dvijotham, K., Stanforth, R., Bunel, R., Qin, C., Uesato, J., Mann, T., and Kohli, P. On the effectiveness of interval bound propagation for training verifiably robust models. arXiv preprint arXiv:1810.12715, 2018.

Hein, M. and Andriushchenko, M. Formal guarantees on the robustness of a classifier against adversarial manipulation. In Advances in Neural Information Processing Systems, pp. 2266–2276, 2017.

Hinton, G., Vinyals, O., and Dean, J. Distilling the knowledge in a neural network. arXiv preprint arXiv:1503.02531, 2015.

Hwang, U., Park, J., Jang, H., Yoon, S., and Cho, N. I. Puvae: A variational autoencoder to purify adversarial examples. arXiv preprint arXiv:1903.00585, 2019.

Katz, G., Barrett, C., Dill, D. L., Julian, K., and Kochender- fer, M. J. Reluplex: An efficient smt solver for verifying deep neural networks. In International Conference on Computer Aided Verification, pp. 97–117. Springer, 2017.

Kingma, D. P. and Ba, J. Adam: A method for stochastic optimization. arXiv preprint arXiv:1412.6980, 2014.

Lomuscio, A. and Maganti, L. An approach to reachability analysis for feed-forward relu neural networks. arXiv preprint arXiv:1706.07351, 2017.

Madry, A., Makelov, A., Schmidt, L., Tsipras, D., and Vladu, A. Towards deep learning models resistant to adversarial attacks. arXiv preprint arXiv:1706.06083, 2017.

Mirman, M., Gehr, T., and Vechev, M. Differentiable ab- stract interpretation for provably robust neural networks. In International Conference on Machine Learning, pp. 3575–3583, 2018.

Papernot, N. and McDaniel, P. Deep k-nearest neighbors: Towards confident, interpretable and robust deep learning. arXiv preprint arXiv:1803.04765, 2018.

Raghunathan, A., Steinhardt, J., and Liang, P. Certified defenses against adversarial examples. arXiv preprint arXiv:1801.09344, 2018.

Salman, H., Yang, G., Zhang, H., Hsieh, C.-J., and Zhang, P. A convex relaxation barrier to tight robust verification of neural networks. NeurIPS, 2019.

Samangouei, P., Kabkab, M., and Chellappa, R. Defense- gan: Protecting classifiers against adversarial attacks using generative models. arXiv preprint arXiv:1805.06605, 2018.

Scheibler, K., Winterer, L., Wimmer, R., and Becker, B. Towards verification of artificial neural networks. In MBMV, pp. 30–40, 2015.

Shafahi, A., Najibi, M., Ghiasi, A., Xu, Z., Dickerson, J., Studer, C., Davis, L. S., Taylor, G., and Goldstein, T. Adversarial training for free! arXiv preprint arXiv:1904.12843, 2019.

Shan, S., Willson, E., Wang, B., Li, B., Zheng, H., and Zhao, B. Y. Gotta catch ’em all: Using concealed trapdoors to detect adversarial attacks on neural networks, 2019.

Singh, G., Gehr, T., Mirman, M., P¨uschel, M., and Vechev, M. Fast and effective robustness certification. In Advances in Neural Information Processing Systems, pp. 10802–10813, 2018.

Szegedy, C., Zaremba, W., Sutskever, I., Bruna, J., Erhan, D., Goodfellow, I., and Fergus, R. Intriguing properties of neural networks. arXiv preprint arXiv:1312.6199, 2013.

Tjeng, V., Xiao, K., and Tedrake, R. Evaluating robust- ness of neural networks with mixed integer programming. arXiv preprint arXiv:1711.07356, 2017.

Uesato, J., O’Donoghue, B., Oord, A. v. d., and Kohli, P. Adversarial risk and the dangers of evaluating against weak attacks. arXiv preprint arXiv:1802.05666, 2018.

Weng, T.-W., Zhang, H., Chen, H., Song, Z., Hsieh, C.- J., Boning, D., Dhillon, I. S., and Daniel, L. Towards fast computation of certified robustness for relu networks. ICML, 2018.

Wong, E. and Kolter, J. Z. Provable defenses against adver- sarial examples via the convex outer adversarial polytope. arXiv preprint arXiv:1711.00851, 2017.

