36:[["$","audio",null,{"id":"tts"}],["$","$L3b",null,{"paperID":"2003.00120","publisher":"arxiv","paperJSON":{"title":"Improving Certified Robustness via Statistical Learning with Logical Reasoning","paperID":"2003.00120","avgLineHeight":10.95,"imgScale":4,"sections":[{"heading":"Abstract","paragraphs":[[{"text":"Intensive algorithmic efforts have been made to enable the rapid improvements of certificated robustness for complex ML models recently. However, current robustness certification methods are only able to certify under a limited perturbation radius. Given that existing ","element":"span"},{"style":{"fontStyle":"italic"},"text":"pure data-driven ","element":"span"},{"text":"statistical approaches have reached a bottleneck, in this paper, we propose to integrate statistical ML models with knowledge (expressed as logical rules) as a ","element":"span"},{"style":{"fontStyle":"italic"},"text":"reasoning ","element":"span"},{"text":"component using Markov logic networks (MLN), so as to further improve the overall certified robustness. This opens new research questions about certifying the robustness of such a paradigm, especially the reasoning component (e.g., MLN). As the first step towards understanding these questions, we first prove that the computational complexity of certifying the robustness of MLN is ","element":"span"},{"text":"#P","element":"span"},{"text":"-hard. Guided by this hardness result, we then derive the first certified robustness bound for MLN by carefully analyzing different model regimes. Finally, we conduct extensive experiments on five datasets including both high-dimensional images and natural language texts, and we show that the certified robustness with knowledge-based logical reasoning indeed significantly outperforms that of the state-of-the-arts.","element":"span"}]]},{"heading":"1 Introduction","paragraphs":[[{"text":"Given extensive studies on adversarial attacks against ML models recently ","element":"span"},{"href":"#id-0","referenceIndex":3,"text":"[3, ","element":"a"},{"href":"#id-1","referenceIndex":13,"text":"13, ","element":"a"},{"href":"#id-2","referenceIndex":39,"text":"39, ","element":"a"},{"href":"#id-3","referenceIndex":24,"text":"24, ","element":"a"},{"href":"#id-4","referenceIndex":65,"text":"65, ","element":"a"},{"href":"#id-5","referenceIndex":23,"text":"23, ","element":"a"},{"href":"#id-6","referenceIndex":54,"text":"54]","element":"a"},{"text":", building models that are robust against such attacks is an important and emerging topic. Thus, a plethora of ","element":"span"},{"style":{"fontStyle":"italic"},"text":"empirical defenses ","element":"span"},{"text":"have been proposed to improve the ML robustness ","element":"span"},{"href":"#id-7","referenceIndex":30,"text":"[30, ","element":"a"},{"href":"#id-8","referenceIndex":60,"text":"60, ","element":"a"},{"href":"#id-9","referenceIndex":22,"text":"22, ","element":"a"},{"href":"#id-10","referenceIndex":44,"text":"44, ","element":"a"},{"href":"#id-6","referenceIndex":54,"text":"54, ","element":"a"},{"href":"#id-11","referenceIndex":53,"text":"53]","element":"a"},{"text":"; however, most of these are attacked again by stronger adaptive attacks ","element":"span"},{"href":"#id-0","referenceIndex":3,"text":"[3, ","element":"a"},{"href":"#id-12","referenceIndex":1,"text":"1, ","element":"a"},{"href":"#id-13","referenceIndex":47,"text":"47]","element":"a"},{"text":". To end such repeated security cat-and-mouse games, there is a line of research focusing on developing ","element":"span"},{"style":{"fontStyle":"italic"},"text":"certified defenses ","element":"span"},{"text":"for DNNs under certain adversarial constraints ","element":"span"},{"href":"#id-14","referenceIndex":8,"text":"[8, ","element":"a"},{"href":"#id-15","referenceIndex":26,"text":"26, ","element":"a"},{"href":"#id-16","referenceIndex":25,"text":"25, ","element":"a"},{"href":"#id-17","referenceIndex":55,"text":"55, ","element":"a"},{"href":"#id-18","referenceIndex":28,"text":"28, ","element":"a"},{"href":"#id-19","referenceIndex":62,"text":"62, ","element":"a"},{"href":"#id-20","referenceIndex":27,"text":"27, ","element":"a"},{"href":"#id-21","referenceIndex":61,"text":"61, ","element":"a"},{"href":"#id-22","referenceIndex":59,"text":"59]","element":"a"},{"text":".","element":"span"}],[{"text":"Though promising, existing ","element":"span"},{"style":{"fontStyle":"italic"},"text":"certified defenses ","element":"span"},{"text":"are restricted to certifying the model robustness within a limited ","element":"span"},{"style":{"height":7.2},"width":33.6,"height":18,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/1-0.png","element":"img","alt":" ℓp","inline":true,"padRight":true},{"text":"norm bounded perturbation radius ","element":"span"},{"href":"#id-23","referenceIndex":57,"text":"[57, ","element":"a"},{"href":"#id-14","referenceIndex":8,"text":"8]","element":"a"},{"text":". One potential reason for such limitations for existing robust learning approaches is inherent in the fact that most of them have been treating machine learning as a “pure data-driven\" technique that solely depends on a given training set, without interacting with the rich exogenous information such as domain knowledge (e.g., ","element":"span"},{"style":{"fontStyle":"italic"},"text":"a stop sign should be of the octagon shape","element":"span"},{"text":"); while we know human, who has knowledge and inference abilities, is resilient to such attacks. Indeed, a recent seminal work ","element":"span"},{"href":"#id-24","referenceIndex":17,"text":"[17] ","element":"a"},{"text":"illustrates that integrating knowledge rules can significantly improve the ","element":"span"},{"style":{"fontStyle":"italic"},"text":"empirical ","element":"span"},{"text":"robustness of ML models, while leaving the ","element":"span"},{"style":{"fontStyle":"italic"},"text":"certified robustness ","element":"span"},{"text":"completely unexplored.","element":"span"}],[{"text":"In this paper, we follow this promising ","element":"span"},{"style":{"fontFamily":"monospace"},"text":"Learning+Reasoning ","element":"span"},{"text":"paradigm ","element":"span"},{"href":"#id-24","referenceIndex":17,"text":"[17] ","element":"a"},{"text":"and conduct, to our best knowledge, the first study on certified robustness for it. Actually, such a ","element":"span"},{"style":{"fontFamily":"monospace"},"text":"Learning+Reasoning ","element":"span"},{"text":"paradigm has enabled a diverse range of applications ","element":"span"},{"href":"#id-25","referenceIndex":38,"text":"[38, ","element":"a"},{"href":"#id-26","referenceIndex":63,"text":"63, ","element":"a"},{"href":"#id-27","referenceIndex":2,"text":"2, ","element":"a"},{"href":"#id-28","referenceIndex":37,"text":"37, ","element":"a"},{"href":"#id-29","referenceIndex":32,"text":"32, ","element":"a"},{"href":"#id-30","referenceIndex":56,"text":"56, ","element":"a"},{"href":"#id-24","referenceIndex":17,"text":"17, ","element":"a"},{"href":"#id-31","referenceIndex":43,"text":"43] ","element":"a"},{"text":"including the ECCV’14 best paper ","element":"span"},{"href":"#id-32","referenceIndex":10,"text":"[10] ","element":"a"},{"text":"that encodes label relationships as a probabilistic graphical model and improves the ","element":"span"},{"style":{"fontStyle":"italic"},"text":"empirical ","element":"span"},{"text":"performance of deep neural networks on ImageNet. In this work, we first provide a concrete ","element":"span"},{"style":{"fontStyle":"italic"},"text":"Sensing-reasoning pipeline ","element":"span"},{"text":"following such paradigm to integrate statistical learning with logical reasoning as illustrated in Figure ","element":"span"},{"href":"#id-33","text":"1. ","element":"a"},{"text":"In particular, the ","element":"span"},{"style":{"fontStyle":"italic"},"text":"Sensing Component ","element":"span"},{"text":"contains a set of statistical ML models such as deep neural networks (DNNs) that output their predictions as a set of Boolean random variables; and the ","element":"span"},{"style":{"fontStyle":"italic"},"text":"Reasoning Component ","element":"span"},{"text":"takes this set of Boolean random variables as inputs for logical inference models such as Markov logic networks (MLN) ","element":"span"},{"href":"#id-34","referenceIndex":40,"text":"[40] ","element":"a"},{"text":"or Bayesian networks (BN) ","element":"span"},{"href":"#id-35","referenceIndex":36,"text":"[36] ","element":"a"},{"text":"to produce the final output. We then prove the hardness of certifying the robustness of such a pipeline with MLN for reasoning. Finally, we provide an algorithm to certify the robustness of sensing-reasoning pipeline and we evaluate it on five datasets including both image and text data.","element":"span"}],[{"id":"id-33","style":{"width":"99%"},"width":1574,"height":386,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/1-1.png","element":"img"}],[{"text":"Figure 1: ","element":"figcaption","subtype":"caption"},{"text":"The sensing-reasoning pipeline, i.e., a ","element":"figcaption","subtype":"caption"},{"style":{"fontStyle":"italic"},"text":"sensing component ","element":"figcaption","subtype":"caption"},{"text":"consists of DNNs and a ","element":"figcaption","subtype":"caption"},{"style":{"fontStyle":"italic"},"text":"reasoning component ","element":"figcaption","subtype":"caption"},{"text":"is constructed as MLN. The goal of this paper is to provide certified robustness for such a pipeline, espe-","element":"figcaption","subtype":"caption"}],[{"style":{"width":"78%"},"width":1249,"height":96,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/1-2.png","element":"img"}],[{"text":"Compared with previous efforts focusing on certified robustness of neural networks, the reasoning component brings its own challenges and opportunities. Different from a neural network whose inference can be executed in polynomial time, many reasoning models such as MLN can be ","element":"span"},{"text":"#P","element":"span"},{"text":"-complete for inference. However, as many reasoning models define a probability distribution in the exponential family, we have more functional structures that could potentially make the robustness optimization (which essentially solves a min-max problem) easier. ","element":"span"},{"style":{"fontStyle":"italic"},"text":"In this paper, we provide the first treatment to this problem characterized by these unique challenges and opportunities.","element":"span"}],[{"text":"We focus on MLN as the ","element":"span"},{"style":{"fontStyle":"italic"},"text":"reasoning component","element":"span"},{"text":", and explored three technical questions, each of which corresponds to a technical contribution of this work.","element":"span"}],[{"style":{"fontStyle":"italic"},"text":"1. Is certifying robustness for the reasoning component feasible when the inference of the reasoning component is ","element":"span"},{"style":{"fontStyle":"italic"},"text":"#P","element":"span"},{"style":{"fontStyle":"italic"},"text":"-hard? ","element":"span"},{"text":"(Section ","element":"span"},{"text":"3) ","element":"span"},{"text":"Before any concrete algorithm can be proposed, it is important to understand the computational complexity of the robustness certification. We first prove that the famous problem of counting in statistical inference ","element":"span"},{"href":"#id-36","referenceIndex":50,"text":"[50] ","element":"a"},{"text":"can be reduced to the problem of checking the certified robustness of general reasoning components and MLN. Therefore, checking certified robustness is no easier than counting on the same family of distribution. In other words, when the reasoning component is a graphical model such as MLN, checking certified robustness is no easier than calculating the partition function of the underlying graphical model, which is ","element":"span"},{"text":"#P","element":"span"},{"text":"-hard.","element":"span"}],[{"style":{"fontStyle":"italic"},"text":"2. Can we efficiently reason about the certified robustness for the reasoning component when given an oracle for statistical inference? ","element":"span"},{"text":"(Section ","element":"span"},{"href":"#id-37","text":"4.2) ","element":"a"},{"text":"Given the above hardness result, we focus on certifying the robustness given an inference oracle. However, even when statistical inference can be done by a given oracle ","element":"span"},{"href":"#id-38","referenceIndex":21,"text":"[21, ","element":"a"},{"href":"#id-39","referenceIndex":18,"text":"18]","element":"a"},{"text":", it is still challenging to certify the robustness of MLN. Our second technical contribution is to develop such an algorithm for MLN as the reasoning component. We prove that providing certified robustness for MLN is possible because of the structure inherent in the probabilistic graphical models and distributions in the exponential family, which could lead to monotonicity and convexity properties under certain conditions for solving the certification optimization.","element":"span"}],[{"style":{"fontStyle":"italic"},"text":"3. Can a reasoning component improve the certified robustness compared with the state-of-the-art certification methods? ","element":"span"},{"text":"(Section ","element":"span"},{"text":"5) ","element":"span"},{"text":"We test our algorithms on multiple sensing-reasoning pipelines, in which the sensing components contain the state-of-the-art ","element":"span"},{"style":{"fontStyle":"italic"},"text":"deep neural networks","element":"span"},{"text":". We construct these pipelines to cover a range of applications including image classification and natural language processing tasks. We show that based on our certification method on the reasoning component, the knowledge-enriched sensing-reasoning pipelines achieves significantly higher certified robustness than the state-of-the-art certification methods for DNNs.","element":"span"}],[{"text":"The rest of the paper is organized as follows. We will first introduce the design of the sensing-reasoning pipeline in Section ","element":"span"},{"href":"#id-40","text":"2.1, ","element":"a"},{"text":"followed by concrete illustrations taking the Markov Logic Networks as an example of the reasoning component in Section ","element":"span"},{"href":"#id-41","text":"2.2. ","element":"a"},{"text":"Next, to certify the robustness of the sensing-reasoning pipeline, especially for the reasoning component, we first prove that certifying the robustness of the reasoning component itself is ","element":"span"},{"text":"#P","element":"span"},{"text":"-complete (Section ","element":"span"},{"text":"3)","element":"span"},{"text":", and therefore we propose a certification algorithm to upper/lower bound the certification in Section ","element":"span"},{"text":"4, ","element":"span"},{"text":"We provide the evaluation of our robustness certification considering different tasks in Section ","element":"span"},{"text":"5.","element":"span"}]]},{"heading":"2 Robust Statistical Learning with Logical Reasoning","paragraphs":[[{"text":"In this section, we first provide a sensing-reasoning pipeline and then formally defined its certified robustness, and particularly links it to certifying the robustness for the reasoning component.","element":"span"}],[{"id":"id-40","style":{"fontWeight":"bold"},"text":"2.1 ","element":"span"},{"style":{"fontWeight":"bold"},"text":"Sensing-Reasoning Pipeline","element":"span"}],[{"id":"id-42","style":{"width":"50%"},"width":807,"height":402,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/2-0.png","element":"img"}],[{"text":"Figure 2: ","element":"figcaption","subtype":"caption"},{"text":"A sensing-reasoning pipeline with MLN as","element":"figcaption","subtype":"caption"}],[{"text":"A sensing-reasoning pipeline contains a set of ","element":"span"},{"style":{"fontStyle":"italic"},"text":"n ","element":"span"},{"text":"sensors ","element":"span"},{"style":{"height":17.68},"width":148.02,"height":44.2,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/2-1.png","element":"img","alt":" {Si}i∈[n]","inline":true,"padRight":true},{"text":"and a reasoning component ","element":"span"},{"style":{"fontStyle":"italic"},"text":"R","element":"span"},{"text":". Each sensor is a binary classifier (for multi-class classifier it corresponds to a group of sensors) — given an input data example ","element":"span"},{"style":{"fontStyle":"italic"},"text":"X","element":"span"},{"text":", each of the sensor ","element":"span"},{"style":{"height":13.19},"width":35.44,"height":32.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/2-2.png","element":"img","alt":" Si","inline":true,"padRight":true},{"text":"outputs a probability ","element":"span"},{"style":{"height":16},"width":320.21,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/2-3.png","element":"img","alt":" pi(X) (i.e., if Si is a","inline":true,"padRight":true},{"text":"neural network, ","element":"span"},{"style":{"height":16},"width":100.96,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/2-4.png","element":"img","alt":" pi(X)","inline":true,"padRight":true},{"text":"represents its output after the final softmax layer). The reasoning component takes the outputs of all sensing models as its inputs, and outputs a new Boolean random","element":"span"}],[{"text":"variable ","element":"span"},{"style":{"height":17.68},"width":284.35,"height":44.2,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/2-5.png","element":"img","alt":" R({pi(X)}i∈[n]).","inline":true}],[{"text":"One natural choice of the reasoning component is to use a probabilistic graphical model (PGM). In the following subsection, we will make the reasoning component ","element":"span"},{"style":{"fontStyle":"italic"},"text":"R ","element":"span"},{"text":"more concrete by instantiating it as a Markov logic network (MLN). The output of a sensing-reasoning pipeline on the input data example ","element":"span"},{"style":{"fontStyle":"italic"},"text":"X ","element":"span"},{"text":"is the expectation of the output of reasoning component ","element":"span"},{"style":{"height":17.68},"width":387.05,"height":44.2,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/2-6.png","element":"img","alt":" R: E[R({pi(X)}i∈[n])].","inline":true,"padRight":true},{"style":{"fontWeight":"bold"},"text":"Example. ","element":"span"},{"text":"A sensing-reasoning pipeline provides a generic, principled way of integrating domain knowledge with the output of statistical predictive models such as neural networks. One such example is ","element":"span"},{"href":"#id-32","referenceIndex":10,"text":"[10] ","element":"a"},{"text":"the task of ImageNet classification. Here each sensing model corresponds to the classifier for one specific class in ImageNet, e.g., ","element":"span"},{"style":{"height":16.79},"width":142.94,"height":41.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/2-7.png","element":"img","alt":" Sdog(X)","inline":true,"padRight":true},{"text":"and ","element":"span"},{"style":{"height":16},"width":198.13,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/2-8.png","element":"img","alt":" Sanimal(X)","inline":true},{"text":". The reasoning component then encodes domain knowledge such that “","element":"span"},{"style":{"fontStyle":"italic"},"text":"If an image is classified as a dog then it must also be classified as an animal","element":"span"},{"text":"” using a PGM. There is no prior work considering the certified robustness of such a knowledge-enabled ML pipeline. Figure ","element":"span"},{"href":"#id-42","text":"2 ","element":"a"},{"text":"illustrates a concrete sensing-reasoning pipeline, in which the reasoning component is implemented as an MLN.","element":"span"}],[{"id":"id-41","style":{"fontWeight":"bold"},"text":"2.2 ","element":"span"},{"style":{"fontWeight":"bold"},"text":"Reasoning Component as Markov Logic Networks","element":"span"}],[{"text":"Given the generic definition of a sensing-reasoning pipeline, one can use different models to implement the reasoning components. In this paper, we focus on Markov logic networks (MLN), which is a popular way to define a probabilistic graphical model using first-order logic ","element":"span"},{"href":"#id-43","referenceIndex":41,"text":"[41]","element":"a"},{"text":". Concretely, we define the reasoning component implemented as an MLN, which contains a set of weighted first-order ","element":"span"},{"text":"logic rules, as illustrated in Figure ","element":"span"},{"href":"#id-42","text":"2(","element":"a"},{"text":"b). After grounding, an MLN defines a joint probabilistic distribution among a collection of random variables, as illustrated in Figure ","element":"span"},{"href":"#id-42","text":"2(","element":"a"},{"text":"c). We adapt the standard MLN semantics to a sensing-reasoning pipeline and use a slightly more general variant compared with the original MLN ","element":"span"},{"href":"#id-43","referenceIndex":41,"text":"[41]","element":"a"},{"text":". Each MLN program corresponds to a factor graph — Due to the space limitation, we will not discuss the grounding part and point the readers to ","element":"span"},{"href":"#id-43","referenceIndex":41,"text":"[41]","element":"a"},{"text":". We focus on defining the result after grounding, i.e., the factor graph.","element":"span"}],[{"text":"Specifically, a grounded MLN is a factor graph ","element":"span"},{"style":{"fontStyle":"italic"},"text":"G ","element":"span"},{"text":"= (","element":"span"},{"style":{"fontStyle":"italic"},"text":"V","element":"span"},{"style":{"fontStyle":"italic"},"text":", ","element":"span"},{"style":{"fontStyle":"italic"},"text":"F","element":"span"},{"text":")","element":"span"},{"text":", where ","element":"span"},{"style":{"fontStyle":"italic"},"text":"V ","element":"span"},{"text":"is a set of Boolean random variables. Specific to a sensing-reasoning pipeline, there are two types of random variables ","element":"span"},{"style":{"height":12.8},"width":184.89,"height":32,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/3-0.png","element":"img","alt":" V = X ∪Y:","inline":true}],[{"text":"1. ","element":"span"},{"style":{"fontWeight":"bold"},"text":"Interface Variables ","element":"span"},{"style":{"height":17.68},"width":249.62,"height":44.2,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/3-1.png","element":"img","alt":" X = {xi}i∈[n]:","inline":true,"padRight":true},{"text":"Each sensing model ","element":"span"},{"style":{"height":13.19},"width":35.44,"height":32.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/3-2.png","element":"img","alt":" Si","inline":true,"padRight":true},{"text":"corresponds to one interface variable ","element":"span"},{"style":{"height":9.19},"width":33.78,"height":22.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/3-3.png","element":"img","alt":" xi","inline":true,"padRight":true},{"text":"in the grounded factor graph;","element":"span"}],[{"text":"2. ","element":"span"},{"style":{"fontWeight":"bold"},"text":"Interior variables ","element":"span"},{"style":{"height":17.68},"width":234.75,"height":44.2,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/3-4.png","element":"img","alt":" Y = {yi}i∈[m]","inline":true,"padRight":true},{"text":"are other variables introduced by the MLN model.","element":"span"}],[{"text":"Each factor ","element":"span"},{"style":{"height":12},"width":113.89,"height":30,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/3-5.png","element":"img","alt":" F ∈ F","inline":true,"padRight":true},{"text":"contains a weight ","element":"span"},{"style":{"height":9.59},"width":52.52,"height":23.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/3-6.png","element":"img","alt":" wF","inline":true,"padRight":true},{"text":"and a factor function ","element":"span"},{"style":{"height":14},"width":43.51,"height":35,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/3-7.png","element":"img","alt":" fF","inline":true,"padRight":true},{"text":"defined over a subset of variables ","element":"span"},{"style":{"height":16},"width":432.31,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/3-8.png","element":"img","alt":"¯vF ⊆ V that returns {0, 1}","inline":true},{"text":". There are two sets of factors ","element":"span"},{"style":{"height":13.2},"width":201.12,"height":33,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/3-9.png","element":"img","alt":" F = G ∪ H:","inline":true}],[{"text":"1. ","element":"span"},{"style":{"fontWeight":"bold"},"text":"Interface Factors ","element":"span"},{"style":{"fontStyle":"italic"},"text":"G","element":"span"},{"style":{"fontWeight":"bold"},"text":": ","element":"span"},{"text":"For each interface variable ","element":"span"},{"style":{"height":9.19},"width":33.78,"height":22.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/3-10.png","element":"img","alt":" xi","inline":true},{"text":", we create one interface factor ","element":"span"},{"style":{"height":13.59},"width":124.97,"height":33.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/3-11.png","element":"img","alt":" Gi with","inline":true,"padRight":true},{"text":"weight ","element":"span"},{"style":{"height":16},"width":527.13,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/3-12.png","element":"img","alt":" wGi = log[pi(X)/(1 − pi(X))]","inline":true,"padRight":true},{"text":"and factor function ","element":"span"},{"style":{"height":16},"width":322.17,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/3-13.png","element":"img","alt":" fGi(a) = I[a = 1]","inline":true,"padRight":true},{"text":"defined over ","element":"span"},{"style":{"height":18.56},"width":216.56,"height":46.4,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/3-14.png","element":"img","alt":" ¯vfGi = {xi}.","inline":true}],[{"text":"2. ","element":"span"},{"style":{"fontWeight":"bold"},"text":"Interior Factors ","element":"span"},{"style":{"fontStyle":"italic"},"text":"H ","element":"span"},{"text":"are other factors introduced by the MLN program.","element":"span"}],[{"style":{"fontStyle":"italic"},"text":"Remarks: MLN-specific Structure. ","element":"span"},{"text":"Our result applies to a more general family of factor graphs and are not necessarily specific to those grounded by MLN. Moreover, MLN provides an intuitive way of grounding such a factor graph with domain knowledge, and factor graphs grounded by MLN have certain properties that we will use later, e.g., all factors only return non-negative values, and there are no unusual weight sharing structures.","element":"span"}],[{"text":"The above factor graph defines a joint probability distribution among all variables ","element":"span"},{"style":{"fontStyle":"italic"},"text":"V","element":"span"},{"text":". We define a ","element":"span"},{"style":{"fontStyle":"italic"},"text":"possible world ","element":"span"},{"text":"as a function ","element":"span"},{"style":{"height":16},"width":244.6,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/3-15.png","element":"img","alt":" σ : V �→ {0, 1}","inline":true,"padRight":true},{"text":"that corresponds to one possible assignment of values to each random variable. Let ","element":"span"},{"style":{"height":10.8},"width":29,"height":27,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/3-16.png","element":"img","alt":" Σ","inline":true,"padRight":true},{"text":"denote the set of all (exponentially many) possible worlds.","element":"span"}],[{"text":"The ","element":"span"},{"style":{"fontStyle":"italic"},"text":"statistical inference ","element":"span"},{"text":"process of a reasoning component implemented using MLNs ","element":"span"},{"href":"#id-43","referenceIndex":41,"text":"[41] ","element":"a"},{"text":"computes the marginal probability of a given variable ","element":"span"},{"style":{"height":11.6},"width":108.15,"height":29,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/3-17.png","element":"img","alt":" v ∈ V:","inline":true}],[{"style":{"width":"80%"},"width":1279,"height":44,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/3-18.png","element":"img"}],[{"text":"where the partition functions ","element":"span"},{"style":{"height":13.59},"width":165.76,"height":33.