Wong, E., Schmidt, F., Metzen, J. H., and Kolter, J. Z. Scaling provable adversarial defenses. In Advances in Neural Information Processing Systems, pp. 8400–8409, 2018.

Xiao, K. Y., Tjeng, V., Shafiullah, N. M., and Madry, A. Training for faster adversarial robustness verification via inducing relu stability. arXiv preprint arXiv:1809.03008, 2018.

Zhang, D., Zhang, T., Lu, Y., Zhu, Z., and Dong, B. You only propagate once: Painless adversarial training using maximal principle. arXiv preprint arXiv:1905.00877, 2019.

Zhang, H., Weng, T.-W., Chen, P.-Y., Hsieh, C.-J., and Daniel, L. Efficient neural network robustness certifica-tion with general activation functions. In Advances in Neural Information Processing Systems, pp. 4939–4948, 2018.

Zhang, H., Chen, H., Xiao, C., Li, B., Boning, D., and Hsieh, C.-J. Towards stable and efficient training of verifiably robust neural networks. International Conference on Learning Representations, 2020.

A. Proof of Proposition 1

Proof. We only need to prove {z′i, x′i}Li=1 is an optimal solu- tion of both Fast-Lin and CROWN. After that, both a lower bound and feasible solution of O, and therefore is the optimal solution of O.

Here we define x∗i = Wiz∗i + bi for i = 1, ..., L, z∗i+1 = D(L)i x∗i + δ∗i for i = 1, ..., L − 1 , and z∗1 = x + δ∗0 . By definition, {x∗i , z∗i }Li=1 is an optimal solution of Fast-Lin or CROWN. Also, since z∗1 = z′1, we have x′1 = W1z∗1 + b1 = x∗1 . Next, we will prove if the assumption holds, we will have z′2 = z∗2 for both Fast-Lin and CROWN.

For j ∈ I−1 , again, by definition, D(L)1j = 0 , and x∗1j ≤ ¯x1j < 0 , so x′1j = x∗1j < 0, z∗2j = D(L)1j x∗1j = 0 = max(x′1j, 0) = z′2j.

For j ∈ I1:

• If δ∗1j = 0 and x′1j = 0 as assumed in the conditions, since z∗1 = z′1, we know

where W1j is the j-th row of W1 . No matter what value D(L)1j is, z∗2,j = D(L)1j x∗1j = 0, z′2j = max(x′1j, 0) = 0, the equality still holds.

• If δ∗1,j = −¯x1jx1j¯x1j−x1j , for both Fast-Lin and CROWN, z∗2j = −¯x1jx1j¯x1j−x1j (x∗1j − x1j) . Further, if x′1j ∈ {x1j, ¯x1j} as assumed: if x∗1j = x′1j = x1j , then

Now we have proved z′2 = z∗2 for both Fast-Lin and CROWN if the assumption is satisfied. Starting from this layer, using the same argument as above, we can prove z′3 = z∗3 ,..., z′L−1 = z∗L−1 for both Fast-Lin and CROWN. As a result, x′L = x∗L and cTt x′L = cTt x∗L = p∗C , where C can be both Fast-lin and CROWN. Therefore, {z′i, x′i}Li=1 is an optimal solution of C.

B. Ablation Studies of the Two Regularizers

In this section, we give the detailed results with either λ or γ set to 0, i.e., we use only one regularizer in each experiment, in order to compare the effectiveness of the two regularizers. All the results are with the small model on CIFAR10 with ϵ = 2/255 . The best results are achieved with r(x, δ∗0, W, b). We reasoned in 4.2 that d(x, δ∗0, W, b) may not perform well when random projection is adopted. As shown in the supplementary, the best robust error achieved under the same setting when fixing is higher than when fixing λ = 0, which means is more resistant to the noise introduced by random projection. Still, random projections offer a huge efficiency boost when they are used. How to improve the bounds while maintaining efficiency is an important future work.

C. Additional Results on MNIST

See Table 4.

D. Solutions to the Relaxed Problems

In this section, we give more details about the optimal solutions of Fast-Lin (Weng et al., 2018) and CROWN (Zhang et al., 2018), to make this paper self-contained. Recall that for layer-wise convex relaxations, each neuron in the activation layer are independent. {aij, bij, aij, bij} are cho- sen to bound the activations assuming the lower bound xij and upper bound ¯xij of the preactivation xij is known. For

Table 3. Ablation results on CIFAR10 with the small model, where ϵ = 2/255.

Table 4. Our results on the MNIST dataset, with CROWN-IBP. Here we use a cheaper training schedule with a total of 100 epochs, all in the same setting as the IBP baseline results of (Zhang et al., 2020). CI Orig are results copied from the paper, CI ReImp are results of our implementation of CROWN-IBP, and CI Reg is with regularizer r.

aijxij + bij ; for j ∈ I+i , aij = aij = aij = bij = 1 ; for j ∈ I−i , aij = aij = bij = bij = 0.

Optimal Solutions of Fast-Lin In Fast-Lin (Weng et al., 2018), for j ∈ Ii, aij = aij = xijxij−xij , bij = 0, bij =

To compute the lower and upper bound xij and xij for xij , we just need to replace the objective of Eq. C with c⊤ijxi , where cij is a one-hot vector with the same number of entries as xi and the j -th entry being 1 for xij and -1 for xij (an extra negation is applied to the minimum to get xij).

Such constraints allow each intermediate ReLU activation to reach their upper or lower bounds independently. As a result, each intermediate unstable neuron can be seen as an adversary adding a perturbation δij in the range [0, −xijxijxij−xij ] to

a linear transform, represented as zij = xijxij−xij xij + δij . Such a point of view gives rise to a more interpretable explanation for Fast-Lin. If we construct a network from the relaxed constraints, then the problem becomes how to choose the perturbations for both the input and intermediate unstable neurons to minimize c⊤t xL of a multi-layer linear network. Such a linear network under the perturbations is defined as

z i+1 = Dixi+δi, xi = Wizi+bi, for i = 1 , ..., L, z 1 = x+δ0,

(4) where is a diagonal matrix and is a vector. The input perturbation satisfies ∥δ0∥p ≤ ϵ . The j-th diagonal entry

Dij and the j-th entry δij for i > 0 is defined as

With such an observation, we can further unfold the objective in Eq. C 4 into a more interpretable form as

where the first term of RHS is a forward pass of the clean image x through a linear network interleaving between a linear layer x = Wiz + bi and a scaling layer z = Dix, and the second term is the sum of the i-th perturbation passing through all the weight matrices of the linear operation layers and scaling layers Di after it.

Therefore, under such a relaxation, only the second term is affected by the variables {δi}L−1i=0 for optimizing Eq. C. Denote the linear network up to the i-th layer as gi(x), and Wi:i′ = Wi�i−1k=i′ DkWk . We can transform Eq. C with aij = aij = xijxij−xij , bij = 0, bij = −

following constrained optimization problem

where ∥·∥∗ is the dual norm of the p norm. In this way, the optimal value p∗C pC of the relaxed problem (Eq. 7) can be found efficiently without any gradient step. The optimal value can be achieved by just treating the input perturbations and intermediate relaxed ReLU activations as adversaries against a linear network after them.The resulting expression for the lower-bound is

Though starting from different points of view, it can be easily proved that the objective derived from a dual view in (Wong et al., 2018) is the same as Fast-Lin.

Optimal Solution of CROWN The only difference between CROWN and Fast-Lin is in the choice of aij for j ∈ Ii . For ReLU activations, CROWN chooses aij = 1 if ¯xij ≥ −xij , or aij = 0 otherwise. This makes the relaxation tighter than Fast-Lin, but also introduces extra complexity due to the varying . In Fast-Lin, is a constant once the upper and lower bounds ¯xi and are given. For CROWN, since 0 < ¯aij < 1, ¯aij ̸= aij, Di now changes with the optimality condition of , which depends on the layer l and the index k of the neuron/logit of interest. Specifically, for adversaries, the optimality condition of is determined by c⊤lkWl:i , so now we have to apply extra index to the slope as D(l,k)i , as well as the equivalent linear operator as W(l,k)l:1 . As a result, the optimal solution is now

This drastically increase the number of computations, especially when computing the intermediate bounds and ¯xi , where we can no longer just compute a single Wl:1 to get the bound, but have to compute number-of-neuron copies of it for the different values of D(l,k)i in the intermediate layers.