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/3-19.png","element":"img","alt":" Z1 and Z2","inline":true,"padRight":true},{"text":"are defined as","element":"span"}],[{"style":{"width":"75%"},"width":1197,"height":259,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/3-20.png","element":"img"}],[{"style":{"fontWeight":"bold"},"text":"Why ","element":"span"},{"style":{"height":16},"width":535.16,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/3-21.png","element":"img","alt":" wGi = log[pi(X)/(1 − pi(X))]?","inline":true,"padRight":true},{"text":"When the MLN does not introduce any interior variables and","element":"span"}],[{"text":"interior factors, it is easy to see that setting ","element":"span"},{"style":{"height":16},"width":510.35,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/3-22.png","element":"img","alt":" wGi = log[pi(X)/(1 − pi(X))]","inline":true,"padRight":true},{"text":"ensures that the marginal probability of each interface variable equals to the output of the original sensing model ","element":"span"},{"style":{"height":16},"width":193.94,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/3-23.png","element":"img","alt":" pi(X). This","inline":true,"padRight":true},{"text":"means that if we do not have additional knowledge in the reasoning component, the pipeline outputs the ","element":"span"},{"style":{"fontStyle":"italic"},"text":"same ","element":"span"},{"text":"distribution as the original sensing component.","element":"span"}],[{"style":{"fontWeight":"bold"},"text":"Learning Weights for Interior Factors? ","element":"span"},{"text":"In this paper, we view all weights for interior factors as","element":"span"}],[{"text":"hyperparameters. These weights can be learned by maximizing the likelihood with weight learning algorithms for MLNs ","element":"span"},{"href":"#id-44","referenceIndex":29,"text":"[29]","element":"a"},{"text":".","element":"span"}],[{"style":{"fontWeight":"bold"},"text":"Beyond Marginal Probability for a Single Variable. ","element":"span"},{"text":"We have assumed that the output of a sensing-","element":"span"}],[{"text":"reasoning pipeline is the marginal probability distribution of a given random variable in the grounded factor graph. However, our result can be more general — given a function over possible worlds and outputs ","element":"span"},{"style":{"fontStyle":"italic"},"text":"{","element":"span"},{"text":"0","element":"span"},{"style":{"fontStyle":"italic"},"text":", ","element":"span"},{"text":"1","element":"span"},{"style":{"fontStyle":"italic"},"text":"}","element":"span"},{"text":", the output of a pipeline can be the marginal probability of such a function. This will not change the algorithm that we propose later.","element":"span"}]]},{"heading":"3 Hardness of Certifying Reasoning Robustness","paragraphs":[[{"style":{"fontStyle":"italic"},"text":"Given a reasoning component ","element":"span"},{"style":{"fontStyle":"italic"},"text":"R","element":"span"},{"style":{"fontStyle":"italic"},"text":", how hard is it to reason about its robustness? ","element":"span"},{"text":"In this section, we aim at understanding this fundamental question. In order to provide the certified robustness of the ","element":"span"},{"text":"reasoning component, which is defined as the lower bound of model predictions for inputs considering an adversarial perturbation with bounded magnitude ","element":"span"},{"href":"#id-14","referenceIndex":8,"text":"[8]","element":"a"},{"text":", we need to analyze the hardness of this certification problem first. Specifically, we present the hardness results of determining the robustness of the reasoning component defined above, before we can provide our certification algorithm in Section ","element":"span"},{"href":"#id-37","text":"4.2. ","element":"a"},{"text":"We start by defining the counting ","element":"span"},{"href":"#id-36","referenceIndex":50,"text":"[50] ","element":"a"},{"text":"and robustness problems on general distribution. We prove that counting can be reduced to checking for reasoning robustness, and hence the latter is at least as hard; We then prove the complexities of reasoning with MLN.","element":"span"}],[{"style":{"fontWeight":"bold"},"text":"3.1 ","element":"span"},{"style":{"fontWeight":"bold"},"text":"Harness of Certifying General Reasoning Model","element":"span"}],[{"text":"Let ","element":"span"},{"style":{"height":16},"width":361.24,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/4-0.png","element":"img","alt":" X = {x1, x2, . . . , xn}","inline":true,"padRight":true},{"text":"be a set of variables. Let ","element":"span"},{"style":{"height":9.19},"width":43.71,"height":22.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/4-1.png","element":"img","alt":" πα","inline":true,"padRight":true},{"text":"be a distribution over ","element":"span"},{"style":{"height":14.19},"width":71.82,"height":35.47,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/4-2.png","element":"img","alt":" D[n]","inline":true,"padRight":true},{"text":"defined by a set of parameters ","element":"span"},{"style":{"height":14.98},"width":152.79,"height":37.46,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/4-3.png","element":"img","alt":" α ∈ P [m]","inline":true},{"text":", where ","element":"span"},{"style":{"fontStyle":"italic"},"text":"D ","element":"span"},{"text":"is the domain of variables, either discrete or continuous, and ","element":"span"},{"style":{"fontStyle":"italic"},"text":"P ","element":"span"},{"text":"is the domain of parameters. We call ","element":"span"},{"style":{"height":6.8},"width":23,"height":17,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/4-4.png","element":"img","alt":" π","inline":true,"padRight":true},{"style":{"fontStyle":"italic"},"text":"accessible ","element":"span"},{"text":"if for any ","element":"span"},{"style":{"height":18.18},"width":463.52,"height":45.46,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/4-5.png","element":"img","alt":" σ ∈ D[n], πα(σ) ∝ w(σ; α)","inline":true},{"text":", where ","element":"span"},{"style":{"height":18.98},"width":399.18,"height":47.44,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/4-6.png","element":"img","alt":"w : D[n] × P [m] → R≥0","inline":true,"padRight":true},{"text":"is a polynomial-time computable function. We will restrict our attention to accessible distributions only. We use ","element":"span"},{"style":{"height":18.19},"width":304.25,"height":45.47,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/4-7.png","element":"img","alt":" Q : D[n] → {0, 1}","inline":true,"padRight":true},{"text":"to denote a Boolean query, which is a polynomial-time computable function. We define the following two oracles:","element":"span"}],[{"style":{"fontWeight":"bold"},"text":"Definition 1 ","element":"span"},{"text":"(C","element":"span"},{"text":"OUNTING","element":"span"},{"text":")","element":"span"},{"style":{"fontWeight":"bold"},"text":". ","element":"span"},{"text":"Given input polynomial-time computable weight function ","element":"span"},{"style":{"height":16},"width":235.27,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/4-8.png","element":"img","alt":" w(·) and query","inline":true,"padRight":true},{"text":"function ","element":"span"},{"style":{"height":16},"width":74.07,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/4-9.png","element":"img","alt":" Q(·)","inline":true},{"text":", parameters ","element":"span"},{"style":{"height":6.8},"width":26,"height":17,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/4-10.png","element":"img","alt":" α","inline":true},{"text":", a real number ","element":"span"},{"style":{"height":13.2},"width":320.31,"height":33,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/4-11.png","element":"img","alt":" ϵ > 0, a COUNTING","inline":true,"padRight":true},{"text":"oracle outputs a real number ","element":"span"},{"style":{"fontStyle":"italic"},"text":"Z ","element":"span"},{"text":"that","element":"span"}],[{"style":{"width":"32%"},"width":508,"height":81,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/4-12.png","element":"img"}],[{"style":{"fontWeight":"bold"},"text":"Definition 2 ","element":"span"},{"text":"(R","element":"span"},{"text":"OBUSTNESS","element":"span"},{"text":")","element":"span"},{"style":{"fontWeight":"bold"},"text":". ","element":"span"},{"text":"Given input polynomial-time computable weight function ","element":"span"},{"style":{"height":16},"width":72.17,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/4-13.png","element":"img","alt":" w(·)","inline":true,"padRight":true},{"text":"and query function ","element":"span"},{"style":{"height":16},"width":74.07,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/4-14.png","element":"img","alt":" Q(·)","inline":true},{"text":", parameters ","element":"span"},{"style":{"height":6.8},"width":26,"height":17,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/4-15.png","element":"img","alt":" α","inline":true},{"text":", two real numbers ","element":"span"},{"style":{"height":11.6},"width":101.2,"height":29,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/4-16.png","element":"img","alt":" ϵ > 0","inline":true,"padRight":true},{"text":"and ","element":"span"},{"style":{"height":12.4},"width":104.24,"height":31,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/4-17.png","element":"img","alt":" δ > 0","inline":true},{"text":", a R","element":"span"},{"text":"OBUSTNESS ","element":"span"},{"text":"oracle decides, for any ","element":"span"},{"style":{"height":18.97},"width":585.58,"height":47.42,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/4-18.png","element":"img","alt":" α′ ∈ P [m] such that ∥α − α′∥∞ ≤ ϵ","inline":true},{"text":", whether the following is true:","element":"span"}],[{"style":{"width":"42%"},"width":672,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/4-19.png","element":"img"}],[{"text":"We can prove that R","element":"span"},{"text":"OBUSTNESS ","element":"span"},{"text":"is at least as hard as C","element":"span"},{"text":"OUNTING ","element":"span"},{"text":"by a reduction argument.","element":"span"}],[{"id":"id-45","style":{"fontWeight":"bold"},"text":"Theorem 1 ","element":"span"},{"text":"(C","element":"span"},{"text":"OUNTING ","element":"span"},{"style":{"height":12.8},"width":287.85,"height":32,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/4-20.png","element":"img","alt":" ≤t ROBUSTNESS","inline":true},{"text":")","element":"span"},{"style":{"fontWeight":"bold"},"text":". ","element":"span"},{"style":{"fontStyle":"italic"},"text":"Given polynomial-time computable weight function ","element":"span"},{"style":{"height":16},"width":72.16,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/4-21.png","element":"img","alt":"w(·)","inline":true,"padRight":true},{"style":{"fontStyle":"italic"},"text":"and query function ","element":"span"},{"style":{"height":16},"width":74.07,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/4-22.png","element":"img","alt":" Q(·)","inline":true},{"style":{"fontStyle":"italic"},"text":", parameters ","element":"span"},{"style":{"height":6.8},"width":26,"height":17,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/4-23.png","element":"img","alt":" α","inline":true,"padRight":true},{"style":{"fontStyle":"italic"},"text":"and real number ","element":"span"},{"style":{"height":11.6},"width":94.79,"height":29,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/4-24.png","element":"img","alt":" ϵ > 0","inline":true},{"style":{"fontStyle":"italic"},"text":", the instance of ","element":"span"},{"text":"C","element":"span"},{"text":"OUNTING","element":"span"},{"style":{"fontStyle":"italic"},"text":", ","element":"span"},{"style":{"height":16},"width":187.56,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/4-25.png","element":"img","alt":"(w, Q, α, ϵ)","inline":true,"padRight":true},{"style":{"fontStyle":"italic"},"text":"can be determined by up to ","element":"span"},{"style":{"height":17.38},"width":139.31,"height":43.46,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/4-26.png","element":"img","alt":" O(1/ε2c)","inline":true,"padRight":true},{"style":{"fontStyle":"italic"},"text":"queries of the ","element":"span"},{"text":"R","element":"span"},{"text":"OBUSTNESS ","element":"span"},{"style":{"fontStyle":"italic"},"text":"oracle with input ","element":"span"},{"style":{"fontStyle":"italic"},"text":"perturbation ","element":"span"},{"style":{"height":16},"width":176.62,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/4-27.png","element":"img","alt":" ϵ = O(εc).","inline":true}],[{"style":{"fontStyle":"italic"},"text":"Proof-sketch. ","element":"span"},{"text":"We define the partition function ","element":"span"},{"style":{"height":19.58},"width":424.73,"height":48.96,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/4-28.png","element":"img","alt":" Zi := �σ:Q(σ)=i w(σ; α)","inline":true,"padRight":true},{"text":"and ","element":"span"},{"style":{"height":16},"width":310.76,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/4-29.png","element":"img","alt":" E[σ ∼ πα]Q(σ) =","inline":true},{"style":{"height":16},"width":235.39,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/4-30.png","element":"img","alt":"Z1/(Z0 + Z1)","inline":true},{"text":". We then construct a new weight function ","element":"span"},{"style":{"height":16},"width":515.7,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/4-31.png","element":"img","alt":" t(σ; α) := w(σ; α) exp(βQ(σ))","inline":true,"padRight":true},{"text":"by introducing an additional parameter ","element":"span"},{"style":{"height":14.4},"width":23,"height":36,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/4-32.png","element":"img","alt":" β","inline":true},{"text":", such that ","element":"span"},{"style":{"height":16.79},"width":272.54,"height":41.97,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/4-33.png","element":"img","alt":" τβ(σ) ∝ t(σ; β)","inline":true},{"text":", and ","element":"span"},{"style":{"height":24.64},"width":466.59,"height":61.6,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/4-34.png","element":"img","alt":" E[σ ∼ τβ]Q(σ) = eβZ1Z0+eβZ1","inline":true,"padRight":true},{"text":". ","element":"span"},{"text":"Then we consider the perturbation ","element":"span"},{"style":{"height":14.4},"width":229.04,"height":36,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/4-35.png","element":"img","alt":" β′ = β ± ϵ","inline":true},{"text":", with ","element":"span"},{"style":{"height":16},"width":200.51,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/4-36.png","element":"img","alt":" ϵ = O(εc)","inline":true,"padRight":true},{"text":"and query the R","element":"span"},{"text":"OBUST","element":"span"},{"text":"- ","element":"span"},{"text":"NESS ","element":"span"},{"text":"oracle with input ","element":"span"},{"style":{"height":16},"width":208.28,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/4-37.png","element":"img","alt":" (t, Q, β, ϵ, δ)","inline":true,"padRight":true},{"text":"multiple times to perform a binary search in ","element":"span"},{"style":{"height":11.6},"width":19,"height":29,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/4-38.png","element":"img","alt":" δ","inline":true,"padRight":true},{"text":"to estimate ","element":"span"},{"style":{"height":16.79},"width":595.46,"height":41.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/4-39.png","element":"img","alt":" |E[σ ∼ πβ]Q(σ) − E[σ ∼ πβ′]Q(σ)|","inline":true},{"text":". Perform a further “outer\" binary search to find the ","element":"span"},{"style":{"height":14.4},"width":23,"height":36,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/4-40.png","element":"img","alt":"β","inline":true,"padRight":true},{"text":"which maximizes the perturbation. This yields a good estimator for ","element":"span"},{"style":{"height":21.23},"width":98.61,"height":53.07,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/4-41.png","element":"img","alt":" log Z0Z1","inline":true,"padRight":true},{"text":"which in turn gives ","element":"span"},{"style":{"height":16},"width":381.53,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/4-42.png","element":"img","alt":"E[σ ∼ πα]Q(σ) with εc","inline":true,"padRight":true},{"text":"multiplicative error. We leave detailed proof to Appendix ","element":"span"},{"text":"A.","element":"span"}],[{"id":"id-51","style":{"fontWeight":"bold"},"text":"3.2 ","element":"span"},{"style":{"fontWeight":"bold"},"text":"Hardness of Certifying Markov Logic Networks","element":"span"}],[{"text":"Given Theorem ","element":"span"},{"href":"#id-45","text":"1, ","element":"a"},{"text":"we can now state the following result specifically for MLNs:","element":"span"}],[{"style":{"fontWeight":"bold"},"text":"Theorem 2 ","element":"span"},{"text":"(MLN Hardness)","element":"span"},{"style":{"fontWeight":"bold"},"text":". ","element":"span"},{"style":{"fontStyle":"italic"},"text":"Given an MLN whose grounded factor graph is ","element":"span"},{"style":{"fontStyle":"italic"},"text":"G ","element":"span"},{"text":"= (","element":"span"},{"style":{"fontStyle":"italic"},"text":"V","element":"span"},{"style":{"fontStyle":"italic"},"text":", ","element":"span"},{"style":{"fontStyle":"italic"},"text":"F","element":"span"},{"text":") ","element":"span"},{"style":{"fontStyle":"italic"},"text":"in which the weights for interface factors are ","element":"span"},{"style":{"height":16},"width":500.28,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/4-43.png","element":"img","alt":" wGi = log pi(X)/(1 − pi(X))","inline":true,"padRight":true},{"style":{"fontStyle":"italic"},"text":"and constant thresholds ","element":"span"},{"style":{"height":17.68},"width":186.79,"height":44.2,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/4-44.png","element":"img","alt":"δ, {Ci}i∈[n]","inline":true},{"style":{"fontStyle":"italic"},"text":", deciding whether","element":"span"}],[{"style":{"width":"90%"},"width":1427,"height":46,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/4-45.png","element":"img"}],[{"style":{"fontStyle":"italic"},"text":"is as hard as estimating ","element":"span"},{"style":{"height":17.68},"width":519.4,"height":44.19,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/4-46.png","element":"img","alt":" ERMLN({pi(X)}i∈[n]) up to εc","inline":true,"padRight":true},{"style":{"fontStyle":"italic"},"text":"multiplicative error, with ","element":"span"},{"style":{"height":16},"width":189.89,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/4-47.png","element":"img","alt":" ϵi = O(εc).","inline":true}],[{"style":{"fontStyle":"italic"},"text":"Proof. ","element":"span"},{"text":"Let ","element":"span"},{"style":{"height":16},"width":214.22,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/4-48.png","element":"img","alt":" α = [pi(X)]","inline":true},{"text":", query function ","element":"span"},{"style":{"height":16},"width":297.91,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/4-49.png","element":"img","alt":" Q(.) = RMLN(.)","inline":true,"padRight":true},{"text":"and ","element":"span"},{"style":{"height":9.19},"width":43.72,"height":22.97,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/4-50.png","element":"img","alt":" πα","inline":true,"padRight":true},{"text":"defined by the marginal distribution over interior variables of MLN. Theorem ","element":"span"},{"href":"#id-45","text":"1 ","element":"a"},{"text":"directly implies that ","element":"span"},{"style":{"height":17.39},"width":139.31,"height":43.46,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/4-51.png","element":"img","alt":" O(1/ε2c)","inline":true,"padRight":true},{"text":"queries of a ","element":"span"},{"text":"R","element":"span"},{"text":"OBUSTNESS ","element":"span"},{"text":"oracle can be used to efficiently estimate ","element":"span"},{"style":{"height":17.68},"width":396.08,"height":44.19,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/4-52.png","element":"img","alt":" ERMLN({pi(X)}i∈[n]).","inline":true}],[{"text":"In general, statistical inference in MLNs is ","element":"span"},{"text":"#P","element":"span"},{"text":"-complete, and checking robustness for general MLNs is also ","element":"span"},{"text":"#P","element":"span"},{"text":"-hard.","element":"span"}]]},{"heading":"4 Certifying the Robustness of Sensing-Reasoning Pipeline","paragraphs":[[{"text":"Given a sensing-reasoning pipeline with ","element":"span"},{"style":{"height":17.68},"width":308.87,"height":44.2,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/5-0.png","element":"img","alt":" n sensors {Si}i∈[n]","inline":true,"padRight":true},{"text":"and a reasoning component ","element":"span"},{"style":{"fontStyle":"italic"},"text":"R","element":"span"},{"text":", we will first formally define its end-to-end certified robustness and then its connection to the robustness of each component. In particular, based on the above hardness result for ","element":"span"},{"style":{"fontStyle":"italic"},"text":"certifying the robustness of the reasoning component ","element":"span"},{"text":"in Section ","element":"span"},{"text":"3, ","element":"span"},{"text":"we will provide an effective certification method to upper/lower bound the certification, taking ","element":"span"},{"style":{"fontStyle":"italic"},"text":"any ","element":"span"},{"text":"oracle for the inference of the reasoning component into account. With the certification of the reasoning component, we will finally provide the robustness certification for the sensing-reasoning pipeline by combining the certification of sensing and reasoning components. ","element":"span"},{"style":{"fontWeight":"bold"},"text":"Definition 3 ","element":"span"},{"text":"(","element":"span"},{"style":{"height":16},"width":189.14,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/5-1.png","element":"img","alt":"(CI, CE, p)","inline":true},{"text":"-robustness)","element":"span"},{"style":{"fontWeight":"bold"},"text":". ","element":"span"},{"text":"A sensing-reasoning pipeline with ","element":"span"},{"style":{"height":17.68},"width":404.38,"height":44.2,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/5-2.png","element":"img","alt":" n sensors {Si}i∈[n] and a","inline":true,"padRight":true},{"text":"reasoning component ","element":"span"},{"style":{"height":16},"width":265.32,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/5-3.png","element":"img","alt":" R is (CI, CE, p)","inline":true},{"text":"-robust on the input ","element":"span"},{"style":{"fontStyle":"italic"},"text":"X","element":"span"},{"text":", if for input perturbation ","element":"span"},{"style":{"height":16.79},"width":219.46,"height":41.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/5-4.png","element":"img","alt":" η, ||η||p ≤ CI","inline":true}],[{"style":{"width":"56%"},"width":903,"height":50,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/5-5.png","element":"img"}],[{"text":"I.e., a perturbation ","element":"span"},{"style":{"height":16.79},"width":180.53,"height":41.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/5-6.png","element":"img","alt":" ||η||p < CI","inline":true,"padRight":true},{"text":"on the input only changes the final pipeline output by at most ","element":"span"},{"style":{"height":13.19},"width":65.4,"height":32.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/5-7.png","element":"img","alt":" CE.","inline":true}],[{"style":{"fontWeight":"bold"},"text":"Sensing Robustness and Reasoning Robustness. ","element":"span"},{"text":"We decompose the end-to-end certified robustness of the pipeline into two components. The first component, which we call the ","element":"span"},{"style":{"fontStyle":"italic"},"text":"sensing robustness","element":"span"},{"text":", has been studied by the research community recently ","element":"span"},{"href":"#id-46","referenceIndex":20,"text":"[20, ","element":"a"},{"href":"#id-47","referenceIndex":46,"text":"46, ","element":"a"},{"href":"#id-14","referenceIndex":8,"text":"8] ","element":"a"},{"text":"— given a perturbation ","element":"span"},{"style":{"height":16.79},"width":233.82,"height":41.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/5-8.png","element":"img","alt":" ||η||p < CI on","inline":true,"padRight":true},{"text":"the input ","element":"span"},{"style":{"fontStyle":"italic"},"text":"X","element":"span"},{"text":", we say each sensor ","element":"span"},{"style":{"height":21.36},"width":436.09,"height":53.41,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/5-9.png","element":"img","alt":" Si is (CI, C(i)S , p)-robust if","inline":true}],[{"style":{"width":"51%"},"width":813,"height":49,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/5-10.png","element":"img"}],[{"text":"The robustness of the ","element":"span"},{"style":{"fontStyle":"italic"},"text":"reasoning component ","element":"span"},{"text":"R is defined as: Given a perturbation ","element":"span"},{"style":{"height":21.36},"width":282.61,"height":53.41,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/5-11.png","element":"img","alt":" |ϵi| < C(i)S on the","inline":true,"padRight":true},{"text":"output of each sensor ","element":"span"},{"style":{"height":16},"width":105.34,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/5-12.png","element":"img","alt":" Si(X)","inline":true},{"text":", we say the reasoning component ","element":"span"},{"style":{"height":28.8},"width":528.77,"height":72,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/5-13.png","element":"img","alt":" R is�{C(i)S }i∈[n], CE�-robust if","inline":true}],[{"style":{"width":"92%"},"width":1467,"height":58,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/5-14.png","element":"img"}],[{"text":"It is easy to see that when the sensing component is","element":"span"},{"style":{"height":28.8},"width":331.89,"height":72,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/5-15.png","element":"img","alt":"�CI, {C(i)S }i∈[n], p�","inline":true},{"text":"-robust and the reasoning component is","element":"span"},{"style":{"height":28.8},"width":508.62,"height":72,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/5-16.png","element":"img","alt":"�{C(i)S }i∈[n], CE�-robust on X","inline":true},{"text":", the sensing-reasoning pipeline is ","element":"span"},{"style":{"height":16},"width":310.18,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/5-17.png","element":"img","alt":" (CI, CE, p)-robust.","inline":true,"padRight":true},{"text":"Since the sensing robustness has been intensively studied by previous work, in this paper, we mainly focus on the reasoning robustness and therefore analyze the robustness of the pipeline.","element":"span"}],[{"style":{"fontWeight":"bold"},"text":"4.1 ","element":"span"},{"style":{"fontWeight":"bold"},"text":"Certifying Sensing Robustness","element":"span"}],[{"text":"There are several existing ways to certify the robustness of sensing models, such as Interval Bound Propagation (IBP) ","element":"span"},{"href":"#id-48","referenceIndex":16,"text":"[16]","element":"a"},{"text":", Randomized Smoothing ","element":"span"},{"href":"#id-14","referenceIndex":8,"text":"[8]","element":"a"},{"text":", and others ","element":"span"},{"href":"#id-49","referenceIndex":64,"text":"[64, ","element":"a"},{"href":"#id-50","referenceIndex":52,"text":"52]","element":"a"},{"text":". Here we will leverage randomized smoothing to provide an example for certifying the robustness of sensing components.","element":"span"}],[{"style":{"fontWeight":"bold"},"text":"Corollary 1. ","element":"span"},{"style":{"fontStyle":"italic"},"text":"Given a sensing model ","element":"span"},{"style":{"height":13.19},"width":35.44,"height":32.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/5-18.png","element":"img","alt":" Si","inline":true},{"style":{"fontStyle":"italic"},"text":", we construct a smoothed sensing model ","element":"span"},{"style":{"height":16},"width":194.13,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/5-19.png","element":"img","alt":" gi(X; ˆσ) =","inline":true},{"style":{"height":17.68},"width":353.42,"height":44.2,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/5-20.png","element":"img","alt":"Eξ∼N (0,ˆσ2)pi(X + ξ)","inline":true},{"style":{"fontStyle":"italic"},"text":". With input perturbation ","element":"span"},{"style":{"height":16},"width":179.99,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/5-21.png","element":"img","alt":" ||η||2 ≤ CI","inline":true},{"style":{"fontStyle":"italic"},"text":", the smoothed sensing model satisfies","element":"span"}],[{"style":{"width":"75%"},"width":1198,"height":45,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/5-22.png","element":"img"}],[{"style":{"fontStyle":"italic"},"text":"where ","element":"span"},{"style":{"height":10.8},"width":29,"height":27,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/5-23.png","element":"img","alt":" Φ","inline":true,"padRight":true},{"style":{"fontStyle":"italic"},"text":"is the Gaussian CDF and ","element":"span"},{"style":{"height":13.38},"width":69.69,"height":33.46,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/5-24.png","element":"img","alt":" Φ−1 ","inline":true,"padRight":true},{"style":{"fontStyle":"italic"},"text":"as its inverse.","element":"span"}],[{"text":"Thus, the output probability of smoothed sensing model can be bounded given input perturbations. Note that the specific ways of certifying sensing robustness is orthogonal to certifying reasoning robustness, and one can plug in different sensing certification strategies.","element":"span"}],[{"id":"id-37","style":{"fontWeight":"bold"},"text":"4.2 ","element":"span"},{"style":{"fontWeight":"bold"},"text":"Certifying Reasoning Robustness","element":"span"}],[{"text":"Given the hardness results for certifying reasoning robustness in Section ","element":"span"},{"href":"#id-51","text":"3.2, ","element":"a"},{"text":"in this paper, we assume that we have access to an oracle for statistical inference, and provide a novel algorithm to certify the reasoning robustness. I.e., we assume that we are able to calculate the two partition functions ","element":"span"},{"style":{"height":17.68},"width":665.2,"height":44.2,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/5-25.png","element":"img","alt":"Z1({pi(X)}i∈[n]) and Z2({pi(X)}i∈[n]).","inline":true}],[{"id":"id-73","style":{"fontWeight":"bold"},"text":"Lemma 4.1 ","element":"span"},{"text":"(MLN Robustness)","element":"span"},{"style":{"fontWeight":"bold"},"text":". ","element":"span"},{"style":{"fontStyle":"italic"},"text":"Given access to partition functions ","element":"span"},{"style":{"height":17.68},"width":289.37,"height":44.2,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/5-26.png","element":"img","alt":" Z1({pi(X)}i∈[n])","inline":true,"padRight":true},{"style":{"fontStyle":"italic"},"text":"and ","element":"span"},{"style":{"height":17.68},"width":289.37,"height":44.2,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/5-27.png","element":"img","alt":"Z2({pi(X)}i∈[n])","inline":true},{"style":{"fontStyle":"italic"},"text":", and maximum perturbations ","element":"span"},{"style":{"height":17.68},"width":340.3,"height":44.2,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/5-28.png","element":"img","alt":" {Ci}i∈[n], ∀ϵ1, ..., ϵn","inline":true},{"style":{"fontStyle":"italic"},"text":", if ","element":"span"},{"style":{"height":16},"width":220.25,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/5-29.png","element":"img","alt":" ∀i. |ϵi| < Ci","inline":true},{"style":{"fontStyle":"italic"},"text":", we have that ","element":"span"},{"style":{"height":14},"width":265.32,"height":35,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/5-30.png","element":"img","alt":" ∀λ1, ..., λn ∈ R,","inline":true}],[{"style":{"width":"87%"},"width":1391,"height":72,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/5-31.png","element":"img"}],[{"style":{"width":"93%"},"width":1480,"height":198,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/6-0.png","element":"img"}],[{"text":"We leave the proof to the Appendix ","element":"span"},{"text":"B. ","element":"span"},{"text":"The high-level proof idea is to decouple ","element":"span"},{"style":{"height":16},"width":105.99,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/6-1.png","element":"img","alt":" Z1/Z2","inline":true,"padRight":true},{"text":"into two sub-problems via a collection of Lagrangian multipliers, i.e., ","element":"span"},{"style":{"height":16},"width":76.44,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/6-2.png","element":"img","alt":" {λi}","inline":true},{"text":". For any assignment of ","element":"span"},{"style":{"height":16},"width":143.12,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/6-3.png","element":"img","alt":" {λi}, we","inline":true,"padRight":true},{"text":"obtain a valid upper/lower bound, which reduces the certification process to the process of ","element":"span"},{"style":{"fontStyle":"italic"},"text":"searching ","element":"span"},{"text":"for an assignment of these multipliers that minimize the upper bound (maximize the lower bound). To efficiently search for the optimal assignment of ","element":"span"},{"style":{"height":16},"width":76.44,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/6-4.png","element":"img","alt":" {λi}","inline":true},{"text":", it is crucial to consider the interactions between these ","element":"span"},{"style":{"height":16},"width":76.43,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/6-5.png","element":"img","alt":" {λi}","inline":true,"padRight":true},{"text":"and the corresponding solution of ","element":"span"},{"style":{"height":13.19},"width":42.2,"height":32.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/6-6.png","element":"img","alt":"�Zr","inline":true},{"text":", which hinges on the structure of MLN. In particular, we can prove the following (Detailed proofs and discussions in Appendix ","element":"span"},{"text":"C)","element":"span"},{"text":":","element":"span"}],[{"style":{"fontWeight":"bold"},"text":"Proposition 1 ","element":"span"},{"text":"(Monotonicity)","element":"span"},{"style":{"fontWeight":"bold"},"text":". ","element":"span"},{"style":{"fontStyle":"italic"},"text":"When ","element":"span"},{"style":{"height":17.68},"width":347.5,"height":44.19,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/6-7.png","element":"img","alt":" λi ≥ 0, �Zr({ϵi}i∈[n])","inline":true,"padRight":true},{"style":{"fontStyle":"italic"},"text":"monotonically increases w.r.t. ","element":"span"},{"style":{"height":13.59},"width":142.38,"height":33.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/6-8.png","element":"img","alt":" ϵi; When","inline":true},{"style":{"height":17.68},"width":378.62,"height":44.2,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/6-9.png","element":"img","alt":"λi ≤ −1, �Zr({ϵi}i∈[n])","inline":true,"padRight":true},{"style":{"fontStyle":"italic"},"text":"monotonically decreases w.r.t. ","element":"span"},{"style":{"height":7.2},"width":39.44,"height":18,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/6-10.png","element":"img","alt":" ϵi.","inline":true}],[{"style":{"fontWeight":"bold"},"text":"Proposition 2 ","element":"span"},{"text":"(Convexity)","element":"span"},{"style":{"fontWeight":"bold"},"text":". ","element":"span"},{"style":{"height":17.68},"width":218.12,"height":44.2,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/6-11.png","element":"img","alt":"�Zr({˜ϵi}i∈[n])","inline":true,"padRight":true},{"style":{"fontStyle":"italic"},"text":"is a convex function in ","element":"span"},{"style":{"height":14.4},"width":161.72,"height":36,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/6-12.png","element":"img","alt":" ˜ϵi, ∀i with","inline":true}],[{"style":{"width":"50%"},"width":806,"height":141,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/6-13.png","element":"img"}],[{"style":{"fontStyle":"italic"},"text":"Implication. ","element":"span"},{"text":"Given the monotonicity region, the maximal and minimal of ","element":"span"},{"style":{"height":13.19},"width":42.2,"height":32.97,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/6-14.png","element":"img","alt":"�Zr","inline":true,"padRight":true},{"text":"are achieved at either ","element":"span"},{"style":{"height":13.19},"width":165.59,"height":32.97,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/6-15.png","element":"img","alt":" ϵi = −Ci","inline":true,"padRight":true},{"text":"or ","element":"span"},{"style":{"height":13.19},"width":134.6,"height":32.97,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/6-16.png","element":"img","alt":" ϵi = Ci","inline":true,"padRight":true},{"text":"respectively. Given the convexity region, the maximal is achieved at ","element":"span"},{"style":{"height":16},"width":269.35,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/6-17.png","element":"img","alt":" ϵi ∈ {−Ci, Ci}","inline":true},{"text":", and the minimal is achieved at ","element":"span"},{"style":{"height":16},"width":269.35,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/6-18.png","element":"img","alt":" ϵi ∈ {−Ci, Ci}","inline":true,"padRight":true},{"text":"or at the zero gradient of","element":"span"}],[{"style":{"height":17.68},"width":218.13,"height":44.2,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/6-19.png","element":"img","alt":"Zr({˜ϵi}i∈[n])","inline":true},{"text":". As a result, our analysis leads to the following certification algorithm.","element":"span"}],[{"id":"id-52","style":{"width":"55%"},"width":874,"height":849,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/6-20.png","element":"img"}],[{"style":{"fontWeight":"bold"},"text":"Algorithm of Certifying Reasoning Robustness. ","element":"span"},{"text":"Algorithm ","element":"span"},{"href":"#id-52","text":"1 ","element":"a"},{"text":"illustrates the detailed algorithm based on the above result to upper bound the robustness of MLN. The main step is to explore different regimes of the ","element":"span"},{"style":{"height":16},"width":76.44,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/6-21.png","element":"img","alt":" {λi}","inline":true},{"text":". In this paper, we only explore regimes where ","element":"span"},{"style":{"height":16},"width":427.18,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/6-22.png","element":"img","alt":" λ ∈ (−∞, −1] ∪ [0, +∞)","inline":true,"padRight":true},{"text":"as this already provides reasonable solutions in our experiments. ","element":"span"},{"text":"The function ","element":"span"},{"style":{"height":16},"width":233.36,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/6-23.png","element":"img","alt":"update({λi})","inline":true,"padRight":true},{"text":"defines the exploration strategy — Depending on the scale of the problem, one can explore ","element":"span"},{"style":{"height":16},"width":76.44,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/6-24.png","element":"img","alt":" {λi}","inline":true,"padRight":true},{"text":"using grid search, random sampling, or even gradientbased methods. For experiments in this paper, we use either grid search or random sampling. It is an exciting future direction to understand other efficient exploration and search strategies. We leave the detailed explanation of the algorithm to Appendix ","element":"span"},{"text":"C.","element":"span"}]]},{"heading":"5 Experiments","paragraphs":[[{"text":"We conduct intensive experiments on five datasets to evaluate the certified robustness of the sensing-reasoning pipeline. We focus on two tasks with different modalities: ","element":"span"},{"style":{"fontStyle":"italic"},"text":"image classification ","element":"span"},{"text":"task on Road Sign dataset created based on GTSRB dataset ","element":"span"},{"href":"#id-53","referenceIndex":45,"text":"[45] ","element":"a"},{"text":"following the standard setting as ","element":"span"},{"href":"#id-24","referenceIndex":17,"text":"[17]","element":"a"},{"text":"; and ","element":"span"},{"style":{"fontStyle":"italic"},"text":"information extraction ","element":"span"},{"text":"task with stocks news on text data. We also report additional results on two other image classification tasks (Word50 ","element":"span"},{"href":"#id-54","referenceIndex":6,"text":"[6] ","element":"a"},{"text":"and PrimateNet, which is a subset of ImageNet ILSVRC2012 ","element":"span"},{"href":"#id-55","referenceIndex":9,"text":"[9]","element":"a"},{"text":") with natural knowledge rules in Appendix ","element":"span"},{"text":"G ","element":"span"},{"text":"and Appendix ","element":"span"},{"text":"F. ","element":"span"},{"text":"We also report results on standard image benchmarks (MNIST and CIFAR10) with manually constructed knowledge rules in Appendix ","element":"span"},{"text":"H. ","element":"span"},{"text":"The code is provided at ","element":"span"},{"href":"https://github.com/Sensing-Reasoning/Sensing-Reasoning-Pipeline","style":{"fontFamily":"monospace"},"text":"https://github.com/Sensing-Reasoning/ ","element":"a"},{"href":"https://github.com/Sensing-Reasoning/Sensing-Reasoning-Pipeline","style":{"fontFamily":"monospace"},"text":"Sensing-Reasoning-Pipeline","element":"a"},{"text":".","element":"span"}],[{"style":{"fontWeight":"bold"},"text":"5.1 ","element":"span"},{"style":{"fontWeight":"bold"},"text":"Experimental Setup","element":"span"}],[{"style":{"fontWeight":"bold"},"text":"Datasets and Tasks. ","element":"span"},{"text":"For the ","element":"span"},{"style":{"fontStyle":"italic"},"text":"road sign classification ","element":"span"},{"text":"task, we follow ","element":"span"},{"href":"#id-24","referenceIndex":17,"text":"[17] ","element":"a"},{"text":"and use the same dataset GTSRB ","element":"span"},{"href":"#id-53","referenceIndex":45,"text":"[45]","element":"a"},{"text":", which contains 12 types of German road signs {\"Stop”, \"Priority Road”, \"Yield”, \"Construction Area”, \"Keep Right”, \"Turn Left”, \"Do not Enter”, \"No Vihicles”, \"Speed Limit 20”, \"Speed Limit 50”, \"Speed Limit 120”, \"End of Previous Limitation”}. It consists of 14880 training samples, 972 validation samples, and 3888 testing samples. We also include 13 additional detectors for knowledge integration, detecting attributes such as whether the border has an octagon shape (See Appendix ","element":"span"},{"text":"D ","element":"span"},{"text":"for a full list).","element":"span"}],[{"text":"For the ","element":"span"},{"style":{"fontStyle":"italic"},"text":"information extraction ","element":"span"},{"text":"task, we use the HighTech dataset which consists of both daily closing asset price and financial news from ","element":"span"},{"style":{"fontStyle":"italic"},"text":"2006 ","element":"span"},{"text":"to ","element":"span"},{"style":{"fontStyle":"italic"},"text":"2013 ","element":"span"},{"href":"#id-56","referenceIndex":12,"text":"[12]","element":"a"},{"text":". We choose 9 companies with the most news, resulting in 4810 articles related to 9 stocks filtered by company name. We split the dataset into training and testing days chronologically. We define three information extraction tasks as our sensing models: ","element":"span"},{"style":{"fontFamily":"monospace"},"text":"StockPrice(Day, Company, Price)","element":"span"},{"text":", ","element":"span"},{"style":{"fontFamily":"monospace"},"text":"StockPriceChange(Day, Company, Percent)","element":"span"},{"text":", ","element":"span"},{"style":{"fontFamily":"monospace"},"text":"StockPriceGain(Day, Company)","element":"span"},{"text":". The domain knowledge that we integrate depicts the relationships between these relations (See Appendix ","element":"span"},{"text":"E ","element":"span"},{"text":"for more details).","element":"span"}],[{"style":{"fontWeight":"bold"},"text":"Knowledge Rules. ","element":"span"},{"text":"We integrate different types of knowledge rules for these two applications. We provide the full list of knowledge rules in the Appendix ","element":"span"},{"text":"D.","element":"span"}],[{"text":"For ","element":"span"},{"style":{"fontStyle":"italic"},"text":"road sign classification","element":"span"},{"text":", we follow ","element":"span"},{"href":"#id-24","referenceIndex":17,"text":"[17]","element":"a"},{"text":", which includes two different types of knowledge rules — ","element":"span"},{"style":{"fontStyle":"italic"},"text":"Indication rules ","element":"span"},{"text":"(road sign class ","element":"span"},{"style":{"fontStyle":"italic"},"text":"u ","element":"span"},{"text":"indicates attribute ","element":"span"},{"style":{"fontStyle":"italic"},"text":"v","element":"span"},{"text":") and ","element":"span"},{"style":{"fontStyle":"italic"},"text":"Exclusion rules ","element":"span"},{"text":"(attribute classes ","element":"span"},{"style":{"fontStyle":"italic"},"text":"u ","element":"span"},{"text":"and ","element":"span"},{"style":{"fontStyle":"italic"},"text":"v ","element":"span"},{"text":"with the same general type such as \"Shape”, \"Color”, \"Digit” or \"Content” are naturally exclusive).","element":"span"}],[{"text":"For ","element":"span"},{"style":{"fontStyle":"italic"},"text":"information extraction","element":"span"},{"text":", we integrate knowledge about the relationships between the sensing models (e.g., ","element":"span"},{"style":{"fontFamily":"monospace"},"text":"StockPrice","element":"span"},{"text":", ","element":"span"},{"style":{"fontFamily":"monospace"},"text":"StockPriceChange","element":"span"},{"text":", ","element":"span"},{"style":{"fontFamily":"monospace"},"text":"StockPriceGain","element":"span"},{"text":"). For example, the stock prices of two consecutive days, ","element":"span"},{"style":{"height":16},"width":524.27,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/7-0.png","element":"img","alt":" StockPrice(d1, Company, p1)","inline":true,"padRight":true},{"text":"and ","element":"span"},{"style":{"height":16},"width":524.27,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/7-1.png","element":"img","alt":" StockPrice(d2, Company, p2)","inline":true},{"text":", should be consistent with ","element":"span"},{"style":{"height":16},"width":1016.53,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/7-2.png","element":"img","alt":" StockPriceChange(d2, Company, p), i.e., p = (p2 − p1)/p1.","inline":true}],[{"style":{"fontWeight":"bold"},"text":"Implementation Details. ","element":"span"},{"text":"Throughout the road sign classification experiment, we implement all sensing models using the GTSRB-CNN ","element":"span"},{"href":"#id-1","referenceIndex":13,"text":"[13] ","element":"a"},{"text":"architecture. During training, we train all sensors with Isotropic Gaussian ","element":"span"},{"style":{"height":17.38},"width":255.19,"height":43.46,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/7-3.png","element":"img","alt":" ϵ ∼ N(0, ˆσ2Id)","inline":true,"padRight":true},{"text":"augmented data with 50000 training iterations until converge and tune the training parameters on the validation set, following ","element":"span"},{"href":"#id-14","referenceIndex":8,"text":"[8]","element":"a"},{"text":". We use the SGD-momentum with the initial learning rate as ","element":"span"},{"text":"0","element":"span"},{"style":{"fontStyle":"italic"},"text":".","element":"span"},{"text":"01 ","element":"span"},{"text":"and the weight decay parameter as ","element":"span"},{"style":{"height":13.38},"width":80.76,"height":33.46,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/7-4.png","element":"img","alt":" 10−4","inline":true,"padRight":true},{"text":"to train all the sensors for 50000 iterations with ","element":"span"},{"text":"200 ","element":"span"},{"text":"as the batch size, following ","element":"span"},{"href":"#id-24","referenceIndex":17,"text":"[17]","element":"a"},{"text":". During certification, we adopt the same smoothing parameter for training to construct the smoothed model based on Monte-Carlo sampling.","element":"span"}],[{"text":"For information extraction, we use BERT as our model architecture. During training, we use the final hidden state of the first token [CLS] from BERT as the representation of the whole input and apply dropout with probability ","element":"span"},{"style":{"fontStyle":"italic"},"text":"p ","element":"span"},{"text":"= 0","element":"span"},{"style":{"fontStyle":"italic"},"text":".","element":"span"},{"text":"5 ","element":"span"},{"text":"on this final hidden state. Additionally, there is a fully connected layer added on top of BERT for classification. To fine-tune the BERT classifiers for three information tasks, we use the Adam optimizer with the initial learning rate as ","element":"span"},{"style":{"height":13.78},"width":80.76,"height":34.46,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/7-5.png","element":"img","alt":" 10−5","inline":true,"padRight":true},{"text":"and the weight decay parameter as ","element":"span"},{"style":{"height":13.38},"width":80.76,"height":33.46,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/7-6.png","element":"img","alt":" 10−4","inline":true},{"text":". We train all the sensors for 30 epochs, and the batch size ","element":"span"},{"text":"32","element":"span"},{"text":".","element":"span"}],[{"style":{"fontWeight":"bold"},"text":"Evaluation Metrics. ","element":"span"},{"text":"We adopt the standard ","element":"span"},{"style":{"fontStyle":"italic"},"text":"certified accuracy ","element":"span"},{"text":"as our evaluation metric, defined by the percentage of instances that can be certified under certain ","element":"span"},{"style":{"height":7.2},"width":33.6,"height":18,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/7-7.png","element":"img","alt":" ℓp","inline":true},{"text":"-norm bounded perturbations. Specifically, given the input ","element":"span"},{"style":{"fontStyle":"italic"},"text":"x ","element":"span"},{"text":"with ground-truth label ","element":"span"},{"style":{"fontStyle":"italic"},"text":"y","element":"span"},{"text":", once we can certify the bound of the model’s output confidence on predicting label ","element":"span"},{"style":{"fontStyle":"italic"},"text":"y ","element":"span"},{"text":"under the norm-bounded perturbation as ","element":"span"},{"text":"[","element":"span"},{"style":{"fontStyle":"italic"},"text":"L","element":"span"},{"style":{"fontStyle":"italic"},"text":", ","element":"span"},{"style":{"fontStyle":"italic"},"text":"U","element":"span"},{"text":"]","element":"span"},{"text":", the certified accuracy can be defined by: ","element":"span"},{"style":{"height":21.43},"width":365.18,"height":53.59,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/7-8.png","element":"img","alt":"1N�Ni=1 I([Li > 0.5])","inline":true,"padRight":true},{"text":"where ","element":"span"},{"style":{"height":19.94},"width":72.71,"height":49.85,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/7-9.png","element":"img","alt":" I(·)","inline":true,"padRight":true},{"text":"denotes the indicator ","element":"span"},{"text":"function. Since each sensing component’s certification is performed by randomized smoothing, which yields the failure probability characterized by ","element":"span"},{"style":{"height":14},"width":33.44,"height":35,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/7-10.png","element":"img","alt":" ζ0","inline":true},{"text":", we will control the failure probability ","element":"span"},{"style":{"height":14},"width":19,"height":35,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/7-11.png","element":"img","alt":" ζ","inline":true,"padRight":true},{"text":"for the whole sensing-reasoning pipeline pipeline with ","element":"span"},{"style":{"fontStyle":"italic"},"text":"n ","element":"span"},{"text":"sensing models as ","element":"span"},{"style":{"height":18.19},"width":320.18,"height":45.47,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/7-12.png","element":"img","alt":" ζ0 = 1 − (1 − ζ)1/n ","inline":true,"padRight":true},{"text":"by applying the union bound. Throughout all the experiments, ","element":"span"},{"style":{"height":14},"width":19,"height":35,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/7-13.png","element":"img","alt":" ζ","inline":true,"padRight":true},{"text":"is kept to ","element":"span"},{"text":"0","element":"span"},{"style":{"fontStyle":"italic"},"text":".","element":"span"},{"text":"001 ","element":"span"},{"text":"so our end-to-end certification is guaranteed to be correct with at least ","element":"span"},{"text":"99","element":"span"},{"style":{"fontStyle":"italic"},"text":".","element":"span"},{"text":"9% ","element":"span"},{"text":"confidence.","element":"span"}],[{"style":{"fontWeight":"bold"},"text":"5.2 ","element":"span"},{"style":{"fontWeight":"bold"},"text":"Results of ","element":"span"},{"style":{"fontStyle":"italic","fontWeight":"bold"},"text":"Road Sign Classification","element":"span"}],[{"text":"In this section, we evaluate the certified robustness of our sensing-reasoning pipeline under the ","element":"span"},{"style":{"height":7.6},"width":32.6,"height":19,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/7-14.png","element":"img","alt":"ℓ2","inline":true},{"text":"-norm bounded perturbation. We first report the ","element":"span"},{"style":{"height":7.6},"width":32.6,"height":19,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/7-15.png","element":"img","alt":" ℓ2","inline":true,"padRight":true},{"text":"certified accuracy of our sensing-reasoning pipeline and compare it to a strong baseline as a vanilla randomized smoothing trained model (without knowledge). Note that it is flexible to replace the sensing component with other robust training","element":"span"}],[{"id":"id-57","text":"Table 1: ","element":"figcaption","subtype":"caption"},{"style":{"fontWeight":"bold"},"text":"(Road sign classification) ","element":"figcaption","subtype":"caption"},{"style":{"fontStyle":"italic"},"text":"Certified accuracy ","element":"figcaption","subtype":"caption"},{"text":"under different input perturbation magnitudes (","element":"figcaption","subtype":"caption"},{"style":{"height":12.8},"width":64.43,"height":32,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/8-0.png","element":"img","alt":"CI).","inline":true,"padRight":true},{"text":"Models are smoothed with different Gaussian noises ","element":"figcaption","subtype":"caption"},{"style":{"height":16.09},"width":592.58,"height":40.24,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/8-1.png","element":"img","alt":" ϵ ∼ N(0, ˆσ2Id), ˆσ ∈ {0.12, 0.25, 0.50}","inline":true},{"text":". Rows with ","element":"figcaption","subtype":"caption"},{"style":{"height":6.8},"width":18,"height":17,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/8-2.png","element":"img","alt":" ∗","inline":true,"padRight":true},{"text":"denote the best certified accuracy among all the smoothing parameters for each method. The bold numbers show the higher certified accuracy under the same ","element":"figcaption","subtype":"caption"},{"style":{"height":14.4},"width":110.33,"height":36,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/8-3.png","element":"img","alt":" (CI, ˆσ)","inline":true,"padRight":true},{"text":"setting and the numbers with underline show the highest certified accuracy for each ","element":"figcaption","subtype":"caption"},{"style":{"height":11.59},"width":40.31,"height":28.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/8-4.png","element":"img","alt":" CI","inline":true,"padRight":true},{"text":"among different smoothing parameters. (All certificates hold with ","element":"figcaption","subtype":"caption"},{"style":{"fontStyle":"italic"},"text":"p ","element":"figcaption","subtype":"caption"},{"text":"= 99","element":"figcaption","subtype":"caption"},{"style":{"fontStyle":"italic"},"text":".","element":"figcaption","subtype":"caption"},{"text":"9%","element":"figcaption","subtype":"caption"},{"text":")","element":"figcaption","subtype":"caption"}],[{"style":{"width":"84%"},"width":1347,"height":379,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/8-5.png","element":"img"}],[{"text":"algorithms. We conduct our evaluation under different smoothing parameters ","element":"span"},{"style":{"height":16},"width":365.33,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/8-6.png","element":"img","alt":" ˆσ = {0.12, 0.25, 0.50}","inline":true,"padRight":true},{"text":"and various ","element":"span"},{"style":{"height":7.6},"width":32.6,"height":19,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/8-7.png","element":"img","alt":" ℓ2","inline":true,"padRight":true},{"text":"perturbation magnitudes on the input image ","element":"span"},{"style":{"height":16},"width":476.35,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/8-8.png","element":"img","alt":" CI = {0.12, 0.25, 0.50, 1.00}","inline":true,"padRight":true},{"text":"(Table ","element":"span"},{"href":"#id-57","text":"1)","element":"a"},{"text":". During certification, we evaluate our certification time per sample with 25 sensors as 5.39s, which shows that the overall certification time is generally acceptable.","element":"span"}],[{"text":"As shown in Table ","element":"span"},{"href":"#id-57","text":"1, ","element":"a"},{"text":"we can see that with knowledge integration, sensing-reasoning pipeline achieves consistently higher certified accuracy compared to the baseline smoothed ML model without knowledge under all the perturbation magnitudes ","element":"span"},{"style":{"height":13.19},"width":43.48,"height":32.97,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/8-9.png","element":"img","alt":" CI","inline":true,"padRight":true},{"text":"and smoothing parameter ","element":"span"},{"style":{"height":10.8},"width":23,"height":27,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/8-10.png","element":"img","alt":" ˆσ","inline":true,"padRight":true},{"text":"settings. Under the small perturbation magnitude cases, our improvement is very significant (around ","element":"span"},{"text":"5%","element":"span"},{"text":"). More interestingly, given large ","element":"span"},{"style":{"height":13.19},"width":43.48,"height":32.