Practical Implementations of the Bounds In practice, the final output bound (also the intermediate bounds) is computed in a backward pass, since we need to determine the value (c⊤lkW(l,k)l:i+1)j to choose the optimal δ∗ij , which is the multiplication of all linear operators after layer i. Computing in a backward pass avoids repeated computation. It proceeds as

E. A Toy Example for Tight Relaxation

Figure 3. Illustration of the data distribution and the decision boundary of the network. In this case, b = 0.3, ϵ = 0.2, x0 = [0.1, 0.42]T .

We give an illustrative example where the optimal solution to the relaxed problem is a feasible solution to the original non-convex problem for certain input samples even when unstable neurons exist. It is a binary clas-sification problem for samples x0 = [x01, x02]T ∈ R2 . We assume is uniformly distributed in S0 ∪ S1 , where

|x01| + b, ∥x0∥∞ ≤ 1} , and 0 < b < 1. The ground-truth label for x0 ∈ S0 and x0 ∈ S1 are 0, 1 respectively. The maximal-margin classifier for such data distribution is 1{z12≥|z12|}, where z1 is the input to the classifier. The data distribution and the associated maximal-margin classifier is shown in Figure 3.

This maximal-margin classifier can be represented by a ReLU network with single hidden layer as 1{h2(z1)≥0} , where h2(z1) = W2σ(W1z1), and

Claim 1 (Convex relaxation can be tight when unstable neurons exist). The solution to the relaxed problem 7 is feasible for the original non-convex problem O of the aforementioned ReLU network h2(x0 + δ0) = W2σ(W1(x0 + δ0)) for any x0 ∈ S1 under any perturbation δ0 ∈ {δ|∥δ∥∞ ≤ ϵ, 0 < ϵ < b}.

Proof. Both the network and are symmetric in x01, there- fore it is sufficient to prove the result for x01 ≥ 0.

(1) If x01 ≥ ϵ , since x01 ∈ S1, x02 ≥ b + ϵ . The 4 neurons in x1 = W1(x0 + δ0) are either non-negative or non-positive for any δ0 ∈ {δ|∥δ∥∞ ≤ ϵ, 0 < ϵ < b} and the convex relaxation is tight.

(2) If x01 < ϵ , for any input sample x0 ∈ {x|x = [a, c]T , 0 < a < b < b + a ≤ c} ⊆ S1 , the optimal perturbation δ∗O ∈ {δ|∥δ∥∞ ≤ ϵ, 0 < a < ϵ < b} can be inferred from Figure 3 as [ϵ, −ϵ]T . The corresponding ReLU activations and the optimal solution are

Meanwhile, for the relaxed problem, the lower and upper bounds of the hidden neurons x1 = W1z1 are

Therefore, the first 2 hidden neurons are unstable neurons, and the convex relaxation we are using will relax the ReLU operation z2 = σ(x1) into z2 = D1x1 + δ1 , where is a diagonal matrix, and are slack variables bounded by 0 ≤ δ1 ≤ ¯δ1 . The diagonal entries of and the upper bounds ¯δ1 are defined by Eq. 5 as

i.e., δ13 and δ14 are always 0. The relaxed linear network, as defined by the constraints in Eq. C with our spe-cific relaxation, is now determined as x2 = h2(z1) = W2(D1W1(x + δ0) + δ1) . It can be written into the same

form as Eq. 6 as

z ∗2 = D1W1(x+δ∗0)+δ∗1 = [a+ϵ, 0, c−ϵ, 0]T , x∗2 = c−a−2ϵ,

the same as the optimal solution of the original non-convex problem given in Eq. 14. This shows both of the regularizers, in this case instantiated as

are able to reach 0 for certain networks and samples when non-stable neurons exist.

It might seem that adding d(x, δ∗0, W, b) = p′O(x, δ∗0) − p∗C as a regularizer into the loss function will undesirably minimize the margin for the ReLU network. The- oretically, however, it is not the case, since min p′O − p∗C is a different optimization problem from neither nor max p∗C . In fact, the non-negative d(x, δ∗0, W, b) could be minimized to 0 with both p′O and p∗C taking large val- ues. In the illustrative example, it is easy to see that for any x0 ∈ {x|x = [a, c]T , 0 < a < b < b + a ≤ c} , d(x, δ∗0, W, b) = ct(x′2 − x∗2) = 0 , but p′O = p∗C = c − a − 2ϵ > 0 when ϵ < b2.