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/8-11.png","element":"img","alt":" CI","inline":true,"padRight":true},{"text":"but small smoothing parameter ","element":"span"},{"style":{"height":10.8},"width":23,"height":27,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/8-12.png","element":"img","alt":" ˆσ","inline":true},{"text":", vanilla randomized smoothing-based certification directly fails (","element":"span"},{"text":"0% ","element":"span"},{"text":"certified accuracy) due to the looseness of the hypothesis testing bound, while the sensing-reasoning pipeline could still achieve reasonable certified robustness (over ","element":"span"},{"text":"71% ","element":"span"},{"text":"on ","element":"span"},{"style":{"height":14.4},"width":493.95,"height":36,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/8-13.png","element":"img","alt":"CI = 0.50, 49% on CI = 1.00","inline":true},{"text":") under the same ","element":"span"},{"style":{"height":16},"width":120.18,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/8-14.png","element":"img","alt":" (CI, ˆσ)","inline":true,"padRight":true},{"text":"settings. This indicates a very realistic case: we always ","element":"span"},{"style":{"fontStyle":"italic","fontWeight":"bold"},"text":"under-estimate ","element":"span"},{"text":"the attacker’s ability easily under the real-world setting – in this case, the sensing-reasoning pipeline could remain robust even provide reasonable certified accuracy with a conservative smoothing parameter.","element":"span"}],[{"style":{"fontWeight":"bold"},"text":"5.3 ","element":"span"},{"style":{"fontWeight":"bold"},"text":"Results of ","element":"span"},{"style":{"fontStyle":"italic","fontWeight":"bold"},"text":"Information Extraction","element":"span"}],[{"text":"In this section, we conduct the certified robustness evaluation on the information extraction task on text data. ","element":"span"},{"text":"Since there is no good certification method on discrete NLP data for sensing models, we directly assume the maximal perturbation on the output of sensors (","element":"span"},{"style":{"height":13.19},"width":48.48,"height":32.97,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/8-15.png","element":"img","alt":"CS","inline":true},{"text":").","element":"span"}],[{"id":"id-58","text":"Table 2: ","element":"figcaption","subtype":"caption"},{"style":{"fontWeight":"bold"},"text":"(Information extraction) ","element":"figcaption","subtype":"caption"},{"style":{"fontStyle":"italic"},"text":"Certified accuracy ","element":"figcaption","subtype":"caption"},{"text":"under different perturbation magnitudes (","element":"figcaption","subtype":"caption"},{"style":{"height":12.8},"width":59.66,"height":32,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/8-16.png","element":"img","alt":"CS)","inline":true,"padRight":true},{"text":"based on the sensing models’ output uncertainty. (All","element":"figcaption","subtype":"caption"}],[{"text":"Table ","element":"span"},{"href":"#id-58","text":"2 ","element":"a"},{"text":"shows the certified accuracy on the final outputs of the reasoning component. We see that the sensing-reasoning pipeline provides signifi-cantly higher certified robustness, and even under a high perturbation magnitude on all sensing models’ output confidence (","element":"span"},{"style":{"height":13.59},"width":155.69,"height":33.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/8-17.png","element":"img","alt":"CS = 0.5","inline":true},{"text":"), which means the sensing-reasoning pipeline can still leverage the knowledge to help enhance the robustness given strong attacker. To further illustrate intu-","element":"span"}],[{"text":"itively why such knowledge-based reasoning helps, Figure ","element":"span"},{"href":"#id-59","text":"3 ","element":"a"},{"text":"shows the “margin” — the probability of the ground truth class minus the probability of the wrong class — with or without knowledge integration. We see that, with knowledge integration, we can significantly increase the number of examples with a large “margin” under adversarial perturbations. This explains the improvement of certified robustness, which highly relies on such prediction confident margin.","element":"span"}],[{"text":"We also conduct experiments on PrimateNet, Word50, MNIST, CIFAR10 datasets for the image classification tasks in Appendix ","element":"span"},{"text":"F- ","element":"span"},{"text":"Appendix ","element":"span"},{"text":"H. ","element":"span"},{"text":"We observe similar results that knowledge integration significantly boosts the certified robustness.","element":"span"}]]},{"heading":"6 Related Work","paragraphs":[[{"style":{"fontWeight":"bold"},"text":"Robustness for Single ML model and ML Ensemble. ","element":"span"},{"text":"Lots of efforts have been made to improve the robustness of single ML or ensemble models. Adversarial training ","element":"span"},{"href":"#id-60","referenceIndex":15,"text":"[15]","element":"a"},{"text":", and its variations ","element":"span"},{"href":"#id-61","referenceIndex":48,"text":"[48,","element":"a"}],[{"id":"id-59","style":{"width":"95%"},"width":1516,"height":320,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/9-0.png","element":"img"}],[{"text":"Figure 3: ","element":"figcaption","subtype":"caption"},{"style":{"fontWeight":"bold"},"text":"(Information extraction) ","element":"figcaption","subtype":"caption"},{"text":"Histogram of the ","element":"figcaption","subtype":"caption"},{"style":{"fontWeight":"bold"},"text":"robustness margin ","element":"figcaption","subtype":"caption"},{"text":"(the difference between the probability of the correct class (lower bound) and the top wrong class (upper bound)) under perturbations. If such a difference is positive, it means that the classifier makes the right prediction under perturbations.","element":"figcaption","subtype":"caption"}],[{"href":"#id-62","referenceIndex":31,"text":"31, ","element":"a"},{"href":"#id-6","referenceIndex":54,"text":"54] ","element":"a"},{"text":"have generally been more successful in practice, but usually come at the cost of accuracy and increased training time ","element":"span"},{"href":"#id-63","referenceIndex":49,"text":"[49, ","element":"a"},{"href":"#id-6","referenceIndex":54,"text":"54]","element":"a"},{"text":". To further provide certifiable robustness guarantees for ML models, various certifiable defenses and robustness verification approaches have been proposed ","element":"span"},{"href":"#id-46","referenceIndex":20,"text":"[20, ","element":"a"},{"href":"#id-47","referenceIndex":46,"text":"46, ","element":"a"},{"href":"#id-14","referenceIndex":8,"text":"8, ","element":"a"},{"href":"#id-20","referenceIndex":27,"text":"27, ","element":"a"},{"href":"#id-16","referenceIndex":25,"text":"25]","element":"a"},{"text":". Among these strategies, randomized smoothing ","element":"span"},{"href":"#id-14","referenceIndex":8,"text":"[8] ","element":"a"},{"text":"has achieved scalable performance. With improvements in training, including pretraining and adversarial training, the certified robustness bound can be further improved ","element":"span"},{"href":"#id-64","referenceIndex":4,"text":"[4, ","element":"a"},{"href":"#id-65","referenceIndex":42,"text":"42]","element":"a"},{"text":". In addition to the single ML model, some work proposed to promote the diversity of classifiers and therefore develop a robust ML ensemble ","element":"span"},{"href":"#id-66","referenceIndex":34,"text":"[34, ","element":"a"},{"href":"#id-8","referenceIndex":60,"text":"60, ","element":"a"},{"href":"#id-67","referenceIndex":58,"text":"58, ","element":"a"},{"href":"#id-22","referenceIndex":59,"text":"59]","element":"a"},{"text":". Although promising, these defense approaches, either empirical or theoretical, can only improve the robustness of a single ML or ensemble model. Certifying or improving the robustness of such single or pure ensemble models is very challenging, given that there is no additional information that can be utilized. In addition, the ML learning process usually favors a pipeline that is able to incorporate different sensing components as well as domain knowledge in practice. Thus, certifying the robustness of such pipelines is of great importance.","element":"span"}],[{"style":{"fontWeight":"bold"},"text":"Robustness of End-to-end ML Systems. ","element":"span"},{"text":"There have been intensive studies on joint inference between multiple models, and the predictions based on joint inference can help to further improve the clean accuracy of ML pipelines ","element":"span"},{"href":"#id-30","referenceIndex":56,"text":"[56, ","element":"a"},{"href":"#id-32","referenceIndex":10,"text":"10, ","element":"a"},{"href":"#id-25","referenceIndex":38,"text":"38, ","element":"a"},{"href":"#id-68","referenceIndex":33,"text":"33, ","element":"a"},{"href":"#id-69","referenceIndex":7,"text":"7, ","element":"a"},{"href":"#id-70","referenceIndex":5,"text":"5]","element":"a"},{"text":", which have been applied to a range of real-world applications ","element":"span"},{"href":"#id-27","referenceIndex":2,"text":"[2, ","element":"a"},{"href":"#id-28","referenceIndex":37,"text":"37, ","element":"a"},{"href":"#id-29","referenceIndex":32,"text":"32]","element":"a"},{"text":". Often, these approaches use different statistical inference models such as factor graphs ","element":"span"},{"href":"#id-71","referenceIndex":51,"text":"[51]","element":"a"},{"text":", Markov logic networks ","element":"span"},{"href":"#id-43","referenceIndex":41,"text":"[41]","element":"a"},{"text":", and Bayesian networks ","element":"span"},{"href":"#id-72","referenceIndex":35,"text":"[35] ","element":"a"},{"text":"as a way to integrate domain knowledge. In this paper, we take a different perspective on this problem — instead of treating joint inference as a way to improve the ","element":"span"},{"style":{"fontStyle":"italic"},"text":"clean accuracy","element":"span"},{"text":", we explore the possibility of using it as exogenous information to improve the end-to-end ","element":"span"},{"style":{"fontStyle":"italic"},"text":"certified robustness ","element":"span"},{"text":"of ML pipelines. A recent work ","element":"span"},{"href":"#id-24","referenceIndex":17,"text":"[17] ","element":"a"},{"text":"explores the empirical robustness improvement via knowledge integration, while there is no robustness guarantee provided. As we show in this paper, by integrating domain knowledge, we are able to improve the ","element":"span"},{"style":{"fontStyle":"italic"},"text":"certified robustness ","element":"span"},{"text":"of the ML pipelines significantly.","element":"span"}]]},{"heading":"7 Conclusions","paragraphs":[[{"text":"We provide the first certifiably robust sensing-reasoning pipeline with knowledge-based logical reasoning. We theoretically prove the certified robustness of such ML pipelines, and provide complexity analysis for certifying the reasoning component. Our extensive empirical results demonstrate the certified robustness of sensing-reasoning pipeline, and we believe our work would shed light on future research towards improving and certifying robustness for general ML frameworks as well as different ways to integrate logical reasoning with statistical learning.","element":"span"}],[{"style":{"fontWeight":"bold"},"text":"Acknowledgements ","element":"span"},{"text":"This work is partially supported by the NSF grant No.1910100, NSF CNS No.2046726, C3 AI, and the Alfred P. Sloan Foundation. CZ and the DS3Lab gratefully acknowledge the support from the Swiss State Secretariat for Education, Research and Innovation (SERI) under contract number MB22.00036 (for European Research Council (ERC) Starting Grant TRIDENT 101042665), the Swiss National Science Foundation (Project Number 200021_184628, and 197485), Innosuisse/SNF BRIDGE Discovery (Project Number 40B2-0_187132), European Union Horizon 2020 Research and Innovation Programme (DAPHNE, 957407), Botnar Research Centre for Child Health, Swiss Data Science Center, Alibaba, Cisco, eBay, Google Focused Research Awards, Kuaishou Inc., Oracle Labs, Zurich Insurance, and the Department of Computer Science at ETH Zurich. HG has received funding from the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation programme (grant agreement No. 947778).","element":"span"}]]},{"heading":"References","paragraphs":[[{"id":"id-12","text":"[1] ","element":"span"},{"text":"Anish Athalye, Nicholas Carlini, and David Wagner. Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In ","element":"span"},{"style":{"fontStyle":"italic"},"text":"International Conference on Machine Learning","element":"span"},{"text":", pages 274–283, 2018.","element":"span"}],[{"id":"id-27","text":"[2] ","element":"span"},{"text":"Marenglen Biba, Stefano Ferilli, and Floriana Esposito. Protein fold recognition using markov logic networks. In ","element":"span"},{"style":{"fontStyle":"italic"},"text":"Mathematical Approaches to Polymer Sequence Analysis and Related Problems","element":"span"},{"text":", pages 69–85. Springer, 2011.","element":"span"}],[{"id":"id-0","text":"[3] ","element":"span"},{"text":"Nicholas Carlini and David Wagner. Towards evaluating the robustness of neural networks. In ","element":"span"},{"style":{"fontStyle":"italic"},"text":"2017 ieee symposium on security and privacy (sp)","element":"span"},{"text":", pages 39–57. IEEE, 2017.","element":"span"}],[{"id":"id-64","text":"[4] ","element":"span"},{"text":"Yair Carmon, Aditi Raghunathan, Ludwig Schmidt, Percy Liang, and John C Duchi. Unlabeled data improves adversarial robustness. ","element":"span"},{"style":{"fontStyle":"italic"},"text":"arXiv preprint arXiv:1905.13736","element":"span"},{"text":", 2019.","element":"span"}],[{"id":"id-70","text":"[5] ","element":"span"},{"text":"Deepayan Chakrabarti, Stanislav Funiak, Jonathan Chang, and Sofus A Macskassy. Joint inference of multiple label types in large networks. ","element":"span"},{"style":{"fontStyle":"italic"},"text":"arXiv preprint arXiv:1401.7709","element":"span"},{"text":", 2014.","element":"span"}],[{"id":"id-54","text":"[6] ","element":"span"},{"text":"Liang-Chieh Chen, Alexander Schwing, Alan Yuille, and Raquel Urtasun. Learning deep structured models. In ","element":"span"},{"style":{"fontStyle":"italic"},"text":"International Conference on Machine Learning","element":"span"},{"text":", pages 1785–1794. PMLR, 2015.","element":"span"}],[{"id":"id-69","text":"[7] ","element":"span"},{"text":"Liwei Chen, Yansong Feng, Jinghui Mo, Songfang Huang, and Dongyan Zhao. Joint inference for knowledge base population. In ","element":"span"},{"style":{"fontStyle":"italic"},"text":"Proceedings of the 2014 Conference on Empirical Methods in Natural Language Processing (EMNLP)","element":"span"},{"text":", pages 1912–1923, Doha, Qatar, October 2014. Association for Computational Linguistics.","element":"span"}],[{"id":"id-14","text":"[8] ","element":"span"},{"text":"Jeremy M Cohen, Elan Rosenfeld, and J Zico Kolter. Certified adversarial robustness via randomized smoothing. ","element":"span"},{"style":{"fontStyle":"italic"},"text":"arXiv preprint arXiv:1902.02918","element":"span"},{"text":", 2019.","element":"span"}],[{"id":"id-55","text":"[9] ","element":"span"},{"text":"J. Deng, W. Dong, R. Socher, L.-J. Li, K. Li, and L. Fei-Fei. ImageNet: A Large-Scale Hierarchical Image Database. In ","element":"span"},{"style":{"fontStyle":"italic"},"text":"CVPR09","element":"span"},{"text":", 2009.","element":"span"}],[{"id":"id-32","text":"[10] ","element":"span"},{"text":"Jia Deng, Nan Ding, Yangqing Jia, Andrea Frome, Kevin Murphy, Samy Bengio, Yuan Li, Hartmut Neven, and Hartwig Adam. Large-scale object classification using label relation graphs. In ","element":"span"},{"style":{"fontStyle":"italic"},"text":"European conference on computer vision","element":"span"},{"text":", pages 48–64. Springer, 2014.","element":"span"}],[{"id":"id-74","text":"[11] ","element":"span"},{"text":"Jacob Devlin, Ming-Wei Chang, Kenton Lee, and Kristina Toutanova. BERT: pre-training of deep bidirectional transformers for language understanding. In Jill Burstein, Christy Doran, and Thamar Solorio, editors, ","element":"span"},{"style":{"fontStyle":"italic"},"text":"NAACL-HLT","element":"span"},{"text":", pages 4171–4186. Association for Computational Linguistics, 2019.","element":"span"}],[{"id":"id-56","text":"[12] ","element":"span"},{"text":"Xiao Ding, Yue Zhang, Ting Liu, and Junwen Duan. Using structured events to predict stock price movement: An empirical investigation. In ","element":"span"},{"style":{"fontStyle":"italic"},"text":"Proceedings of the 2014 Conference on Empirical Methods in Natural Language Processing (EMNLP)","element":"span"},{"text":", pages 1415–1425, 2014.","element":"span"}],[{"id":"id-1","text":"[13] Kevin Eykholt, Ivan Evtimov, Earlence Fernandes, Bo Li, Amir Rahmati, Chaowei Xiao, Atul ","element":"span"},{"text":"Prakash, Tadayoshi Kohno, and Dawn Song. Robust physical-world attacks on deep learning visual classification. In ","element":"span"},{"style":{"fontStyle":"italic"},"text":"Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition","element":"span"},{"text":", pages 1625–1634, 2018.","element":"span"}],[{"id":"id-75","text":"[14] Christiane Fellbaum. Wordnet. ","element":"span"},{"style":{"fontStyle":"italic"},"text":"The encyclopedia of applied linguistics","element":"span"},{"text":", 2012.","element":"span"}],[{"id":"id-60","text":"[15] ","element":"span"},{"text":"Ian J. Goodfellow, Jonathon Shlens, and Christian Szegedy. Explaining and harnessing adversarial examples. ","element":"span"},{"style":{"fontStyle":"italic"},"text":"ICLR","element":"span"},{"text":", 2015.","element":"span"}],[{"id":"id-48","text":"[16] ","element":"span"},{"text":"Sven Gowal, Krishnamurthy Dvijotham, Robert Stanforth, Rudy Bunel, Chongli Qin, Jonathan Uesato, Relja Arandjelovic, Timothy Mann, and Pushmeet Kohli. On the effectiveness of interval bound propagation for training verifiably robust models. ","element":"span"},{"style":{"fontStyle":"italic"},"text":"arXiv preprint arXiv:1810.12715","element":"span"},{"text":", 2018.","element":"span"}],[{"id":"id-24","text":"[17] ","element":"span"},{"text":"Nezihe Merve Gürel, Xiangyu Qi, Luka Rimanic, Ce Zhang, and Bo Li. Knowledge enhanced machine learning pipeline against diverse adversarial attacks. ","element":"span"},{"style":{"fontStyle":"italic"},"text":"ICML","element":"span"},{"text":", 2021.","element":"span"}],[{"id":"id-39","text":"[18] ","element":"span"},{"text":"Tuyen N Huynh and Raymond J Mooney. Max-margin weight learning for markov logic networks. In ","element":"span"},{"style":{"fontStyle":"italic"},"text":"Joint European Conference on Machine Learning and Knowledge Discovery in Databases","element":"span"},{"text":", pages 564–579. Springer, 2009.","element":"span"}],[{"id":"id-82","text":"[19] ","element":"span"},{"text":"Jongheon Jeong and Jinwoo Shin. ","element":"span"},{"text":"Consistency regularization for certified robustness of smoothed classifiers. ","element":"span"},{"style":{"fontStyle":"italic"},"text":"Advances in Neural Information Processing Systems","element":"span"},{"text":", 33:10558–10570, 2020.","element":"span"}],[{"id":"id-46","text":"[20] ","element":"span"},{"text":"J Zico Kolter and Eric Wong. Provable defenses against adversarial examples via the convex outer adversarial polytope. ","element":"span"},{"style":{"fontStyle":"italic"},"text":"arXiv preprint arXiv:1711.00851","element":"span"},{"text":", 2017.","element":"span"}],[{"id":"id-38","text":"[21] ","element":"span"},{"text":"Ondrej Kuzelka. Complex markov logic networks: Expressivity and liftability. In ","element":"span"},{"style":{"fontStyle":"italic"},"text":"Conference on Uncertainty in Artificial Intelligence","element":"span"},{"text":", pages 729–738. PMLR, 2020.","element":"span"}],[{"id":"id-9","text":"[22] ","element":"span"},{"text":"Bo Li and Yevgeniy Vorobeychik. Feature cross-substitution in adversarial classification. In ","element":"span"},{"style":{"fontStyle":"italic"},"text":"Advances in neural information processing systems","element":"span"},{"text":", pages 2087–2095, 2014.","element":"span"}],[{"id":"id-5","text":"[23] ","element":"span"},{"text":"Huichen Li, Linyi Li, Xiaojun Xu, Xiaolu Zhang, Shuang Yang, and Bo Li. Nonlinear gradient estimation for query efficient blackbox attack. In ","element":"span"},{"style":{"fontStyle":"italic"},"text":"International Conference on Artificial Intelligence and Statistics (AISTATS 2021)","element":"span"},{"text":", Proceedings of Machine Learning Research. PMLR, 13–15 Apr 2021.","element":"span"}],[{"id":"id-3","text":"[24] ","element":"span"},{"text":"Huichen Li, Xiaojun Xu, Xiaolu Zhang, Shuang Yang, and Bo Li. Qeba: Query-efficient boundary-based blackbox attack. In ","element":"span"},{"style":{"fontStyle":"italic"},"text":"Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition","element":"span"},{"text":", pages 1221–1230, 2020.","element":"span"}],[{"id":"id-16","text":"[25] ","element":"span"},{"text":"Linyi Li, Xiangyu Qi, Tao Xie, and Bo Li. Sok: Certified robustness for deep neural networks. ","element":"span"},{"style":{"fontStyle":"italic"},"text":"arXiv","element":"span"},{"text":", abs/2009.04131, 2020.","element":"span"}],[{"id":"id-15","text":"[26] ","element":"span"},{"text":"Linyi Li, Maurice Weber, Xiaojun Xu, Luka Rimanic, Bhavya Kailkhura, Tao Xie, Ce Zhang, and Bo Li. Tss: Transformation-specific smoothing for robustness certification. In ","element":"span"},{"style":{"fontStyle":"italic"},"text":"ACM Conference on Computer and Communications Security (CCS 2021)","element":"span"},{"text":", 2021.","element":"span"}],[{"id":"id-20","text":"[27] ","element":"span"},{"text":"Linyi Li, Jiawei Zhang, Tao Xie, and Bo Li. Double sampling randomized smoothing. In ","element":"span"},{"style":{"fontStyle":"italic"},"text":"International Conference on Machine Learning","element":"span"},{"text":", 2022.","element":"span"}],[{"id":"id-18","text":"[28] ","element":"span"},{"text":"Linyi Li, Zexuan Zhong, Bo Li, and Tao Xie. Robustra: training provable robust neural networks over reference adversarial space. In ","element":"span"},{"style":{"fontStyle":"italic"},"text":"Proceedings of the 28th International Joint Conference on Artificial Intelligence","element":"span"},{"text":", pages 4711–4717. AAAI Press, 2019.","element":"span"}],[{"id":"id-44","text":"[29] ","element":"span"},{"text":"Daniel Lowd and Pedro Domingos. Efficient weight learning for markov logic networks. In Joost N. Kok, Jacek Koronacki, Ramon Lopez de Mantaras, Stan Matwin, Dunja Mladeniˇc, and Andrzej Skowron, editors, ","element":"span"},{"style":{"fontStyle":"italic"},"text":"Knowledge Discovery in Databases: PKDD 2007","element":"span"},{"text":", pages 200–211, Berlin, Heidelberg, 2007. Springer Berlin Heidelberg.","element":"span"}],[{"id":"id-7","text":"[30] ","element":"span"},{"text":"Xingjun Ma, Bo Li, Yisen Wang, Sarah M Erfani, Sudanthi Wijewickrema, Grant Schoenebeck, Dawn Song, Michael E Houle, and James Bailey. Characterizing adversarial subspaces using local intrinsic dimensionality. ","element":"span"},{"style":{"fontStyle":"italic"},"text":"arXiv preprint arXiv:1801.02613","element":"span"},{"text":", 2018.","element":"span"}],[{"id":"id-62","text":"[31] ","element":"span"},{"text":"Aleksander Madry, Aleksandar Makelov, Ludwig Schmidt, Dimitris Tsipras, and Adrian Vladu. Towards deep learning models resistant to adversarial attacks. ","element":"span"},{"style":{"fontStyle":"italic"},"text":"arXiv preprint arXiv:1706.06083","element":"span"},{"text":", 2017.","element":"span"}],[{"id":"id-29","text":"[32] ","element":"span"},{"text":"Emily K. Mallory, Ce Zhang, Christopher Ré, and Russ B. Altman. Large-scale extraction of gene interactions from full-text literature using DeepDive. ","element":"span"},{"style":{"fontStyle":"italic"},"text":"Bioinformatics","element":"span"},{"text":", 32(1):106–113, 09 2015.","element":"span"}],[{"id":"id-68","text":"[33] ","element":"span"},{"text":"Andrew McCallum. Joint inference for natural language processing. In ","element":"span"},{"style":{"fontStyle":"italic"},"text":"Proceedings of the Thirteenth Conference on Computational Natural Language Learning (CoNLL-2009)","element":"span"},{"text":", page 1, Boulder, Colorado, June 2009. Association for Computational Linguistics.","element":"span"}],[{"id":"id-66","text":"[34] ","element":"span"},{"text":"Tianyu Pang, Kun Xu, Chao Du, Ning Chen, and Jun Zhu. Improving adversarial robustness via promoting ensemble diversity. ","element":"span"},{"style":{"fontStyle":"italic"},"text":"arXiv preprint arXiv:1901.08846","element":"span"},{"text":", 2019.","element":"span"}],[{"id":"id-72","text":"[35] ","element":"span"},{"text":"Judea Pearl. ","element":"span"},{"style":{"fontStyle":"italic"},"text":"Causality: Models, Reasoning, and Inference","element":"span"},{"text":". Cambridge University Press, USA, 2000.","element":"span"}],[{"id":"id-35","text":"[36] Judea Pearl. Bayesian networks. 2011.","element":"span"}],[{"id":"id-28","text":"[37] ","element":"span"},{"text":"Shanan E. Peters, Ce Zhang, Miron Livny, and Christopher Ré. A machine reading system for assembling synthetic paleontological databases. ","element":"span"},{"style":{"fontStyle":"italic"},"text":"PLOS ONE","element":"span"},{"text":", 9(12):1–22, 12 2014.","element":"span"}],[{"id":"id-25","text":"[38] ","element":"span"},{"text":"Hoifung Poon and Pedro Domingos. Joint inference in information extraction. In ","element":"span"},{"style":{"fontStyle":"italic"},"text":"AAAI","element":"span"},{"text":", volume 7, pages 913–918, 2007.","element":"span"}],[{"id":"id-2","text":"[39] ","element":"span"},{"text":"Haonan Qiu, Chaowei Xiao, Lei Yang, Xinchen Yan, Honglak Lee, and Bo Li. Semanticadv: Generating adversarial examples via attribute-conditioned image editing. In ","element":"span"},{"style":{"fontStyle":"italic"},"text":"European Conference on Computer Vision","element":"span"},{"text":", pages 19–37. Springer, 2020.","element":"span"}],[{"id":"id-34","text":"[40] ","element":"span"},{"text":"Matthew Richardson and Pedro Domingos. Markov logic networks. ","element":"span"},{"style":{"fontStyle":"italic"},"text":"Machine learning","element":"span"},{"text":", 62(1-2):107–136, 2006.","element":"span"}],[{"id":"id-43","text":"[41] ","element":"span"},{"text":"Matthew Richardson and Pedro Domingos. Markov logic networks. ","element":"span"},{"style":{"fontStyle":"italic"},"text":"Machine Learning","element":"span"},{"text":", 62(1-2):107–136, 2006.","element":"span"}],[{"id":"id-65","text":"[42] ","element":"span"},{"text":"Hadi Salman, Jerry Li, Ilya Razenshteyn, Pengchuan Zhang, Huan Zhang, Sebastien Bubeck, and Greg Yang. Provably robust deep learning via adversarially trained smoothed classifiers. In ","element":"span"},{"style":{"fontStyle":"italic"},"text":"Advances in Neural Information Processing Systems","element":"span"},{"text":", pages 11289–11300, 2019.","element":"span"}],[{"id":"id-31","text":"[43] ","element":"span"},{"text":"Shibani Santurkar, Dimitris Tsipras, Mahalaxmi Elango, David Bau, Antonio Torralba, and Aleksander Madry. Editing a classifier by rewriting its prediction rules. ","element":"span"},{"style":{"fontStyle":"italic"},"text":"Advances in Neural Information Processing Systems","element":"span"},{"text":", 34:23359–23373, 2021.","element":"span"}],[{"id":"id-10","text":"[44] ","element":"span"},{"text":"Ali Shafahi, Mahyar Najibi, Amin Ghiasi, Zheng Xu, John Dickerson, Christoph Studer, Larry S Davis, Gavin Taylor, and Tom Goldstein. Adversarial training for free! ","element":"span"},{"style":{"fontStyle":"italic"},"text":"arXiv preprint arXiv:1904.12843","element":"span"},{"text":", 2019.","element":"span"}],[{"id":"id-53","text":"[45] ","element":"span"},{"text":"Johannes Stallkamp, Marc Schlipsing, Jan Salmen, and Christian Igel. Man vs. computer: Benchmarking machine learning algorithms for traffic sign recognition. ","element":"span"},{"style":{"fontStyle":"italic"},"text":"Neural networks","element":"span"},{"text":", 32:323–332, 2012.","element":"span"}],[{"id":"id-47","text":"[46] ","element":"span"},{"text":"Vincent Tjeng, Kai Xiao, and Russ Tedrake. Evaluating robustness of neural networks with mixed integer programming. ","element":"span"},{"style":{"fontStyle":"italic"},"text":"arXiv preprint arXiv:1711.07356","element":"span"},{"text":", 2017.","element":"span"}],[{"id":"id-13","text":"[47] ","element":"span"},{"text":"Florian Tramer, Nicholas Carlini, Wieland Brendel, and Aleksander Madry. On adaptive attacks to adversarial example defenses. ","element":"span"},{"style":{"fontStyle":"italic"},"text":"arXiv preprint arXiv:2002.08347","element":"span"},{"text":", 2020.","element":"span"}],[{"id":"id-61","text":"[48] ","element":"span"},{"text":"Florian Tramèr, Alexey Kurakin, Nicolas Papernot, Dan Boneh, and Patrick McDaniel. Ensemble adversarial training: Attacks and defenses. ","element":"span"},{"style":{"fontStyle":"italic"},"text":"ICLR","element":"span"},{"text":", 2018.","element":"span"}],[{"id":"id-63","text":"[49] ","element":"span"},{"text":"Dimitris Tsipras, Shibani Santurkar, Logan Engstrom, Alexander Turner, and Aleksander Madry. Robustness may be at odds with accuracy). ","element":"span"},{"style":{"fontStyle":"italic"},"text":"ICLR 2019","element":"span"},{"text":", 2018.","element":"span"}],[{"id":"id-36","text":"[50] ","element":"span"},{"text":"L.G. Valiant. The complexity of computing the permanent. ","element":"span"},{"style":{"fontStyle":"italic"},"text":"Theoretical Computer Science","element":"span"},{"text":", 8(2):189–201, 1979.","element":"span"}],[{"id":"id-71","text":"[51] ","element":"span"},{"text":"Martin J. Wainwright and Michael I. Jordan. Graphical models, exponential families, and variational inference. ","element":"span"},{"style":{"fontStyle":"italic"},"text":"Foundations and Trends® in Machine Learning","element":"span"},{"text":", 1(1–2):1–305, 2008.","element":"span"}],[{"id":"id-50","text":"[52] ","element":"span"},{"text":"Lily Weng, Huan Zhang, Hongge Chen, Zhao Song, Cho-Jui Hsieh, Luca Daniel, Duane Boning, and Inderjit Dhillon. Towards fast computation of certified robustness for relu networks. In ","element":"span"},{"style":{"fontStyle":"italic"},"text":"International Conference on Machine Learning","element":"span"},{"text":", pages 5276–5285, 2018.","element":"span"}],[{"id":"id-11","text":"[53] ","element":"span"},{"text":"Chaowei Xiao, Ruizhi Deng, Bo Li, Taesung Lee, Benjamin Edwards, Jinfeng Yi, Dawn Song, Mingyan Liu, and Ian Molloy. Advit: Adversarial frames identifier based on temporal consistency in videos. In ","element":"span"},{"style":{"fontStyle":"italic"},"text":"Proceedings of the IEEE/CVF International Conference on Computer Vision","element":"span"},{"text":", pages 3968–3977, 2019.","element":"span"}],[{"id":"id-6","text":"[54] Chaowei Xiao, Ruizhi Deng, Bo Li, Fisher Yu, Mingyan Liu, and Dawn Song. Characterizing ","element":"span"},{"text":"adversarial examples based on spatial consistency information for semantic segmentation. In ","element":"span"},{"style":{"fontStyle":"italic"},"text":"Proceedings of the European Conference on Computer Vision (ECCV)","element":"span"},{"text":", pages 217–234, 2018.","element":"span"}],[{"id":"id-17","text":"[55] ","element":"span"},{"text":"Kaidi Xu, Zhouxing Shi, Huan Zhang, Yihan Wang, Kai-Wei Chang, Minlie Huang, Bhavya Kailkhura, Xue Lin, and Cho-Jui Hsieh. Automatic perturbation analysis for scalable certified robustness and beyond. ","element":"span"},{"style":{"fontStyle":"italic"},"text":"Advances in Neural Information Processing Systems","element":"span"},{"text":", 33, 2020.","element":"span"}],[{"id":"id-30","text":"[56] ","element":"span"},{"text":"Zhe Xu, Ivan Gavran, Yousef Ahmad, Rupak Majumdar, Daniel Neider, Ufuk Topcu, and Bo Wu. Joint inference of reward machines and policies for reinforcement learning. ","element":"span"},{"style":{"fontStyle":"italic"},"text":"arXiv preprint arXiv:1909.05912","element":"span"},{"text":", 2019.","element":"span"}],[{"id":"id-23","text":"[57] ","element":"span"},{"text":"Greg Yang, Tony Duan, J Edward Hu, Hadi Salman, Ilya Razenshteyn, and Jerry Li. Randomized smoothing of all shapes and sizes. In ","element":"span"},{"style":{"fontStyle":"italic"},"text":"International Conference on Machine Learning","element":"span"},{"text":", pages 10693–10705. PMLR, 2020.","element":"span"}],[{"id":"id-67","text":"[58] ","element":"span"},{"text":"Zhuolin Yang, Linyi Li, Xiaojun Xu, Bhavya Kailkhura, Tao Xie, and Bo Li. On the certified robustness for ensemble models and beyond. ","element":"span"},{"style":{"fontStyle":"italic"},"text":"ICLR","element":"span"},{"text":", 2021.","element":"span"}],[{"id":"id-22","text":"[59] ","element":"span"},{"text":"Zhuolin Yang, Linyi Li, Xiaojun Xu, Bhavya Kailkhura, Tao Xie, and Bo Li. On the certi-fied robustness for ensemble models and beyond. In ","element":"span"},{"style":{"fontStyle":"italic"},"text":"International Conference on Learning Representations","element":"span"},{"text":", 2022.","element":"span"}],[{"id":"id-8","text":"[60] ","element":"span"},{"text":"Zhuolin Yang, Linyi Li, Xiaojun Xu, Shiliang Zuo, Qian Chen, Pan Zhou, Benjamin I. P. Rubinstein, Ce Zhang, and Bo Li. Trs: Transferability reduced ensemble via promoting gradient","element":"span"}],[{"text":"diversity and model smoothness. In ","element":"span"},{"style":{"fontStyle":"italic"},"text":"Neural Information Processing Systems (NeurIPS 2021)","element":"span"},{"text":", 2021.","element":"span"}],[{"id":"id-21","text":"[61] ","element":"span"},{"text":"Zhuolin Yang, Linyi Li, Xiaojun Xu, Shiliang Zuo, Qian Chen, Pan Zhou, Benjamin I P Rubinstein, Ce Zhang, and Bo Li. Trs: Transferability reduced ensemble via promoting gradient diversity and model smoothness. In ","element":"span"},{"style":{"fontStyle":"italic"},"text":"Advances in Neural Information Processing Systems","element":"span"},{"text":", 2021.","element":"span"}],[{"id":"id-19","text":"[62] ","element":"span"},{"text":"Zhuolin Yang, Zhikuan Zhao, Boxin Wang, Jiawei Zhang, Linyi Li, Hengzhi Pei, Bojan Karlaš, Ji Liu, Heng Guo, Ce Zhang, and Bo Li. Improving certified robustness via statistical learning with logical reasoning. ","element":"span"},{"style":{"fontStyle":"italic"},"text":"NeurIPS","element":"span"},{"text":", 2022.","element":"span"}],[{"id":"id-26","text":"[63] ","element":"span"},{"text":"Ce Zhang, Christopher Ré, Michael Cafarella, Christopher De Sa, Alex Ratner, Jaeho Shin, Feiran Wang, and Sen Wu. Deepdive: Declarative knowledge base construction. ","element":"span"},{"style":{"fontStyle":"italic"},"text":"Commun. ACM","element":"span"},{"text":", 60(5):93–102, April 2017.","element":"span"}],[{"id":"id-49","text":"[64] ","element":"span"},{"text":"Huan Zhang, Tsui-Wei Weng, Pin-Yu Chen, Cho-Jui Hsieh, and Luca Daniel. Efficient neural network robustness certification with general activation functions. In ","element":"span"},{"style":{"fontStyle":"italic"},"text":"Advances in neural information processing systems","element":"span"},{"text":", pages 4939–4948, 2018.","element":"span"}],[{"id":"id-4","text":"[65] ","element":"span"},{"text":"Jiawei Zhang, Linyi Li, Huichen Li, Xiaolu Zhang, Shuang Yang, and Bo Li. Progressive-scale boundary blackbox attack via projective gradient estimation. ","element":"span"},{"style":{"fontStyle":"italic"},"text":"ICML","element":"span"},{"text":", 2022.","element":"span"}]]},{"heading":"Checklist","paragraphs":[[{"style":{"width":"19%"},"width":306,"height":28,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/14-0.png","element":"img"}],[{"text":"(a) Do the main claims made in the abstract and introduction accurately reflect the paper’s contributions and scope? ","element":"span"},{"text":"[Yes]","element":"span"}],[{"text":"(b) Did you describe the limitations of your work? ","element":"span"},{"text":"[Yes] ","element":"span"},{"text":"We have mentioned the future improvement of our work in the related work part.","element":"span"}],[{"text":"(c) Did you discuss any potential negative societal impacts of your work? ","element":"span"},{"text":"[Yes] ","element":"span"},{"text":"This work will not infer obvious negative societal impacts.","element":"span"}],[{"text":"(d) Have you read the ethics review guidelines and ensured that your paper conforms to them? ","element":"span"},{"text":"[Yes]","element":"span"}],[{"style":{"width":"43%"},"width":685,"height":37,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/14-1.png","element":"img"}],[{"text":"(a) Did you state the full set of assumptions of all theoretical results? ","element":"span"},{"text":"[Yes] ","element":"span"},{"text":"The assumptions have been all mentioned in the main paper and appendices.","element":"span"}],[{"text":"(b) Did you include complete proofs of all theoretical results? ","element":"span"},{"text":"[Yes] ","element":"span"},{"text":"The whole proofs are provided in Appendix ","element":"span"},{"text":"A ","element":"span"},{"text":"- ","element":"span"},{"text":"C.","element":"span"}],[{"style":{"width":"27%"},"width":437,"height":37,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/14-2.png","element":"img"}],[{"text":"(a) Did you include the code, data, and instructions needed to reproduce the main experimental results (either in the supplemental material or as a URL)? ","element":"span"},{"text":"[Yes] ","element":"span"},{"text":"The code is provided at ","element":"span"},{"href":"https://github.com/Sensing-Reasoning/Sensing-Reasoning-Pipeline","style":{"fontFamily":"monospace"},"text":"https://github.com/Sensing-Reasoning/ ","element":"a"},{"href":"https://github.com/Sensing-Reasoning/Sensing-Reasoning-Pipeline","style":{"fontFamily":"monospace"},"text":"Sensing-Reasoning-Pipeline","element":"a"},{"text":".","element":"span"}],[{"text":"(b) Did you specify all the training details (e.g., data splits, hyperparameters, how they were chosen)? ","element":"span"},{"text":"[Yes] ","element":"span"},{"text":"All the training details have been provided in the Appendix ","element":"span"},{"text":"D ","element":"span"},{"text":"- ","element":"span"},{"text":"I.","element":"span"}],[{"text":"(c) Did you report error bars (e.g., with respect to the random seed after running experiments multiple times)? ","element":"span"},{"text":"[Yes] ","element":"span"},{"text":"The confidence of the reported certification results in the paper is guaranteed to be at least ","element":"span"},{"text":"99","element":"span"},{"style":{"fontStyle":"italic"},"text":".","element":"span"},{"text":"9%","element":"span"},{"text":", as mentioned in our main paper.","element":"span"}],[{"text":"(d) Did you include the total amount of compute and the type of resources used (e.g., type of GPUs, internal cluster, or cloud provider)? ","element":"span"},{"text":"[Yes] ","element":"span"},{"text":"The detailed information is mentioned in Appendix ","element":"span"},{"text":"D.","element":"span"}],[{"style":{"width":"94%"},"width":1495,"height":37,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/14-3.png","element":"img"}],[{"text":"(a) If your work uses existing assets, did you cite the creators? ","element":"span"},{"text":"[Yes] ","element":"span"},{"text":"(b) Did you mention the license of the assets? ","element":"span"},{"text":"[Yes] ","element":"span"},{"text":"(c) Did you include any new assets either in the supplemental material or as a URL? ","element":"span"},{"text":"[Yes] ","element":"span"},{"text":"(d) Did you discuss whether and how consent was obtained from people whose data you’re using/curating? ","element":"span"},{"text":"[Yes] ","element":"span"},{"text":"We only use public and commonly used data.","element":"span"}],[{"text":"(e) Did you discuss whether the data you are using/curating contains personally identifiable information or offensive content? ","element":"span"},{"text":"[Yes] ","element":"span"},{"text":"We only use public and commonly used data.","element":"span"}],[{"style":{"width":"75%"},"width":1199,"height":37,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/14-4.png","element":"img"}],[{"text":"(a) Did you include the full text of instructions given to participants and screenshots, if applicable? ","element":"span"},{"text":"[N/A]","element":"span"}],[{"text":"(b) Did you describe any potential participant risks, with links to Institutional Review Board (IRB) approvals, if applicable? ","element":"span"},{"text":"[N/A]","element":"span"}],[{"text":"(c) Did you include the estimated hourly wage paid to participants and the total amount spent on participant compensation? ","element":"span"},{"text":"[N/A]","element":"span"}]]},{"heading":"A Hardness of General Distribution","paragraphs":[[{"text":"We first recall the following definitions:","element":"span"}],[{"style":{"fontWeight":"bold"},"text":"Counting. ","element":"span"},{"text":"Given input polynomial-time computable weight function ","element":"span"},{"style":{"height":16},"width":72.17,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/15-0.png","element":"img","alt":" w(·)","inline":true,"padRight":true},{"text":"and query function ","element":"span"},{"style":{"height":16},"width":83.57,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/15-1.png","element":"img","alt":" Q(·),","inline":true,"padRight":true},{"text":"parameters ","element":"span"},{"style":{"height":6.8},"width":26,"height":17,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/15-2.png","element":"img","alt":" α","inline":true},{"text":", a real number ","element":"span"},{"style":{"height":13.2},"width":323.34,"height":33,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/15-3.png","element":"img","alt":" ϵ > 0, a COUNTING","inline":true,"padRight":true},{"text":"oracle outputs a real number ","element":"span"},{"style":{"fontStyle":"italic"},"text":"Z ","element":"span"},{"text":"such that","element":"span"}],[{"style":{"width":"34%"},"width":549,"height":92,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/15-4.png","element":"img"}],[{"style":{"fontWeight":"bold"},"text":"Robustness. ","element":"span"},{"text":"Given input polynomial-time computable weight function ","element":"span"},{"style":{"height":16},"width":72.17,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/15-5.png","element":"img","alt":" w(·)","inline":true,"padRight":true},{"text":"and query function ","element":"span"},{"style":{"height":16},"width":83.57,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/15-6.png","element":"img","alt":" Q(·),","inline":true,"padRight":true},{"text":"parameters ","element":"span"},{"style":{"height":6.8},"width":26,"height":17,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/15-7.png","element":"img","alt":" α","inline":true},{"text":", two real numbers ","element":"span"},{"style":{"height":14},"width":529.81,"height":35,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/15-8.png","element":"img","alt":" ϵ > 0 and δ > 0, a ROBUSTNESS","inline":true,"padRight":true},{"text":"oracle decides, for any ","element":"span"},{"style":{"height":14.99},"width":162.94,"height":37.46,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/15-9.png","element":"img","alt":" α′ ∈ P [m]","inline":true,"padRight":true},{"text":"such that ","element":"span"},{"style":{"height":16.78},"width":257.92,"height":41.96,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/15-10.png","element":"img","alt":" ∥α − α′∥∞ ≤ ϵ","inline":true},{"text":", whether the following is true:","element":"span"}],[{"style":{"width":"42%"},"width":672,"height":31,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/15-11.png","element":"img"}],[{"style":{"fontWeight":"bold"},"text":"Proof of Theorem ","element":"span"},{"href":"#id-45","style":{"fontWeight":"bold"},"text":"1","element":"a"}],[{"style":{"fontWeight":"bold"},"text":"Theorem ","element":"span"},{"href":"#id-45","style":{"fontWeight":"bold"},"text":"1 ","element":"a"},{"text":"(C","element":"span"},{"text":"OUNTING ","element":"span"},{"style":{"height":12.8},"width":286.11,"height":32,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/15-12.png","element":"img","alt":" ≤t ROBUSTNESS","inline":true},{"text":")","element":"span"},{"style":{"fontWeight":"bold"},"text":". ","element":"span"},{"text":"Given polynomial-time computable weight function ","element":"span"},{"style":{"height":16},"width":72.16,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/15-13.png","element":"img","alt":"w(·)","inline":true,"padRight":true},{"text":"and query function ","element":"span"},{"style":{"height":16},"width":74.07,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/15-14.png","element":"img","alt":" Q(·)","inline":true},{"text":", parameters ","element":"span"},{"style":{"height":6.8},"width":26,"height":17,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/15-15.png","element":"img","alt":" α","inline":true,"padRight":true},{"text":"and real number ","element":"span"},{"style":{"height":11.6},"width":97.87,"height":29,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/15-16.png","element":"img","alt":" ϵ > 0","inline":true},{"text":", the instance of C","element":"span"},{"text":"OUNTING","element":"span"},{"text":", ","element":"span"},{"style":{"height":16},"width":187.56,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/15-17.png","element":"img","alt":"(w, Q, α, ϵ)","inline":true,"padRight":true},{"text":"can be determined by up to ","element":"span"},{"style":{"height":17.38},"width":139.31,"height":43.46,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/15-18.png","element":"img","alt":" O(1/ε2c)","inline":true,"padRight":true},{"text":"queries of the R","element":"span"},{"text":"OBUSTNESS ","element":"span"},{"text":"oracle with input ","element":"span"},{"text":"perturbation ","element":"span"},{"style":{"height":16},"width":176.62,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/15-19.png","element":"img","alt":" ϵ = O(εc).","inline":true}],[{"style":{"fontStyle":"italic"},"text":"Proof. ","element":"span"},{"text":"Let ","element":"span"},{"style":{"height":16},"width":187.55,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/15-20.png","element":"img","alt":" (w, Q, α, ϵ)","inline":true,"padRight":true},{"text":"be an instance of C","element":"span"},{"text":"OUNTING","element":"span"},{"text":". Define a new distribution ","element":"span"},{"style":{"height":11.59},"width":35.42,"height":28.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/15-21.png","element":"img","alt":" τβ","inline":true,"padRight":true},{"text":"over ","element":"span"},{"style":{"fontStyle":"italic"},"text":"X ","element":"span"},{"text":"with a single parameter ","element":"span"},{"style":{"height":14.4},"width":102.38,"height":36,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/15-22.png","element":"img","alt":" β ∈ R","inline":true,"padRight":true},{"text":"such that ","element":"span"},{"style":{"height":16.79},"width":270.22,"height":41.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/15-23.png","element":"img","alt":" τβ(σ) ∝ t(σ; β),","inline":true,"padRight":true},{"text":"where ","element":"span"},{"style":{"height":16},"width":514.12,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/15-24.png","element":"img","alt":" t(σ; β) = w(σ; α) exp(βQ(σ)).","inline":true,"padRight":true},{"text":"Since ","element":"span"},{"style":{"fontStyle":"italic"},"text":"Q ","element":"span"},{"text":"is polynomial-time computable, ","element":"span"},{"style":{"height":11.59},"width":35.42,"height":28.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/15-25.png","element":"img","alt":" τβ","inline":true,"padRight":true},{"text":"is accessible for any ","element":"span"},{"style":{"height":14.4},"width":23,"height":36,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/15-26.png","element":"img","alt":" β","inline":true},{"text":". We will choose ","element":"span"},{"style":{"height":14.4},"width":23,"height":36,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/15-27.png","element":"img","alt":" β","inline":true,"padRight":true},{"text":"later. For ","element":"span"},{"style":{"height":16},"width":160.83,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/15-28.png","element":"img","alt":" i ∈ {0, 1}","inline":true},{"text":", define ","element":"span"},{"style":{"height":19.58},"width":428.22,"height":48.96,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/15-29.png","element":"img","alt":" Zi := �σ:Q(σ)=i w(σ; α).","inline":true,"padRight":true},{"text":"Then we have","element":"span"}],[{"style":{"width":"64%"},"width":1019,"height":97,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/15-30.png","element":"img"}],[{"text":"We further define","element":"span"}],[{"style":{"width":"87%"},"width":1379,"height":660,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/15-31.png","element":"img"}],[{"text":"Easy calculation implies that for ","element":"span"},{"style":{"height":16.99},"width":478.99,"height":42.46,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/15-32.png","element":"img","alt":" x > 0, Y +(β, x) > Y −(β, x)","inline":true,"padRight":true},{"text":"if and only if ","element":"span"},{"style":{"height":14.59},"width":120.26,"height":36.46,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/15-33.png","element":"img","alt":" R > eβ","inline":true},{"text":". Note that","element":"span"}],[{"style":{"width":"50%"},"width":808,"height":235,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/15-34.png","element":"img"}],[{"text":"The two maximum are achieved when ","element":"span"},{"style":{"height":14.18},"width":197.06,"height":35.46,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/15-35.png","element":"img","alt":" R = eβ±x/2","inline":true},{"text":". We will choose ","element":"span"},{"style":{"height":16},"width":283.44,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/15-36.png","element":"img","alt":" x = O(ϵ). Define","inline":true}],[{"style":{"width":"42%"},"width":678,"height":207,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/15-37.png","element":"img"}],[{"text":"This function ","element":"span"},{"style":{"fontStyle":"italic"},"text":"Y ","element":"span"},{"text":"is increasing in ","element":"span"},{"style":{"height":16},"width":259.68,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/16-0.png","element":"img","alt":" [0, log R − x/2]","inline":true},{"text":", decreasing in ","element":"span"},{"style":{"height":16},"width":328.43,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/16-1.png","element":"img","alt":" [log R − x/2, log R]","inline":true},{"text":", increasing in ","element":"span"},{"text":"[log ","element":"span"},{"style":{"fontStyle":"italic"},"text":"R, ","element":"span"},{"text":"log ","element":"span"},{"style":{"fontStyle":"italic"},"text":"R ","element":"span"},{"text":"+ ","element":"span"},{"style":{"fontStyle":"italic"},"text":"x/","element":"span"},{"text":"2] ","element":"span"},{"text":"again, and decreasing in ","element":"span"},{"style":{"height":16},"width":284.64,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/16-2.png","element":"img","alt":" [log R + x/2, ∞)","inline":true,"padRight":true},{"text":"once again.","element":"span"}],[{"text":"Our goal is to estimate ","element":"span"},{"style":{"fontStyle":"italic"},"text":"R","element":"span"},{"text":". For any fixed ","element":"span"},{"style":{"height":14.4},"width":23,"height":36,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/16-3.png","element":"img","alt":" β","inline":true},{"text":", we will query the R","element":"span"},{"text":"OBUSTNESS ","element":"span"},{"text":"oracle with parameters ","element":"span"},{"style":{"height":16},"width":214.88,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/16-4.png","element":"img","alt":"(t, Q, β, x, δ)","inline":true},{"text":". Using binary search in ","element":"span"},{"style":{"height":11.6},"width":19,"height":29,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/16-5.png","element":"img","alt":" δ","inline":true},{"text":", we can estimate the function ","element":"span"},{"style":{"height":16},"width":88.13,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/16-6.png","element":"img","alt":" Y (β)","inline":true,"padRight":true},{"text":"above efficiently with additive error ","element":"span"},{"style":{"height":5.78},"width":30.18,"height":14.46,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/16-7.png","element":"img","alt":" ϵ′","inline":true,"padRight":true},{"text":"with at most ","element":"span"},{"style":{"height":19.37},"width":154.74,"height":48.43,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/16-8.png","element":"img","alt":" O(log 1ϵ′ )","inline":true,"padRight":true},{"text":"oracle calls. We use binary search once again in ","element":"span"},{"style":{"height":14.4},"width":23,"height":36,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/16-9.png","element":"img","alt":" β","inline":true,"padRight":true},{"text":"so that it","element":"span"}],[{"style":{"width":"100%"},"width":1587,"height":51,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/16-10.png","element":"img"}],[{"text":"In particular, ","element":"span"},{"style":{"height":26.03},"width":303.17,"height":65.07,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/16-11.png","element":"img","alt":" Y (β0) ≥ ex/2−12(ex/2+1)","inline":true},{"text":". Note that here ","element":"span"},{"style":{"height":9.59},"width":34.58,"height":23.