Moreover, since we are maximizing p∗C via the robust cross entropy loss2 while minimizing the non-negative difference p′O − p∗C , the overall objective tends to converge to a state where both p′O and p∗C are large.

F. Difﬁculties in Adapting IBP for ℓ2 Adversary

The Inverval Bound Propagation (IBP) method discussed here is defined in the same way as (Gowal et al., 2018), where the bound of the margins are computed layer-wise from the input layer to the final layer, and the bound of each neuron is considered independently for both bounding that neuron and using its inverval to bound other neurons.

It is natural to apply IBP against adversaries, since each neurons are allowed to change independently in its interval, which is similar to the ball. One way to generalize IBP to other norms is to modify the bound propagation in the first layer, such that any of its output neuron (i) is bounded by an interval centered at x1i = W1,ix + b1,i with a radius of ϵp∥W1,i∥p∗, where x1i the clean image x’s response, and W1,i is the first layer’s linear transform corresponding to the neuron, and ∥·∥p∗ is the dual norm of ∥·∥p, with 1p + 1p∗ = 1. We refer to this approach IBP( ℓp, ϵp ). Here by the example of norm, we show such an adaptation may not be able to obtain a robust convolutional neural network compared with established results, such as reaching 61% certified accuracy on CIFAR10 with Cohen et al., 2019).

Specifically, for adversaries within the -ball B2,ϵ2(x) , IBP( ℓ2, ϵ2 ) computes the upper and lower bounds as

By comparison, for some adversary within the -ball B∞,ϵ∞(x) , IBP( ℓ∞, ϵ∞ ) computes the upper and lower bounds as

Since the two approaches are identical in the following layers, to analyze the best-case results of IBP( ℓ2, ϵ2) based on established results of IBP( ℓ∞, ϵ∞ ), it suffices to compare the results of IBP( ℓ∞, ϵ∞) with ϵ∞ set to some value such that the range ¯x∞1 − x∞1 of Eq. 18 is majorized by the range ¯x21 − x21 of Eq. 17. In this way, we are assuming a weaker adversary for IBP() than the original IBP( ℓ2, ϵ2 ), so its certified accuracy is an upper bound of IBP(). Therefore, it suffices to let

For any W1,i ∈ Rd , we have ∥W1,i∥1 ≤√d∥W1,i∥2 . To make Eq. 19 hold for any , we can set

In general, d is equal to the data dimension, such as 3072 for the CIFAR10 dataset. However, for convolutional neural networks, the first layer is usually convolutional layers and W1,i is a 3072-dimensional sparse vector with at most k × k × 3 non-zero entries at fixed positions for convolution kernels with size k and input images with 3 channels. In (Zhang et al., 2020; Gowal et al., 2018; Wong et al., 2018), k = 3 for their major results. In this case,

Under such assumptions, for ϵ2 = 0.25 , the certified accuracy of IBP(, 0.25) on CIFAR10 should be upper bounded by IBP(, 0.04811), unless changing the first layer bounds into norm based bounds significantly harms the performance.3 The best available results of certified accuracies are 33.06% for IBP(, 0.03137) and 23.20% for IBP( ℓ∞, 0.06275) (Zhang et al., 2020). Comparing with the established results from (Cohen et al., 2019) (61%), we can conclude the certified accuracy of IBP(, 0.25) is at least 27.93% to 37.80% lower than the best available results, since we are assuming a weaker adversary.

IBP( ℓ2, ϵ2 ) is also not as good as the results with convex relaxation from (Wong et al., 2018), where the best singlemodel (with projection as approximation) certified accuracy with ϵ2 = 36/255 is 51.09%. For IBP, this adversary is no weaker than ϵ∞ = 6.9282/255 . The best available results for IBP(, 2/255) and IBP(, 8/255) are 50.02% (Gowal et al., 2018) and 33.06% (Zhang et al., 2020) respectively, which indicates the certified accuracy of IBP(, 36/255) is at least 1.07% to 18.03% worse (much loser to 18.03%) than the approximated version of convex relaxation under the same adversary.

Designed for Accessibility and to further Open Science