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/16-12.png","element":"img","alt":" ε0","inline":true,"padRight":true},{"text":"is the accumulated error from binary searching ","element":"span"},{"text":"twice.","element":"span"}],[{"text":"We claim that ","element":"span"},{"style":{"height":14.4},"width":38.54,"height":36,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/16-13.png","element":"img","alt":" β0","inline":true,"padRight":true},{"text":"is a good estimator for ","element":"span"},{"text":"log ","element":"span"},{"style":{"fontStyle":"italic"},"text":"R","element":"span"},{"text":". First assume that ","element":"span"},{"style":{"height":14.58},"width":138.32,"height":36.46,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/16-14.png","element":"img","alt":" eβ0 < R","inline":true},{"text":", which implies that","element":"span"}],[{"style":{"width":"83%"},"width":1329,"height":741,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/16-15.png","element":"img"}],[{"text":"Let ","element":"span"},{"style":{"height":16.99},"width":190.91,"height":42.46,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/16-16.png","element":"img","alt":" ρ := Re−β0","inline":true},{"text":". Note that ","element":"span"},{"style":{"height":14},"width":93.74,"height":35,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/16-17.png","element":"img","alt":" ρ > 1","inline":true},{"text":". We choose ","element":"span"},{"style":{"height":32.39},"width":866.84,"height":80.97,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/16-18.png","element":"img","alt":" ε0 := 12�ex/2−1ex/2+1�3. Then��√ρ −�ex/ρ�� < ex/2 − 1.","inline":true}],[{"text":"If ","element":"span"},{"style":{"height":13.78},"width":130.21,"height":34.46,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/16-19.png","element":"img","alt":" ρ ≥ ex","inline":true},{"text":", then","element":"span"},{"style":{"height":29.53},"width":468.63,"height":73.82,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/16-20.png","element":"img","alt":"��√ρ −�ex/ρ�� ≥ ex/2 − 1","inline":true},{"text":", a contradiction. Thus, ","element":"span"},{"style":{"height":13.78},"width":130.2,"height":34.46,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/16-21.png","element":"img","alt":" ρ < ex","inline":true},{"text":". It implies that ","element":"span"},{"style":{"height":19.97},"width":220.74,"height":49.93,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/16-22.png","element":"img","alt":"1 < Reβ0 < ex","inline":true},{"text":". Similarly for the case of ","element":"span"},{"style":{"height":14.58},"width":138.32,"height":36.46,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/16-23.png","element":"img","alt":" eβ0 > R","inline":true},{"text":", we have that ","element":"span"},{"style":{"height":19.97},"width":247.78,"height":49.93,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/16-24.png","element":"img","alt":" e−x < Reβ0 < 1","inline":true},{"text":". Thus in both cases, ","element":"span"},{"text":"we have our estimator ","element":"span"},{"style":{"height":19.97},"width":276.39,"height":49.94,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/16-25.png","element":"img","alt":" e−x < Reβ0 < ex.","inline":true}],[{"text":"Finally, to estimate ","element":"span"},{"style":{"height":20.97},"width":414.06,"height":52.43,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/16-26.png","element":"img","alt":" E[σ ∼ πα]Q(σ) = 11+R","inline":true,"padRight":true},{"text":"with multiplicative error ","element":"span"},{"style":{"height":0},"width":20,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/16-27.png","element":"img","alt":" ϵ","inline":true},{"text":", we only need to pick ","element":"span"},{"style":{"height":16},"width":396.06,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/16-28.png","element":"img","alt":"x := log(1 + ϵ) = O(ϵ).","inline":true}]]},{"heading":"B Robustness of MLN","paragraphs":[[{"style":{"fontWeight":"bold"},"text":"Lagrange multipliers","element":"span"}],[{"text":"Before proving the robustness result of MLN, we first briefly review the technique of Lagrange multipliers for constrained optimization: Consider following problem ","element":"span"},{"style":{"fontFamily":"monospace"},"text":"P","element":"span"},{"text":",","element":"span"}],[{"style":{"width":"63%"},"width":1007,"height":60,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/16-29.png","element":"img"}],[{"text":"Introducing another real variable ","element":"span"},{"style":{"height":10.8},"width":23,"height":27,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/16-30.png","element":"img","alt":" λ","inline":true},{"text":", we define following problem ","element":"span"},{"style":{"height":12},"width":51.84,"height":30,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/16-31.png","element":"img","alt":" P’,","inline":true}],[{"style":{"width":"90%"},"width":1431,"height":203,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/16-32.png","element":"img"}],[{"style":{"fontWeight":"bold"},"text":"Proof of Lemma ","element":"span"},{"href":"#id-73","style":{"fontWeight":"bold"},"text":"4.1","element":"a"}],[{"style":{"fontWeight":"bold"},"text":"Lemma ","element":"span"},{"href":"#id-73","style":{"fontWeight":"bold"},"text":"4.1 ","element":"a"},{"text":"(MLN Robustness)","element":"span"},{"style":{"fontWeight":"bold"},"text":". ","element":"span"},{"text":"Given access to partition functions ","element":"span"},{"style":{"height":17.68},"width":289.37,"height":44.2,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/16-33.png","element":"img","alt":" Z1({pi(X)}i∈[n])","inline":true,"padRight":true},{"text":"and ","element":"span"},{"style":{"height":17.68},"width":289.37,"height":44.2,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/16-34.png","element":"img","alt":"Z2({pi(X)}i∈[n])","inline":true},{"text":", and a maximum perturbations ","element":"span"},{"style":{"height":17.68},"width":337.68,"height":44.2,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/16-35.png","element":"img","alt":" {Ci}i∈[n], ∀ϵ1, ..., ϵn","inline":true},{"text":", if ","element":"span"},{"style":{"height":16},"width":210.4,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/16-36.png","element":"img","alt":" ∀i. |ϵi| < Ci","inline":true},{"text":", we have","element":"span"}],[{"text":"that ","element":"span"},{"style":{"height":14},"width":264.32,"height":35,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/17-0.png","element":"img","alt":" ∀λ1, ..., λn ∈ R,","inline":true}],[{"style":{"width":"83%"},"width":1331,"height":518,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/17-1.png","element":"img"}],[{"style":{"fontStyle":"italic"},"text":"Proof. ","element":"span"},{"text":"Consider the upper bound, we have","element":"span"}],[{"style":{"width":"78%"},"width":1237,"height":286,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/17-2.png","element":"img"}],[{"text":"Introducing Lagrange multipliers ","element":"span"},{"style":{"height":16},"width":76.44,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/17-3.png","element":"img","alt":" {λi}","inline":true},{"text":". Note that any choice of ","element":"span"},{"style":{"height":16},"width":76.44,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/17-4.png","element":"img","alt":" {λi}","inline":true,"padRight":true},{"text":"corresponds to a valid upper bound. Thus ","element":"span"},{"style":{"height":14},"width":254.54,"height":35,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/17-5.png","element":"img","alt":" ∀λ1, ..., λn ∈ R","inline":true},{"text":", we can reformulate the above into","element":"span"}],[{"style":{"width":"86%"},"width":1367,"height":540,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/17-6.png","element":"img"}],[{"text":"We have the claimed upper-bound,","element":"span"}],[{"style":{"width":"71%"},"width":1130,"height":172,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/17-7.png","element":"img"}],[{"text":"Similarly, the lower-bound can be written in terms of Lagrange multipliers, and ","element":"span"},{"style":{"height":14},"width":320.73,"height":35,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/17-8.png","element":"img","alt":" ∀λ1, ..., λn ∈ R, we","inline":true,"padRight":true},{"text":"have","element":"span"}],[{"style":{"width":"99%"},"width":1572,"height":558,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/17-9.png","element":"img"}]]},{"heading":"C Supplementary Results for Algorithm 1","paragraphs":[[{"style":{"width":"2%"},"width":36,"height":2,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/18-0.png","element":"img"}],[{"style":{"fontWeight":"bold"},"text":"Proposition ","element":"span"},{"text":"(Monotonicity)","element":"span"},{"style":{"fontWeight":"bold"},"text":". ","element":"span"},{"text":"When ","element":"span"},{"style":{"height":13.2},"width":109.65,"height":33,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/18-1.png","element":"img","alt":" λi ≥ 0","inline":true},{"text":", ","element":"span"},{"style":{"height":17.68},"width":218.13,"height":44.2,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/18-2.png","element":"img","alt":"�Zr({ϵi}i∈[n])","inline":true,"padRight":true},{"text":"monotonically increases w.r.t. ","element":"span"},{"style":{"height":7.2},"width":27.18,"height":18,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/18-3.png","element":"img","alt":" ϵi","inline":true},{"text":"; When ","element":"span"},{"style":{"height":17.68},"width":378.62,"height":44.2,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/18-4.png","element":"img","alt":"λi ≤ −1, �Zr({ϵi}i∈[n])","inline":true,"padRight":true},{"text":"monotonically decreases w.r.t. ","element":"span"},{"style":{"height":7.2},"width":39.44,"height":18,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/18-5.png","element":"img","alt":" ϵi.","inline":true}],[{"style":{"width":"82%"},"width":1315,"height":234,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/18-6.png","element":"img"}],[{"text":"where ","element":"span"},{"style":{"height":16},"width":646.24,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/18-7.png","element":"img","alt":" wGi(pi(x)) = log[pi(X)/(1 − pi(X))]","inline":true,"padRight":true},{"text":"and ","element":"span"},{"style":{"height":16},"width":377.08,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/18-8.png","element":"img","alt":" I1 = Σ ∧ {σ(v) = 1}","inline":true,"padRight":true},{"text":"and ","element":"span"},{"style":{"height":13.19},"width":131.06,"height":32.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/18-9.png","element":"img","alt":" I2 = Σ","inline":true},{"text":". We can rewrite the perturbation on ","element":"span"},{"style":{"height":16},"width":100.96,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/18-10.png","element":"img","alt":" pi(X)","inline":true,"padRight":true},{"text":"as a perturbation on ","element":"span"},{"style":{"height":16},"width":579.18,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/18-11.png","element":"img","alt":" wGi: wGi(pi(X) + ϵi) = wGi + ˜ϵi,","inline":true}],[{"text":"where","element":"span"}],[{"style":{"width":"38%"},"width":616,"height":94,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/18-12.png","element":"img"}],[{"text":"Note that ","element":"span"},{"style":{"height":13.19},"width":27.18,"height":32.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/18-13.png","element":"img","alt":" ˜ϵi","inline":true,"padRight":true},{"text":"is monatomic in ","element":"span"},{"style":{"height":7.2},"width":27.17,"height":18,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/18-14.png","element":"img","alt":" ϵi","inline":true},{"text":". We also have","element":"span"}],[{"style":{"width":"71%"},"width":1135,"height":45,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/18-15.png","element":"img"}],[{"text":"We can hence apply the same Lagrange multiplier procedure as in the above proof of Lemma 6 and conclude that","element":"span"}],[{"style":{"width":"57%"},"width":905,"height":193,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/18-16.png","element":"img"}],[{"text":"where ","element":"span"},{"style":{"height":16.15},"width":505.28,"height":40.38,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/18-17.png","element":"img","alt":" ϵi ∈ [−Ci, Ci] ˜ϵi ∈ [−C′i, C′i]","inline":true,"padRight":true},{"text":"with ","element":"span"},{"style":{"height":28.8},"width":528.94,"height":72,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/18-18.png","element":"img","alt":" C′i = log�(1−pi(X))(pi(X)+Ci)pi(X)(1−pi(X)−Ci)�","inline":true},{"text":". We are now in the","element":"span"}],[{"style":{"width":"86%"},"width":1374,"height":404,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/18-19.png","element":"img"}],[{"text":"Since ","element":"span"},{"style":{"height":16},"width":842.87,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/18-20.png","element":"img","alt":" σ(xi) ∈ {0, 1}, when λi ≥ 0, σ(xi) + λi ≥ 0 and �Zr","inline":true,"padRight":true},{"text":"monotonically increases in ","element":"span"},{"style":{"height":13.19},"width":195.48,"height":32.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/18-21.png","element":"img","alt":" ˜ϵi and hence","inline":true,"padRight":true},{"text":"in ","element":"span"},{"style":{"height":16},"width":686.57,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/18-22.png","element":"img","alt":" ϵi. When λi ≤ −1, σ(xi) + λi ≤ 0 and �Zr","inline":true,"padRight":true},{"text":"monotonically decreases in ","element":"span"},{"style":{"height":13.19},"width":27.18,"height":32.97,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/18-23.png","element":"img","alt":" ˜ϵi","inline":true,"padRight":true},{"text":"and hence in ","element":"span"},{"style":{"height":7.2},"width":39.44,"height":18,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/18-24.png","element":"img","alt":" ϵi.","inline":true}],[{"style":{"width":"90%"},"width":1429,"height":677,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/18-25.png","element":"img"}],[{"text":"The above is simply the variance of ","element":"span"},{"style":{"height":16},"width":174.12,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/18-26.png","element":"img","alt":" σ(xi) + λi","inline":true},{"text":", namely ","element":"span"},{"style":{"height":21.11},"width":663.21,"height":52.76,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/18-27.png","element":"img","alt":" E�(σ(xi) + λi)2�− E [σ(xi) + λi]2 ≥ 0","inline":true},{"text":". The convexity of ","element":"span"},{"style":{"height":13.59},"width":263.74,"height":33.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/18-28.png","element":"img","alt":"�Zr in ˜ϵi follows.","inline":true}]]},{"heading":"D Image Classiﬁcation on Road Sign Dataset","paragraphs":[[{"text":"All the experiments shown in Appendix ","element":"span"},{"text":"D ","element":"span"},{"text":"- ","element":"span"},{"text":"I ","element":"span"},{"text":"are run on 4 RTX 2080 Ti GPUs.","element":"span"}],[{"style":{"fontWeight":"bold"},"text":"Task and Dataset. ","element":"span"},{"text":"For road sign classification task, the whole dataset can be viewed as a subset of GTSRB dataset ","element":"span"},{"href":"#id-53","referenceIndex":45,"text":"[45]","element":"a"},{"text":", which contains 12 types of German road signs {\"Stop”, \"Priority Road”, \"Yield”, \"Construction Area”, \"Keep Right”, \"Turn Left”, \"Do not Enter”, \"No Vihicles”, \"Speed Limit 20”, \"Speed Limit 50”, \"Speed Limit 120”, \"End of Previous Limitation”}, with 14880 training samples, 972 validation samples and 3888 testing samples in total. Besides the road sign classes, we construct ","element":"span"},{"text":"13 ","element":"span"},{"text":"attribute classes as follows:","element":"span"}],[{"style":{"width":"67%"},"width":1068,"height":216,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/19-0.png","element":"img"}],[{"text":"Based on the indication direction from road sign classes to attribute classes, and the exclusive relationship between attribute classes with the same type, we develop the following two types of knowledge rules as follows:","element":"span"}],[{"text":"• Indication rules ","element":"span"},{"text":"(","element":"span"},{"style":{"fontStyle":"italic"},"text":"u, v","element":"span"},{"text":")","element":"span"},{"text":": Road sign class ","element":"span"},{"style":{"fontStyle":"italic"},"text":"u ","element":"span"},{"text":"indicates attribute ","element":"span"},{"style":{"fontStyle":"italic"},"text":"v","element":"span"},{"text":".","element":"span"}],[{"text":"• Exclusion rules ","element":"span"},{"text":"(","element":"span"},{"style":{"fontStyle":"italic"},"text":"u, v","element":"span"},{"text":")","element":"span"},{"text":": Attribute classes ","element":"span"},{"style":{"fontStyle":"italic"},"text":"u ","element":"span"},{"text":"and ","element":"span"},{"style":{"fontStyle":"italic"},"text":"v ","element":"span"},{"text":"with the same type (\"Shape”, \"Color”, \"Digit” or \"Content”) are naturally exclusive. (e.g., One road sign can not have \"Octagon” shape and \"Triangle” shape at the same time.)","element":"span"}],[{"style":{"fontWeight":"bold"},"text":"Knowledge. ","element":"span"},{"text":"We construct our first-order logical rules based on our predefined indication and exclusion knowledge as follows:","element":"span"}],[{"text":"• Indication edge ","element":"span"},{"style":{"height":8.8},"width":150.3,"height":22,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/19-1.png","element":"img","alt":" u =⇒ v","inline":true},{"text":": if one object belongs to road sign class ","element":"span"},{"style":{"fontStyle":"italic"},"text":"u","element":"span"},{"text":", it should have attribute ","element":"span"},{"style":{"fontStyle":"italic"},"text":"u","element":"span"},{"text":":","element":"span"}],[{"style":{"width":"92%"},"width":1471,"height":193,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/19-2.png","element":"img"}],[{"style":{"fontWeight":"bold"},"text":"Intuitive Example. ","element":"span"},{"text":"Following the HEX graph-based knowledge structure and rules, we will show several adversary scenarios which could be mitigated through the inference reasoning phase. For instance, if the “Construction Area\" object is attacked to be “Stop Sign\" while other sensing nodes remain unaffected, like the border shape is still detected as the “Triangle” shape. Then the indication knowledge rule (The “Stop Sign\" object should have the “Octagon” border shape) and the exclusive knowledge rule (No class can have the “Triangle” border shape and “Octagon” shape at the same time) would be violated. Such violation of the knowledge rules would discourage our pipeline to predict “Stop Sign\" as what the attacker wants. However, the sensing-reasoning pipeline may not distinguish the “Yield\", and “Construction Area\" classes if the attacker fooled the “Construction Area\" sensing completely, which shows the limitation of such structural knowledge, and more knowledge would be required in this case to help improve the robustness.","element":"span"}],[{"id":"id-76","style":{"width":"79%"},"width":1254,"height":382,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/20-0.png","element":"img"}],[{"text":"Figure 4: ","element":"figcaption","subtype":"caption"},{"style":{"fontWeight":"bold"},"text":"PrimateNet","element":"figcaption","subtype":"caption"},{"text":". The knowledge structure of PrimateNet dataset. The ","element":"figcaption","subtype":"caption"},{"style":{"fontWeight":"bold"},"text":"Blue ","element":"figcaption","subtype":"caption"},{"text":"arrows represent the Hierarchical rules between different classes, and the ","element":"figcaption","subtype":"caption"},{"style":{"fontWeight":"bold"},"text":"Red ","element":"figcaption","subtype":"caption"},{"text":"arrows represent the Exclusive rules. Some exclusive rules are omitted due to the space limit.","element":"figcaption","subtype":"caption"}]]},{"heading":"E Information Extraction on Stock News","paragraphs":[[{"text":"To further evaluate the certified robustness of the reasoning component, in this section we will focus on the perturbation directly added to the reasoning component (e.g. ","element":"span"},{"style":{"height":13.19},"width":48.48,"height":32.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/20-1.png","element":"img","alt":" CS","inline":true,"padRight":true},{"text":"in Figure ","element":"span"},{"href":"#id-33","text":"1)","element":"a"},{"text":".","element":"span"}],[{"style":{"fontWeight":"bold"},"text":"Tasks and Dataset. ","element":"span"},{"text":"We consider information extraction tasks in NLP based on a stock news dataset — HighTech dataset which consists of both daily closing asset price and financial news from ","element":"span"},{"style":{"fontStyle":"italic"},"text":"2006 ","element":"span"},{"text":"to ","element":"span"},{"style":{"fontStyle":"italic"},"text":"2013 ","element":"span"},{"href":"#id-56","referenceIndex":12,"text":"[12]","element":"a"},{"text":". We choose 9 companies with the most news, resulting in 4810 articles related to 9 stocks filtered by company name. We split the dataset into training and testing days chronologically. We define three information extraction tasks as our sensing models: ","element":"span"},{"style":{"fontFamily":"monospace"},"text":"StockPrice(Day, Company, Price)","element":"span"},{"text":", ","element":"span"},{"style":{"fontFamily":"monospace"},"text":"StockPriceChange(Day, Company, Percent)","element":"span"},{"text":", ","element":"span"},{"style":{"fontFamily":"monospace"},"text":"StockPriceGain(Day, Company)","element":"span"},{"text":". The domain knowledge that we integrate depicts the relationships between these relations. We describe the three information extraction tasks in details below:","element":"span"}],[{"text":"• ","element":"span"},{"style":{"fontWeight":"bold"},"text":"StockPrice(day, company, price) ","element":"span"},{"text":"In this task, we aim to extract the daily closing price of the stock from the article. We first extract numbers in every sentence from the article as candidate relations. Then we label every relation by the given daily closing asset price: label the relation whose number starts with \"$\" and has the minimum difference with the given closing price as positive and label others as negative. We train a BERT-based classifier ","element":"span"},{"href":"#id-74","referenceIndex":11,"text":"[11] ","element":"a"},{"text":"as the sensing model to judge the relation of whether the number was the closing price of the stock on that day and output the confidence.","element":"span"}],[{"text":"• ","element":"span"},{"style":{"fontWeight":"bold"},"text":"StockPriceChange(day, company, percent) ","element":"span"},{"text":"In this task, we want to extract the percentage that the closing price of the stock changed from the collected news articles. We first extract numbers in every sentence from the articles as candidate relations. Then we label every relation via yesterday’s and today’s closing asset price. We train a BERT-based classifier as the sensing model to judge the relations of whether the number was the change rate of the closing price of the stock on that day and output the confidence.","element":"span"}],[{"text":"• ","element":"span"},{"style":{"fontWeight":"bold"},"text":"StockPriceGain(day, company, gain) ","element":"span"},{"text":"In this task, we want to extract information about whether the closing price of the stock rose or fell on the day based on the news article. We treat each sentence with the stock name and the numbers which start with \"$\" as a candidate. Then we judge each relationship by whether it indicates the stock price rose or fell by counting the positive and negative words in the sentence. We label the relation as positive: when ","element":"span"},{"style":{"fontStyle":"italic"},"text":"Count(positive word) > Count(negative words)","element":"span"},{"text":"; and negative: when ","element":"span"},{"style":{"fontStyle":"italic"},"text":"Count(positive word) < Count(negative words)","element":"span"},{"text":". We train a BERT-based classifier as the sensing model and output the confidence.","element":"span"}],[{"style":{"fontWeight":"bold"},"text":"Implementation Details. ","element":"span"},{"text":"To train BERT classifiers, we use the final hidden state of the first token [CLS] from BERT as the representation of the whole input and we apply dropout with probability ","element":"span"},{"style":{"fontStyle":"italic"},"text":"p ","element":"span"},{"text":"= 0","element":"span"},{"style":{"fontStyle":"italic"},"text":".","element":"span"},{"text":"5 ","element":"span"},{"text":"on this final hidden state. A fully connected layer is added to the top of BERT for classification. To fine-tune the BERT classifiers for three information tasks, we use Adam optimization with a learning rate of ","element":"span"},{"style":{"height":13.78},"width":80.76,"height":34.46,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/20-2.png","element":"img","alt":" 10−5","inline":true,"padRight":true},{"text":"and weight decay of ","element":"span"},{"style":{"height":13.38},"width":80.76,"height":33.46,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/20-3.png","element":"img","alt":" 10−4","inline":true},{"text":". We train our classifiers for 30 epochs with the batch size of 32.","element":"span"}],[{"style":{"fontWeight":"bold"},"text":"Knowledge. ","element":"span"},{"text":"We construct a new test set for the above three tasks. Specifically, for each news article, given the current date ","element":"span"},{"style":{"fontStyle":"italic"},"text":"d ","element":"span"},{"text":"and company name, we extract stock price ","element":"span"},{"style":{"height":10},"width":36.04,"height":25,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/20-4.png","element":"img","alt":" p1","inline":true,"padRight":true},{"text":"on the current date, and stock price ","element":"span"},{"style":{"height":10},"width":36.05,"height":25,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/20-5.png","element":"img","alt":" p0","inline":true,"padRight":true},{"text":"on the date before the current date. We also predict whether the stock price goes up or down ","element":"span"},{"style":{"fontStyle":"italic"},"text":"y ","element":"span"},{"text":"(","element":"span"},{"style":{"fontStyle":"italic"},"text":"y ","element":"span"},{"text":"= 0 ","element":"span"},{"text":"if the prediction is “down” otherwise ","element":"span"},{"style":{"fontStyle":"italic"},"text":"y ","element":"span"},{"text":"= 1","element":"span"},{"text":") and extract the percentage of stock price ","element":"span"},{"text":"change ","element":"span"},{"style":{"height":14.4},"width":23,"height":36,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/21-0.png","element":"img","alt":" β","inline":true},{"text":". The extracted information forms a 4-tuple ","element":"span"},{"style":{"height":16},"width":206.1,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/21-1.png","element":"img","alt":" (p0, p1, y, β)","inline":true,"padRight":true},{"text":"that satisfies the following rules (knowledge):","element":"span"}],[{"text":"• ","element":"span"},{"style":{"fontWeight":"bold"},"text":"Rule 1","element":"span"},{"text":": The extracted stock price ","element":"span"},{"style":{"height":10},"width":36.05,"height":25,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/21-2.png","element":"img","alt":" p0","inline":true,"padRight":true},{"text":"and ","element":"span"},{"style":{"height":10},"width":36.05,"height":25,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/21-3.png","element":"img","alt":" p1","inline":true,"padRight":true},{"text":"(sensing model ","element":"span"},{"style":{"fontFamily":"monospace"},"text":"StockPrice","element":"span"},{"text":") should be consistent with the stock price change prediction (sensing model ","element":"span"},{"style":{"fontFamily":"monospace"},"text":"StockPriceGain","element":"span"},{"text":").","element":"span"}],[{"style":{"width":"58%"},"width":928,"height":41,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/21-4.png","element":"img"}],[{"text":"• ","element":"span"},{"style":{"fontWeight":"bold"},"text":"Rule 2","element":"span"},{"text":": The extracted stock price ","element":"span"},{"style":{"height":10},"width":36.05,"height":25,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/21-5.png","element":"img","alt":" p0","inline":true,"padRight":true},{"text":"and ","element":"span"},{"style":{"height":10},"width":36.05,"height":25,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/21-6.png","element":"img","alt":" p1","inline":true,"padRight":true},{"text":"(sensing model ","element":"span"},{"style":{"fontFamily":"monospace"},"text":"StockPrice","element":"span"},{"text":") should be consistent with the percentage change of stock price prediction (sensing model ","element":"span"},{"style":{"fontFamily":"monospace"},"text":"StockPriceChange","element":"span"},{"text":").","element":"span"}],[{"style":{"width":"67%"},"width":1069,"height":48,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/21-7.png","element":"img"}],[{"style":{"fontWeight":"bold"},"text":"Threat Model. ","element":"span"},{"text":"We attack sensing models by adding perturbations on a sensing group’s top-","element":"span"},{"text":"1 ","element":"span"},{"text":"confidence value ","element":"span"},{"style":{"fontStyle":"italic"},"text":"P ","element":"span"},{"text":"without change other choices’ confidence value on the perturbed sensing position: ","element":"span"},{"style":{"height":17.78},"width":760.32,"height":44.46,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/21-8.png","element":"img","alt":"P ′ = clip(P − CS, 10−5, 1 − 10−5), where CS","inline":true,"padRight":true},{"text":"is the perturbation scale on the confidence output of sensing models. In our attack setting, we add perturbations to all sensing groups.","element":"span"}],[{"style":{"fontWeight":"bold"},"text":"Intuitive Example. ","element":"span"},{"text":"Here we show an intuitive example of how our knowledge can help improve the ML robustness under adversarial attacks. Assume our sensors extract the correct stock price information ","element":"span"},{"style":{"height":16},"width":243.62,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/21-9.png","element":"img","alt":" (p∗0, p∗1, y∗, β∗)","inline":true},{"text":", where price ","element":"span"},{"style":{"height":14.94},"width":127.55,"height":37.36,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/21-10.png","element":"img","alt":" p∗0 > p∗1","inline":true,"padRight":true},{"text":"and the stock price change is “down\" (","element":"span"},{"style":{"fontStyle":"italic"},"text":"y ","element":"span"},{"text":"= 0","element":"span"},{"text":") by ","element":"span"},{"style":{"height":15.2},"width":57.64,"height":38,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/21-11.png","element":"img","alt":"β%","inline":true},{"text":". Now if the first stock price extraction sensor is attacked to output an incorrect prediction ","element":"span"},{"style":{"height":10.76},"width":36.05,"height":26.89,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/21-12.png","element":"img","alt":" p′0","inline":true,"padRight":true},{"text":"such that ","element":"span"},{"style":{"height":14.94},"width":132.02,"height":37.35,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/21-13.png","element":"img","alt":" p′0 < p∗1","inline":true,"padRight":true},{"text":"while other sensors remain intact; ","element":"span"},{"style":{"height":10.76},"width":36.05,"height":26.89,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/21-14.png","element":"img","alt":" p′0","inline":true,"padRight":true},{"text":"will violate our knowledge rules 1 and 2. ","element":"span"},{"text":"Specifically, the stock price change ","element":"span"},{"style":{"height":14.94},"width":197.92,"height":37.35,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/21-15.png","element":"img","alt":" p′0 − p∗1 < 0","inline":true,"padRight":true},{"text":"is inconsistent with stock price change prediction ","element":"span"},{"style":{"fontStyle":"italic"},"text":"y ","element":"span"},{"text":"= 0","element":"span"},{"text":", i.e., ","element":"span"},{"style":{"height":14.94},"width":217.52,"height":37.36,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/21-16.png","element":"img","alt":" p′0 − p∗1 > 0","inline":true},{"text":". As a result, our reasoning component will reduce the confidence of ","element":"span"},{"text":"the wrong prediction ","element":"span"},{"style":{"height":10.76},"width":36.04,"height":26.89,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/21-17.png","element":"img","alt":" p′0","inline":true,"padRight":true},{"text":"and increase the confidence of the ground truth ","element":"span"},{"style":{"height":14.94},"width":36.05,"height":37.36,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/21-18.png","element":"img","alt":" p∗0","inline":true,"padRight":true},{"text":"as it is consistent with ","element":"span"},{"text":"knowledge rules, therefore potentially recovering the correct prediction of ","element":"span"},{"style":{"height":14.94},"width":48.36,"height":37.35,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/21-19.png","element":"img","alt":" p∗0.","inline":true}]]},{"heading":"F Image Classiﬁcation on PrimateNet Dataset","paragraphs":[[{"style":{"fontWeight":"bold"},"text":"Task and Dataset. ","element":"span"},{"text":"We aim to evaluate the certified robustness of our sensing-reasoning pipeline on large-scale dataset such as ImageNet ILSVRC2012 ","element":"span"},{"href":"#id-55","referenceIndex":9,"text":"[9]","element":"a"},{"text":". In particular, to obtain domain knowledge for the images, we select 18 Primate animal categories to form a PrimateNet dataset, containing {Orangutan, Gorilla, Chimpanzee, Gibbon, Siamang, Madagascar cat, Woolly indris, Guenon, Baboon, Macaque, Langur, Colobus, Marmosets, Capuchin monkey, Howler monkey, Titi monkey, Spider monkey, Squirrel monkey}. Moreover, we create 7 internal classes {Greater ape, Lesser ape, Ape, Lemur, Old-world monkey, New-world monkey, Monkey} to construct the hierarchical structure according to the WordNet ","element":"span"},{"href":"#id-75","referenceIndex":14,"text":"[14]","element":"a"},{"text":". With such a hierarchical structure, we can build the Primate-class Hierarchy and Exclusion(HEX) graph based on the concepts from ","element":"span"},{"href":"#id-32","referenceIndex":10,"text":"[10] ","element":"a"},{"text":"as shown in Fig ","element":"span"},{"href":"#id-76","text":"4. ","element":"a"},{"text":"Within the HEX graph, we develop two types of knowledge rules described as follows:","element":"span"}],[{"text":"• Hierarchy rules ","element":"span"},{"text":"(","element":"span"},{"style":{"fontStyle":"italic"},"text":"u, v","element":"span"},{"text":")","element":"span"},{"text":": class ","element":"span"},{"style":{"fontStyle":"italic"},"text":"u ","element":"span"},{"text":"subsumes class ","element":"span"},{"style":{"fontStyle":"italic"},"text":"v ","element":"span"},{"text":"(e.g. Great Ape subsumes Gorilla);","element":"span"}],[{"text":"• Exclusion edge ","element":"span"},{"text":"(","element":"span"},{"style":{"fontStyle":"italic"},"text":"u, v","element":"span"},{"text":")","element":"span"},{"text":": class ","element":"span"},{"style":{"fontStyle":"italic"},"text":"u ","element":"span"},{"text":"and class ","element":"span"},{"style":{"fontStyle":"italic"},"text":"v ","element":"span"},{"text":"are naturally exclusive (e.g. Gorilla cannot belong to Great Ape and Lesser Ape at the same time).","element":"span"}],[{"text":"We consider each class in the HEX graph as the prediction of one sensing model in the sensing-reasoning pipeline, and we construct 25 sensing models as the leaf and internal nodes in the HEX graph. Here we use the MLN as our reasoning component connecting to these sensing models.","element":"span"}],[{"style":{"fontWeight":"bold"},"text":"Implementation details. ","element":"span"},{"text":"For each leaf sensing model, we utilize 1300 images from the ILSVRC2012 training set and 50 images from the ILSVRC2012 dev set. We split the 1300 images into 1000 images for training and 300 for testing. For each internal node, we uniformly sample the training images from all its children nodes’ training images to form its training set with the same size 1300, since there are no specific instances belonging to internal nodes’ categories in PrimateNet.","element":"span"}],[{"text":"During training, we utilize the sensing DNN model for each node in the knowledge hierarchy to output the probability value given the input images. The models consist of a pre-trained ResNet18 feature extractor concatenated by two Fully-Connected layers with ReLU activation. In order to provide the certified robustness of the end-to-end sensing-reasoning pipeline, we adapt the randomized smoothing strategy mentioned in ","element":"span"},{"href":"#id-14","referenceIndex":8,"text":"[8] ","element":"a"},{"text":"to certify the robustness of sensing models, and then compose it with the certified robustness of the reasoning component. Specifically, we smoothed our sensing models by ","element":"span"},{"text":"adding the isotropic Gaussian noise ","element":"span"},{"style":{"height":17.39},"width":239.78,"height":43.47,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/22-0.png","element":"img","alt":" ϵ ∼ N(0, σ2I)","inline":true,"padRight":true},{"text":"to the training images during training. We train each sensing model for 80 epochs with the Adam optimizer (initial learning rate is set to ","element":"span"},{"style":{"height":16.59},"width":164.3,"height":41.47,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/22-1.png","element":"img","alt":" 2 × 10−4)","inline":true,"padRight":true},{"text":"and evaluate the sensing models’ performance on the validation set containing 50 images after every training epoch to avoid over-fitting. During testing, we certify the robustness of trained sensing models with the same smoothing parameter ","element":"span"},{"style":{"height":6.8},"width":23,"height":17,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/22-2.png","element":"img","alt":" σ","inline":true,"padRight":true},{"text":"used during model training.","element":"span"}],[{"style":{"fontWeight":"bold"},"text":"Knowledge. ","element":"span"},{"text":"The knowledge used in this task includes the ","element":"span"},{"style":{"fontStyle":"italic"},"text":"hierarchical ","element":"span"},{"text":"and ","element":"span"},{"style":{"fontStyle":"italic"},"text":"exclusive ","element":"span"},{"text":"relationships between different categories of the sensing predictions. For instance, the category “Ape\" would include all the instances classified as “Greater ape, Lesser ape\" (hierarchical); and there should not be any intersection for instances predicted as “Monkey\" or “Lemur\" (exclusive). Thus, we build our knowledge rules based on the structural relationships such as hierarchy and exclusion knowledge:","element":"span"}],[{"text":"• ","element":"span"},{"style":{"fontWeight":"bold"},"text":"Hierarchy edge ","element":"span"},{"style":{"height":8.8},"width":150.29,"height":22,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/22-3.png","element":"img","alt":" u =⇒ v","inline":true},{"text":": If one object belongs to class ","element":"span"},{"style":{"fontStyle":"italic"},"text":"u","element":"span"},{"text":", it should belong to class ","element":"span"},{"style":{"fontStyle":"italic"},"text":"v ","element":"span"},{"text":"as well:","element":"span"}],[{"style":{"width":"58%"},"width":929,"height":35,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/22-4.png","element":"img"}],[{"text":"• ","element":"span"},{"style":{"fontWeight":"bold"},"text":"Exclusion edge ","element":"span"},{"style":{"height":10.4},"width":90.52,"height":26,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/22-5.png","element":"img","alt":" u ⊕ v","inline":true},{"text":": One object should not belong to class ","element":"span"},{"style":{"fontStyle":"italic"},"text":"u ","element":"span"},{"text":"and class ","element":"span"},{"style":{"fontStyle":"italic"},"text":"v ","element":"span"},{"text":"at the same time:","element":"span"}],[{"style":{"width":"57%"},"width":916,"height":35,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/22-6.png","element":"img"}],[{"style":{"fontWeight":"bold"},"text":"Threat Model. ","element":"span"},{"text":"In this paper, we consider a strong attacker who has access to perturbing several sensing models’ input instances during inference time. To perform the attack, the attacker will add perturbation ","element":"span"},{"style":{"height":11.6},"width":19,"height":29,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/22-7.png","element":"img","alt":" δ","inline":true},{"text":", bounded by ","element":"span"},{"style":{"height":13.19},"width":43.48,"height":32.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/22-8.png","element":"img","alt":" CI","inline":true,"padRight":true},{"text":"under the ","element":"span"},{"style":{"height":7.6},"width":32.6,"height":19,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/22-9.png","element":"img","alt":" ℓ2","inline":true,"padRight":true},{"text":"norm, onto the test instance against the victim sensing models: ","element":"span"},{"style":{"height":16},"width":178.05,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/22-10.png","element":"img","alt":" ||δ||2 < CI","inline":true},{"text":". In particular, we consider the attacker to attack ","element":"span"},{"style":{"height":6.8},"width":26,"height":17,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/22-11.png","element":"img","alt":" α","inline":true,"padRight":true},{"text":"percent of the total sensing models.","element":"span"}],[{"text":"Since we apply randomized smoothing to sensing models during training, for each sensing model, we can certify the output probability ","element":"span"},{"style":{"height":10},"width":34.05,"height":25,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/22-12.png","element":"img","alt":" p′","inline":true,"padRight":true},{"text":"as a function of the original confidence ","element":"span"},{"style":{"fontStyle":"italic"},"text":"p","element":"span"},{"text":", the bound of the perturbation ","element":"span"},{"style":{"height":13.19},"width":43.48,"height":32.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/22-13.png","element":"img","alt":" CI","inline":true},{"text":", and smoothing parameter ","element":"span"},{"style":{"height":6.8},"width":23,"height":17,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/22-14.png","element":"img","alt":" σ","inline":true,"padRight":true},{"text":"according to Corollary 2 as below:","element":"span"}],[{"style":{"width":"48%"},"width":774,"height":45,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/22-15.png","element":"img"}],[{"style":{"fontWeight":"bold"},"text":"Evaluation Metrics. ","element":"span"},{"text":"To evaluate the certified robustness of sensing-reasoning pipeline, we focus on the standard ","element":"span"},{"style":{"fontStyle":"italic"},"text":"certified accuracy ","element":"span"},{"text":"on a given test set, and the ","element":"span"},{"style":{"fontStyle":"italic"},"text":"certified ratio ","element":"span"},{"text":"measuring the percentage of instances that could be certified within a certain perturbation magnitude/radius.","element":"span"}],[{"text":"Based on the previous analysis, given the ","element":"span"},{"style":{"height":7.6},"width":32.61,"height":19,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/22-16.png","element":"img","alt":" ℓ2","inline":true,"padRight":true},{"text":"based perturbation bound ","element":"span"},{"style":{"height":13.19},"width":43.48,"height":32.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/22-17.png","element":"img","alt":" CI","inline":true},{"text":", we can certify the output probability of the sensing-reasoning pipeline as ","element":"span"},{"text":"[","element":"span"},{"style":{"fontStyle":"italic"},"text":"L","element":"span"},{"style":{"fontStyle":"italic"},"text":", ","element":"span"},{"style":{"fontStyle":"italic"},"text":"U","element":"span"},{"text":"]","element":"span"},{"text":". In order to evaluate the certified robustness of sensing-reasoning pipeline, we define the ","element":"span"},{"style":{"fontWeight":"bold"},"text":"Certified Robustness","element":"span"},{"text":", measuring the percentage of instances that could be certified to make correct prediction within a perturbation radius, to evaluate the certified robustness following existing work ","element":"span"},{"href":"#id-14","referenceIndex":8,"text":"[8]","element":"a"},{"text":", which is formally defined as:","element":"span"}],[{"style":{"width":"59%"},"width":948,"height":95,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/22-18.png","element":"img"}],[{"text":"where ","element":"span"},{"style":{"fontStyle":"italic"},"text":"N ","element":"span"},{"text":"refers to the number instances and ","element":"span"},{"style":{"height":10},"width":30.54,"height":25,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/22-19.png","element":"img","alt":" yi","inline":true,"padRight":true},{"text":"the ground truth label of the given instance ","element":"span"},{"style":{"height":16},"width":94.18,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/22-20.png","element":"img","alt":" i. I(·)","inline":true,"padRight":true},{"text":"is an indicator function which outputs 1 when its argument takes value true and 0 otherwise.","element":"span"}],[{"text":"Moreover, we report the ","element":"span"},{"style":{"fontWeight":"bold"},"text":"Certified Ratio ","element":"span"},{"text":"to measure the percentage of instances that could be certified as a consistent prediction within a perturbation radius (even the consistent prediction might be wrong). The Certified Ratio is defined as:","element":"span"}],[{"style":{"width":"34%"},"width":541,"height":95,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/22-21.png","element":"img"}],[{"text":"Here the lower and upper bounds of the output probability ","element":"span"},{"style":{"height":13.19},"width":152.55,"height":32.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/22-22.png","element":"img","alt":" Li and Ui","inline":true,"padRight":true},{"text":"indicate the binary prediction of each sensing model. We assume when the output probability is less than 0.5, it outputs 0.","element":"span"}],[{"style":{"fontWeight":"bold"},"text":"Intuitive Example. ","element":"span"},{"text":"Following the HEX graph-based knowledge structure and rules, we will show several adversary scenarios which could be mitigated through the inference reasoning phase. For instance, based on Figure ","element":"span"},{"href":"#id-76","text":"4, ","element":"a"},{"text":"if one “Gorilla\" object is attacked to be “Siamang\" while other sensing nodes remain unaffected, the hierarchical knowledge rule (An object belongs to “Great Ape\" class cannot belong to “Siamang\" class) and the exclusive knowledge rule (No object could belong to “Great","element":"span"}],[{"id":"id-78","text":"Table 3: ","element":"figcaption","subtype":"caption"},{"style":{"fontStyle":"italic"},"text":"Benign ","element":"figcaption","subtype":"caption"},{"text":"accuracy (i.e. ","element":"figcaption","subtype":"caption"},{"style":{"height":12.8},"width":245.59,"height":32,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/23-0.png","element":"img","alt":" CI = 0, α = 0","inline":true},{"text":") of models with and without knowledge under different smoothing parameters ","element":"figcaption","subtype":"caption"},{"style":{"height":6.4},"width":21,"height":16,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/23-1.png","element":"img","alt":" σ","inline":true,"padRight":true},{"text":"evaluated on PrimateNet.","element":"figcaption","subtype":"caption"}],[{"style":{"width":"47%"},"width":758,"height":182,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/23-2.png","element":"img"}],[{"id":"id-77","text":"Table 4: ","element":"figcaption","subtype":"caption"},{"text":"Certified Robustness and Certified Ratio under different perturbation magnitude ","element":"figcaption","subtype":"caption"},{"style":{"height":11.6},"width":40.31,"height":28.99,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/23-3.png","element":"img","alt":" CI","inline":true,"padRight":true},{"text":"and sensing model attack ratio ","element":"figcaption","subtype":"caption"},{"style":{"height":6.4},"width":24,"height":16,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/23-4.png","element":"img","alt":" α","inline":true,"padRight":true},{"text":"on PrimateNet. The sensing models are smoothed with Gaussian noise ","element":"figcaption","subtype":"caption"},{"style":{"height":16.09},"width":316.44,"height":40.24,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/23-5.png","element":"img","alt":" ϵ ∼ N(0, ˆσ2Id) with","inline":true,"padRight":true},{"text":"different smoothing parameter ","element":"figcaption","subtype":"caption"},{"style":{"height":6.4},"width":31.36,"height":16,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/23-6.png","element":"img","alt":" σ.","inline":true}],[{"style":{"width":"58%"},"width":933,"height":1233,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/23-7.png","element":"img"}],[{"text":"Ape\" and “Siamang\" classes at the same time) would be violated. Such violation of the knowledge rules would discourage our pipeline to predicting “Siamang\" as what the attacker wants. However, the sensing-reasoning pipeline may not distinguish the “Orangutan\", “Gorilla\", and “Chimpanzee\" classes if the attacker fooled the “Gorilla\" sensing completely, which shows the limitation of such structural knowledge, and more knowledge would be required in this case to help improve the robustness.","element":"span"}],[{"style":{"fontWeight":"bold"},"text":"Evaluation Results. ","element":"span"},{"text":"We evaluate the robustness of the sensing-reasoning pipeline compared with the baseline which is consist of 25 randomized smoothed sensing models for each Primate categories (without knowledge). We evaluate the average certified robustness of both under benign and adversarial scenarios with different smoothing parameter ","element":"span"},{"style":{"height":16},"width":360.92,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/23-8.png","element":"img","alt":" ˆσ ∈ {0.12, 0.25, 0.50}","inline":true,"padRight":true},{"text":"and ","element":"span"},{"style":{"height":7.6},"width":32.6,"height":19,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/23-9.png","element":"img","alt":" ℓ2","inline":true,"padRight":true},{"text":"perturbation bound ","element":"span"},{"style":{"height":16},"width":225.86,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/23-10.png","element":"img","alt":"CI = {ˆσ, 2ˆσ}","inline":true},{"text":". The evaluation results are shown in Table ","element":"span"},{"href":"#id-77","text":"4 ","element":"a"},{"text":"and Table ","element":"span"},{"href":"#id-78","text":"3.","element":"a"}],[{"text":"First, we evaluate both the sensing-reasoning pipeline and the smoothed ML model with benign test data as shown in Table ","element":"span"},{"href":"#id-78","text":"3. ","element":"a"},{"text":"It is interesting that the sensing-reasoning pipeline with knowledge even outperforms the single model without knowledge about ","element":"span"},{"text":"0","element":"span"},{"style":{"fontStyle":"italic"},"text":".","element":"span"},{"text":"7% ","element":"span"},{"text":"over different randomized smoothing parameter ","element":"span"},{"style":{"height":6.8},"width":23,"height":17,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/23-11.png","element":"img","alt":" σ","inline":true},{"text":". It shows that even without attacks, the knowledge could help to improve the classification accuracy slightly, indicating that the domain knowledge integration can help relax the tradeoff between benign accuracy and robustness.","element":"span"}],[{"text":"Next, we evaluate the certified robustness of sensing-reasoning pipeline and the smoothed ML model considering different smoothing parameters ","element":"span"},{"style":{"height":16},"width":365.22,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/23-12.png","element":"img","alt":" ˆσ = {0.12, 0.25, 0.50}","inline":true,"padRight":true},{"text":"and the input perturbation bound ","element":"span"},{"style":{"height":16},"width":225.88,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/23-13.png","element":"img","alt":"CI = {ˆσ, 2ˆσ}","inline":true,"padRight":true},{"text":"in Table ","element":"span"},{"href":"#id-77","text":"4. ","element":"a"},{"text":"We can see that when the attack ratio of sensing models ","element":"span"},{"style":{"height":6.8},"width":26,"height":17,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/23-14.png","element":"img","alt":" α","inline":true,"padRight":true},{"text":"is small, both the Certified Robustness and Certified Ratio of sensing-reasoning pipeline are significantly higher","element":"span"}],[{"id":"id-79","style":{"width":"89%"},"width":1426,"height":551,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/24-0.png","element":"img"}],[{"text":"Figure 5: ","element":"figcaption","subtype":"caption"},{"style":{"fontWeight":"bold"},"text":"(PrimateNet) ","element":"figcaption","subtype":"caption"},{"text":"Histogram of the ","element":"figcaption","subtype":"caption"},{"style":{"fontWeight":"bold"},"text":"robustness margin ","element":"figcaption","subtype":"caption"},{"text":"(difference between the probability of the correct class (lower bound) and the top wrong class (upper bound)) under perturbation. If such a difference is positive, it means that the classifier makes the right prediction under perturbation. Evaluation is made under smoothing parameter ","element":"figcaption","subtype":"caption"},{"style":{"height":11.99},"width":256.24,"height":29.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/24-1.png","element":"img","alt":" σ = 0.25 with ℓ2","inline":true,"padRight":true},{"text":"perturbation scale ","element":"figcaption","subtype":"caption"},{"style":{"height":14.4},"width":210.25,"height":36,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/24-2.png","element":"img","alt":" CI = {σ, 2σ}","inline":true},{"text":". The ratio of the attacked sensors ","element":"figcaption","subtype":"caption"},{"style":{"height":13.2},"width":165.28,"height":33,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/24-3.png","element":"img","alt":" α equals to","inline":true,"padRight":true},{"text":"10%","element":"figcaption","subtype":"caption"},{"style":{"fontStyle":"italic"},"text":", ","element":"figcaption","subtype":"caption"},{"text":"20%","element":"figcaption","subtype":"caption"},{"style":{"fontStyle":"italic"},"text":", ","element":"figcaption","subtype":"caption"},{"text":"30%","element":"figcaption","subtype":"caption"},{"style":{"fontStyle":"italic"},"text":", ","element":"figcaption","subtype":"caption"},{"text":"50%","element":"figcaption","subtype":"caption"},{"text":".","element":"figcaption","subtype":"caption"}],[{"text":"than that of the baseline smoothed ML model. In the meantime, when the sensing attack ratio ","element":"span"},{"style":{"height":6.8},"width":26,"height":17,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/24-4.png","element":"img","alt":" α","inline":true,"padRight":true},{"text":"is large (e.g. ","element":"span"},{"text":"50%","element":"span"},{"text":") both the sensing-reasoning pipeline and baseline smoothed ML model obtain low Certified Robustness and Certified Ratio, and their performance gap becomes small.","element":"span"}],[{"text":"This is interesting and intuitive, since if a large percent of sensing models are attacked, such structurebased knowledge, for which the solution to a given regular expression is not unique, would have higher confidence to prefer the other (wrong) side of the prediction. As a result, it is interesting for future work to identify more “robust\" knowledge which is resilient against the large attack ratio of sensing models, in addition to the hierarchical structure knowledge.","element":"span"}],[{"text":"We also find that when ","element":"span"},{"style":{"height":16},"width":89.69,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/24-5.png","element":"img","alt":" CI/ˆσ","inline":true,"padRight":true},{"text":"is small (","element":"span"},{"style":{"height":13.19},"width":123,"height":32.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/24-6.png","element":"img","alt":"CI = ˆσ","inline":true},{"text":"), the model with knowledge can perform consistently better than the baseline ML models. When ","element":"span"},{"style":{"height":16},"width":89.69,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/24-7.png","element":"img","alt":" CI/ˆσ","inline":true,"padRight":true},{"text":"is large (","element":"span"},{"style":{"height":13.19},"width":142.82,"height":32.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/24-8.png","element":"img","alt":"CI = 2ˆσ","inline":true},{"text":"), the performance gap becomes even larger. This phenomenon indicates that sensing-reasoning pipeline could demonstrate its strength of robustness compared to the traditional smoothed DNN against an adversary with stronger ability.","element":"span"}],[{"text":"To further evaluate the strength of our certified robustness, we calculate the ","element":"span"},{"style":{"fontStyle":"italic"},"text":"robustness margin ","element":"span"},{"text":"— the difference between the lower bound of the true class probability and the upper bound of the top wrong class probability under different perturbation scales — to inspect the robustness certification (larger difference infer stronger certification). Figure ","element":"span"},{"href":"#id-79","text":"5 ","element":"a"},{"text":"shows the histogram of the robustness margin for the model with and without knowledge under smoothing parameter ","element":"span"},{"style":{"height":11.2},"width":148.26,"height":28,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/24-9.png","element":"img","alt":" ˆσ = 0.25","inline":true,"padRight":true},{"text":"and different perturbation scale ","element":"span"},{"style":{"height":13.19},"width":43.48,"height":32.97,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/24-10.png","element":"img","alt":" CI","inline":true},{"text":". We leave histogram figures under other ","element":"span"},{"style":{"height":6.8},"width":23,"height":17,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/24-11.png","element":"img","alt":" σ","inline":true,"padRight":true},{"text":"settings in Appendix.","element":"span"}],[{"text":"From Figure ","element":"span"},{"href":"#id-79","text":"5, ","element":"a"},{"text":"we can see that under different adversary scenarios, more instances could receive the positive margin (i.e correct prediction) with sensing-reasoning pipeline, which indicates its robustness. Moreover, we find that the sensing-reasoning pipeline could output a large margin value with high frequency under various attacks. That means, it can certify the robustness of the ground truth class with high confidence, which is challenging for current certified robustness approaches for single ML models.","element":"span"}],[{"text":"In addition, to evaluate the utility of different knowledge, we also develop sensing-reasoning pipeline by using only one type of knowledge (hierarchical or exclusive relationship only) and the results are shown in Appendix ","element":"span"},{"text":"I. ","element":"span"},{"text":"We observe that using partial knowledge, the robustness of sensing-reasoning pipeline would decrease compared with that using the full knowledge.","element":"span"}]]},{"heading":"G Image Classiﬁcation on Word50 Dataset","paragraphs":[[{"style":{"fontWeight":"bold"},"text":"Task and Dataset. ","element":"span"},{"text":"In addition, we also conduct experiments on Word50 dataset ","element":"span"},{"href":"#id-54","referenceIndex":6,"text":"[6]","element":"a"},{"text":", which is created by randomly selecting 50 words and each consisting of five characters. Here we only pick 10 words from it to reduce the computation complexity, and the goal is to classify these 10 words. All the character images are of size ","element":"span"},{"style":{"height":10.8},"width":133.86,"height":27,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/24-12.png","element":"img","alt":" 28 × 28","inline":true,"padRight":true},{"text":"and perturbed by scaling, rotation, and translation. The background of the characters is blurry by inserting different patches, which makes it a quite challenging task. For reference, Some word images sampled from the dataset are shown in Figure ","element":"span"},{"href":"#id-80","text":"6. ","element":"a"},{"text":"The interesting property of this dataset is that the character combination is given as the prior knowledge, which can be integrated into our sensing-reasoning pipeline. The training, validation, and test sets contain ","element":"span"},{"text":"2","element":"span"},{"style":{"fontStyle":"italic"},"text":", ","element":"span"},{"text":"049","element":"span"},{"text":", ","element":"span"},{"text":"408","element":"span"},{"text":", and ","element":"span"},{"text":"423 ","element":"span"},{"text":"variations of word styles respectively.","element":"span"}],[{"text":"Similar to the classification task on Road Sign dataset, we develop the following two types of knowledge rules as follows:","element":"span"}],[{"text":"• Deduction rules ","element":"span"},{"style":{"height":16},"width":241.99,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/25-0.png","element":"img","alt":" (u, vi): word u","inline":true,"padRight":true},{"text":"contains character ","element":"span"},{"style":{"height":13.59},"width":165.02,"height":33.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/25-1.png","element":"img","alt":" vi on the i","inline":true},{"text":"th position of the word.","element":"span"}],[{"text":"• Exclusion rules ","element":"span"},{"style":{"height":16},"width":117.87,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/25-2.png","element":"img","alt":" (ui, vi)","inline":true},{"text":": character ","element":"span"},{"style":{"height":9.19},"width":33.82,"height":22.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/25-3.png","element":"img","alt":" ui","inline":true,"padRight":true},{"text":"and character ","element":"span"},{"style":{"height":9.19},"width":30.32,"height":22.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/25-4.png","element":"img","alt":" vi","inline":true,"padRight":true},{"text":"are naturally exclusive on the ","element":"span"},{"style":{"fontStyle":"italic"},"text":"i","element":"span"},{"text":"th position of the word.","element":"span"}],[{"style":{"fontWeight":"bold"},"text":"Implementation details. ","element":"span"},{"text":"Multi-layer perceptrons (MLPs) are used as the main model architecture for the main task that the classification of the 10 words, which is the same to ","element":"span"},{"href":"#id-54","referenceIndex":6,"text":"[6]","element":"a"},{"text":", and the input is the concatenation of the images of 5 characters which consist of a full word. As for the extra knowledge, we train another five MLP models for the classification of the character on each position of the input word, then the corresponding output dimensions for each such character classifier is ","element":"span"},{"text":"26","element":"span"},{"text":". While during the inference, we will only pick the top2 of the output from each character classifier, so the final input dimension to the MLN is ","element":"span"},{"style":{"height":12.4},"width":267.81,"height":31,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/25-5.png","element":"img","alt":" 10 + 5 × 2 = 20","inline":true,"padRight":true},{"text":"dimensions. Thus, to keep the certification probability the same as the baseline, the ","element":"span"},{"style":{"height":14},"width":33.44,"height":35,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/25-6.png","element":"img","alt":" ζ0","inline":true,"padRight":true},{"text":"here will be set to ","element":"span"},{"style":{"height":18.18},"width":635.16,"height":45.46,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/25-7.png","element":"img","alt":" 1 − (1 − 0.001)(1/20) = 5.002 × 10−5.","inline":true}],[{"text":"For these sensing models, we adapt the randomized smoothing strategy ","element":"span"},{"href":"#id-14","referenceIndex":8,"text":"[8] ","element":"a"},{"text":"to give the certified robustness guarantee of their output confidence under the ","element":"span"},{"style":{"height":7.6},"width":32.61,"height":19,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/25-8.png","element":"img","alt":" ℓ2","inline":true},{"text":"-norm bounded perturbation. The ","element":"span"},{"style":{"height":9.19},"width":55.53,"height":22.97,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/25-9.png","element":"img","alt":"wH","inline":true,"padRight":true},{"text":"is set to ","element":"span"},{"text":"2 ","element":"span"},{"text":"for the deduction rules, and the corresponding ","element":"span"},{"style":{"height":14},"width":46.51,"height":35,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/25-10.png","element":"img","alt":" fH","inline":true,"padRight":true},{"text":"is the identity function; while for the exclusion rules, the ","element":"span"},{"style":{"height":9.19},"width":55.53,"height":22.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/25-11.png","element":"img","alt":" wH","inline":true,"padRight":true},{"text":"is set to ","element":"span"},{"style":{"height":7.2},"width":71,"height":18,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/25-12.png","element":"img","alt":" −∞","inline":true},{"text":", and the ","element":"span"},{"style":{"height":14},"width":46.51,"height":35,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/25-13.png","element":"img","alt":" fH","inline":true,"padRight":true},{"text":"here is the negation function, namely, ","element":"span"},{"style":{"height":16},"width":253.98,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/25-14.png","element":"img","alt":"fH(v) = 1 − v.","inline":true}],[{"style":{"fontWeight":"bold"},"text":"Knowledge. ","element":"span"},{"text":"We construct our first-order logical rules based on our predefined Deduction and Exclusion knowledge rules:","element":"span"}],[{"style":{"width":"92%"},"width":1471,"height":279,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/25-15.png","element":"img"}],[{"style":{"fontWeight":"bold"},"text":"Threat Model. ","element":"span"},{"text":"Same to the setting of the experiments on the Stop Sign dataset, here we consider a stronger attack scenario where the attacker can attack the main task model and all the attribute sensors with ","element":"span"},{"style":{"fontWeight":"bold"},"text":"different ","element":"span"},{"style":{"height":7.6},"width":32.6,"height":19,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/25-16.png","element":"img","alt":" ℓ2","inline":true},{"text":"-norm bounded perturbation ","element":"span"},{"style":{"height":16},"width":230.42,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/25-17.png","element":"img","alt":" δ : ||δ||2 < CI","inline":true,"padRight":true},{"text":"at the same time. Later on, we can see our sensing-reasoning pipeline could still achieve higher end-to-end certified robustness under even harder cases.","element":"span"}],[{"text":"Given the ","element":"span"},{"style":{"height":7.6},"width":32.6,"height":19,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/25-18.png","element":"img","alt":" ℓ2","inline":true},{"text":"-norm bound ","element":"span"},{"style":{"height":13.19},"width":43.48,"height":32.97,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/25-19.png","element":"img","alt":" CI","inline":true},{"text":", for each sensing model, we can bound its output probability ","element":"span"},{"style":{"height":10},"width":34.05,"height":25,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/25-20.png","element":"img","alt":" p′","inline":true,"padRight":true},{"text":"under such perturbation, given the original probability ","element":"span"},{"style":{"fontStyle":"italic"},"text":"p ","element":"span"},{"text":"and the certification smoothing parameter ","element":"span"},{"style":{"height":6.8},"width":23,"height":17,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/25-21.png","element":"img","alt":" σ","inline":true,"padRight":true},{"text":"according to Corollary 2 as below:","element":"span"}],[{"style":{"width":"48%"},"width":774,"height":45,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/25-22.png","element":"img"}],[{"style":{"fontWeight":"bold"},"text":"Evaluation Metrics. ","element":"span"},{"text":"We adopt the standard ","element":"span"},{"style":{"fontStyle":"italic"},"text":"certified accuracy ","element":"span"},{"text":"as our evaluation metric, defined by the percentage of instances that can be certified under any ","element":"span"},{"style":{"height":7.6},"width":32.6,"height":19,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/25-23.png","element":"img","alt":" ℓ2","inline":true},{"text":"-norm bounded perturbation ","element":"span"},{"style":{"height":16},"width":243.92,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/25-24.png","element":"img","alt":" δ : ||δ||2 < CI.","inline":true,"padRight":true},{"text":"Specifically, given the input ","element":"span"},{"style":{"fontStyle":"italic"},"text":"x ","element":"span"},{"text":"with ground-truth label ","element":"span"},{"style":{"fontStyle":"italic"},"text":"y","element":"span"},{"text":", we can certify the bound of confidence on predicting label ","element":"span"},{"style":{"fontStyle":"italic"},"text":"y ","element":"span"},{"text":"as ","element":"span"},{"text":"[","element":"span"},{"style":{"fontStyle":"italic"},"text":"L","element":"span"},{"style":{"fontStyle":"italic"},"text":", ","element":"span"},{"style":{"fontStyle":"italic"},"text":"U","element":"span"},{"text":"] ","element":"span"},{"text":"for either a vanilla randomize smoothing-based model or our sensing-reasoning pipeline. After that, the certified accuracy can be defined by: ","element":"span"},{"style":{"height":21.43},"width":462.79,"height":53.59,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/25-25.png","element":"img","alt":"1N�Ni=1 I([Li > 0.5]) where","inline":true},{"style":{"height":19.94},"width":61.05,"height":49.85,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/25-26.png","element":"img","alt":"I(·)","inline":true,"padRight":true},{"text":"denotes the indicator function.","element":"span"}],[{"style":{"fontWeight":"bold"},"text":"Intuitive Example. ","element":"span"},{"text":"To make the example more clear, here we use ","element":"span"},{"style":{"fontStyle":"italic"},"text":"pos","element":"span"},{"text":"(","element":"span"},{"style":{"fontStyle":"italic"},"text":"’a’","element":"span"},{"text":", i) to represent that the character ","element":"span"},{"style":{"fontStyle":"italic"},"text":"’a’ ","element":"span"},{"text":"is in the i","element":"span"},{"style":{"fontStyle":"italic"},"text":"th ","element":"span"},{"text":"position of the word. Then during the inference, given an input word image, we assume the top2 characters returned from the character classifiers for each position is ","element":"span"},{"style":{"fontStyle":"italic"},"text":"’s,m’","element":"span"},{"text":", ","element":"span"},{"style":{"fontStyle":"italic"},"text":"’n,b’","element":"span"},{"text":", ","element":"span"},{"style":{"fontStyle":"italic"},"text":"’a,o’","element":"span"},{"text":", ","element":"span"},{"style":{"fontStyle":"italic"},"text":"’q,a’","element":"span"},{"text":", ","element":"span"},{"style":{"fontStyle":"italic"},"text":"’k,c’","element":"span"},{"text":", which are shown in the order of the position. Now, for word ","element":"span"},{"style":{"fontStyle":"italic"},"text":"’snack’","element":"span"},{"text":", the corresponding first-order logical form of its deduction rules would be ","element":"span"},{"style":{"fontStyle":"italic"},"text":"’snack’ ","element":"span"},{"style":{"height":8.8},"width":64.36,"height":22,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/25-27.png","element":"img","alt":" =⇒","inline":true,"padRight":true},{"style":{"fontStyle":"italic"},"text":"pos","element":"span"},{"text":"(","element":"span"},{"style":{"fontStyle":"italic"},"text":"’s’","element":"span"},{"text":", ","element":"span"},{"text":"1","element":"span"},{"text":"), ","element":"span"},{"style":{"fontStyle":"italic"},"text":"’snack’ ","element":"span"},{"style":{"height":8.8},"width":64.35,"height":22,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/25-28.png","element":"img","alt":" =⇒","inline":true,"padRight":true},{"style":{"fontStyle":"italic"},"text":"pos","element":"span"},{"text":"(","element":"span"},{"style":{"fontStyle":"italic"},"text":"’n’","element":"span"},{"text":", ","element":"span"},{"text":"2","element":"span"},{"text":"), ","element":"span"},{"style":{"fontStyle":"italic"},"text":"’snack’ ","element":"span"},{"style":{"height":8.8},"width":64.35,"height":22,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/25-29.png","element":"img","alt":" =⇒","inline":true,"padRight":true},{"style":{"fontStyle":"italic"},"text":"pos","element":"span"},{"text":"(","element":"span"},{"style":{"fontStyle":"italic"},"text":"’a’","element":"span"},{"text":", ","element":"span"},{"text":"3","element":"span"},{"text":") and ","element":"span"},{"style":{"fontStyle":"italic"},"text":"’snack’ ","element":"span"},{"style":{"height":8.8},"width":64.36,"height":22,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/25-30.png","element":"img","alt":" =⇒","inline":true,"padRight":true},{"style":{"fontStyle":"italic"},"text":"pos","element":"span"},{"text":"(","element":"span"},{"style":{"fontStyle":"italic"},"text":"’k’","element":"span"},{"text":", ","element":"span"},{"text":"5","element":"span"},{"text":"); while for other","element":"span"}],[{"id":"id-81","text":"Table 5: Certified accuracy under different per- ","element":"figcaption","subtype":"caption"},{"text":"turbation magnitude ","element":"figcaption","subtype":"caption"},{"style":{"height":13.19},"width":43.48,"height":32.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/26-0.png","element":"img","alt":" CI","inline":true,"padRight":true},{"text":"on Word10 dataset. The sensing models are smoothed with Gaussian noise ","element":"figcaption","subtype":"caption"},{"style":{"height":17.39},"width":258.12,"height":43.46,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/26-1.png","element":"img","alt":"ϵ ∼ N(0, ˆσ2Id)","inline":true,"padRight":true},{"text":"with different smoothing parameter ","element":"figcaption","subtype":"caption"},{"style":{"height":10.8},"width":23,"height":27,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/26-2.png","element":"img","alt":" ˆσ","inline":true},{"text":". Rows with ","element":"figcaption","subtype":"caption"},{"style":{"height":7.6},"width":20,"height":19,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/26-3.png","element":"img","alt":" ∗","inline":true,"padRight":true},{"text":"denote the best certified accuracy among all the ","element":"figcaption","subtype":"caption"},{"style":{"height":16},"width":360.8,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/26-4.png","element":"img","alt":" ˆσ ∈ {0.12, 0.25, 0.50}","inline":true},{"text":". (All certificates holds with 99.9% confidence)","element":"figcaption","subtype":"caption"}],[{"style":{"width":"94%"},"width":1504,"height":150,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/26-5.png","element":"img"}],[{"id":"id-80","text":"Figure 6: Several word images sampled from ","element":"figcaption","subtype":"caption"},{"text":"Word50 dataset.","element":"figcaption","subtype":"caption"}],[{"text":"words like ","element":"span"},{"style":{"fontStyle":"italic"},"text":"’macaw’","element":"span"},{"text":", the corresponding rules would be ","element":"span"},{"style":{"fontStyle":"italic"},"text":"’macaw’ ","element":"span"},{"style":{"height":14},"width":558.59,"height":35,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/26-6.png","element":"img","alt":" =⇒ pos(’m’, 1) and ’macaw’ =⇒","inline":true,"padRight":true},{"style":{"fontStyle":"italic"},"text":"pos","element":"span"},{"text":"(","element":"span"},{"style":{"fontStyle":"italic"},"text":"’a’","element":"span"},{"text":", ","element":"span"},{"text":"4","element":"span"},{"text":"). Notice, if the character of the specific word is not shown in the top2 returned characters of its corresponding position, then there will be no deduction rule built for this word and this character. At the meantime, when we consider the possible worlds that satisfy ","element":"span"},{"style":{"height":17.68},"width":512.2,"height":44.2,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/26-7.png","element":"img","alt":" σ(xsnack) ∧ σ(vpos(’q’,4) = 1, we","inline":true,"padRight":true},{"text":"will still consider it as a violation of the exclusive rules. In other words, even if the character ","element":"span"},{"style":{"fontStyle":"italic"},"text":"’c’ ","element":"span"},{"text":"is not shown in the top2 characters returned from the knowledge classifier in fourth position and thus we do not build the deduction rule ","element":"span"},{"style":{"fontStyle":"italic"},"text":"’snack’ ","element":"span"},{"style":{"height":14.4},"width":237.58,"height":36,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/26-8.png","element":"img","alt":" =⇒ pos(’c’, 4","inline":true},{"text":") explicitly at this time as said above, this rule is still assumed to be true underlyingly.","element":"span"}],[{"style":{"fontWeight":"bold"},"text":"Evaluation Results. ","element":"span"},{"text":"We evaluate the robustness of the sensing-reasoning pipeline and compare it to the baseline as a vanilla randomized smoothed main task model (without knowledge). We train our models under different smoothing parameters ","element":"span"},{"style":{"height":16},"width":377.66,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/26-9.png","element":"img","alt":" ˆσ = {0.12, 0.25, 0.50}","inline":true,"padRight":true},{"text":"and evaluate our sensing-reasoning pipeline under various ","element":"span"},{"style":{"height":7.6},"width":32.6,"height":19,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/26-10.png","element":"img","alt":" ℓ2","inline":true,"padRight":true},{"text":"perturbation magnitude ","element":"span"},{"style":{"height":16},"width":476.45,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/26-11.png","element":"img","alt":" CI = {0.12, 0.25, 0.50, 1.00}","inline":true},{"text":". Results are show in Table ","element":"span"},{"href":"#id-81","text":"5, ","element":"a"},{"text":"and as we can see, with extra knowledge, the performance is improved tremendously which strongly demonstrates the potential of the sensing-reasoning pipeline.","element":"span"}]]},{"heading":"H Image Classiﬁcation with Constructed Knowledge Rules","paragraphs":[[{"text":"For natural image datasets with no apparent knowledge rules, we can still apply our sensing-reasoning pipeline based on some generated simple knowledge rules such as redundancy rules. For instance, we test on MNIST and CIFAR10 dataset by constructing basic rules as follows: for MNIST, we construct five pseudo attributes and randomly assign them to four different digits, so that each digit will exactly contain two pseudo attributes; for CIFAR10, we randomly generate ten pseudo attributes, and each pseudo attribute will be randomly assigned to 3 to 7 different categories. We build the indication rules between each pseudo attribute and its corresponding digits, and the exclusion rules between different digit classes.","element":"span"}],[{"text":"During the training, we adopt the SOTA Consistency training ","element":"span"},{"href":"#id-82","referenceIndex":19,"text":"[19] ","element":"a"},{"text":"as our sensing model training method, and build our sensing-reasoning pipeline on top of these pretrained sensing models.","element":"span"}],[{"text":"From the results shown in Table ","element":"span"},{"href":"#id-83","text":"6 ","element":"a"},{"text":"and Table ","element":"span"},{"href":"#id-84","text":"7, ","element":"a"},{"text":"we can see that the sensing-reasoning pipeline beats the SOTA baselines in terms of the certified robustness even with the simple and generated knowledge rules. Generally, we should expect higher certified robustness by integrating with natural and meaningful knowledge rules (e.g., road sign classification and information extraction tasks as shown in our paper).","element":"span"}],[{"id":"id-83","text":"Table 6: (","element":"figcaption","subtype":"caption"},{"style":{"fontWeight":"bold"},"text":"MNIST","element":"figcaption","subtype":"caption"},{"text":") ","element":"figcaption","subtype":"caption"},{"style":{"fontStyle":"italic"},"text":"Certified accuracy ","element":"figcaption","subtype":"caption"},{"text":"under different input perturbation magnitudes (","element":"figcaption","subtype":"caption"},{"style":{"height":14},"width":70.04,"height":35,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/26-12.png","element":"img","alt":"CI).","inline":true}],[{"style":{"width":"99%"},"width":1572,"height":85,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/26-13.png","element":"img"}],[{"id":"id-84","text":"Table 7: (","element":"figcaption","subtype":"caption"},{"style":{"fontWeight":"bold"},"text":"CIFAR10","element":"figcaption","subtype":"caption"},{"text":") ","element":"figcaption","subtype":"caption"},{"style":{"fontStyle":"italic"},"text":"Certified accuracy ","element":"figcaption","subtype":"caption"},{"text":"under different input perturbation magnitudes (","element":"figcaption","subtype":"caption"},{"style":{"height":14},"width":70.04,"height":35,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/27-0.png","element":"img","alt":"CI).","inline":true}],[{"style":{"width":"99%"},"width":1572,"height":85,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/27-1.png","element":"img"}]]},{"heading":"I Ablation Study on Partial Knowledge Enrichment.","paragraphs":[[{"text":"In PrimateNet experiments, we also investigate how Hierarchy knowledge and Exclusive knowledge would affect the ","element":"span"},{"style":{"fontStyle":"italic"},"text":"End-to-end ","element":"span"},{"text":"robustness of our sensing-reasoning pipeline individually. We compare the certified robustness and certified ratio of our sensing-reasoning pipeline enriched by {No knowledge; Hierarchy knowledge only; Exclusive knowledge only; Hierarchy + Exclusive knowledge} and the results are shown in Table ","element":"span"},{"href":"#id-85","text":"8 ","element":"a"},{"text":"and ","element":"span"},{"href":"#id-86","text":"9.","element":"a"}],[{"text":"From the results, we can see while partial knowledge enrichment would lead to fragile robustness under severe scenarios (","element":"span"},{"style":{"height":11.2},"width":147.59,"height":28,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/27-2.png","element":"img","alt":"α = 0.5","inline":true},{"text":"), complete knowledge enrichment could achieve much better robustness compared to sensing-reasoning pipeline without knowledge enrichment. This indicates that incomplete (or weak) knowledge, which is easy to break and hard to recover under severe adversarial scenarios, could even harm the robustness of our sensing-reasoning pipeline. How to explore good and robust knowledge to enrich our sensing-reasoning pipeline could be our interesting future direction.","element":"span"}],[{"id":"id-85","text":"Table 8: ","element":"figcaption","subtype":"caption"},{"style":{"fontWeight":"bold"},"text":"Certified Robustness ","element":"figcaption","subtype":"caption"},{"text":"with different perturbation magnitude ","element":"figcaption","subtype":"caption"},{"style":{"height":11.59},"width":40.31,"height":28.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/27-3.png","element":"img","alt":" CI","inline":true,"padRight":true},{"text":"and sensing model attack ratio ","element":"figcaption","subtype":"caption"},{"style":{"height":6.4},"width":68.62,"height":16,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/27-4.png","element":"img","alt":" α on","inline":true,"padRight":true},{"text":"PrimateNet. The sensing models are smoothed with Gaussian noise ","element":"figcaption","subtype":"caption"},{"style":{"height":16.09},"width":235.18,"height":40.24,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/27-5.png","element":"img","alt":" ϵ ∼ N(0, ˆσ2Id)","inline":true,"padRight":true},{"text":"with different smoothing parameter ","element":"figcaption","subtype":"caption"},{"style":{"height":9.6},"width":111.24,"height":24,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/27-6.png","element":"img","alt":" σ. Here","inline":true,"padRight":true},{"style":{"fontWeight":"bold"},"text":"“Hierarchy.” ","element":"figcaption","subtype":"caption"},{"text":"refers to the sensing-reasoning pipeline enriched by hierarchy knowledge only while ","element":"figcaption","subtype":"caption"},{"style":{"fontWeight":"bold"},"text":"“Exclusive.” ","element":"figcaption","subtype":"caption"},{"text":"the exclusive knowledge only. ","element":"figcaption","subtype":"caption"},{"style":{"fontWeight":"bold"},"text":"“Combined.” ","element":"figcaption","subtype":"caption"},{"text":"shows the sensing-reasoning pipeline enriched by both domain knowledge.","element":"figcaption","subtype":"caption"}],[{"style":{"width":"61%"},"width":982,"height":1281,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/27-7.png","element":"img"}]]},{"heading":"J Reasoning Component as Bayesian Networks","paragraphs":[[{"text":"A Bayesian network (BN) is a probabilistic graphical model that represents a set of variables and their conditional dependencies with a directed acyclic graph. Let us first consider a Bayesian Network with tree structures, the probability of a random variable being 1 is given by","element":"span"}],[{"style":{"width":"64%"},"width":1025,"height":89,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/28-0.png","element":"img"}],[{"text":"In the following subsections, we will prove a hardness result of checking robustness in general MLN and BNs and use the above definition to construct an efficient procedure to certify robustness for binary tree BNs.","element":"span"}],[{"style":{"fontWeight":"bold"},"text":"J.1 ","element":"span"},{"style":{"fontWeight":"bold"},"text":"Hardness of Certifying Bayesian Networks","element":"span"}],[{"text":"Analogously with the above reasoning, we can also state the general hardness result for deciding the robustness of BNs:","element":"span"}],[{"id":"id-87","style":{"fontWeight":"bold"},"text":"Theorem 3 ","element":"span"},{"text":"(BN hardness)","element":"span"},{"style":{"fontWeight":"bold"},"text":". ","element":"span"},{"style":{"fontStyle":"italic"},"text":"Given a Bayesian network with a set of parameters ","element":"span"},{"style":{"height":16},"width":73.24,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/28-1.png","element":"img","alt":" {pi}","inline":true},{"style":{"fontStyle":"italic"},"text":", a set of perturbation parameters ","element":"span"},{"style":{"height":16},"width":69.37,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/28-2.png","element":"img","alt":" {ϵi}","inline":true,"padRight":true},{"style":{"fontStyle":"italic"},"text":"and threshold ","element":"span"},{"style":{"height":11.6},"width":19,"height":29,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/28-3.png","element":"img","alt":" δ","inline":true},{"style":{"fontStyle":"italic"},"text":", deciding whether","element":"span"}],[{"style":{"width":"49%"},"width":781,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/28-4.png","element":"img"}],[{"style":{"fontStyle":"italic"},"text":"is at least as hard as estimating ","element":"span"},{"style":{"height":16},"width":412.39,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/28-5.png","element":"img","alt":" Pr [X = 1; {pi}] up to εc","inline":true,"padRight":true},{"style":{"fontStyle":"italic"},"text":"multiplicative error, with ","element":"span"},{"style":{"height":16},"width":189.89,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/28-6.png","element":"img","alt":" ϵi = O(εc).","inline":true}],[{"id":"id-86","text":"Table 9: ","element":"figcaption","subtype":"caption"},{"style":{"fontWeight":"bold"},"text":"Certified Ratio ","element":"figcaption","subtype":"caption"},{"text":"with different perturbation magnitude ","element":"figcaption","subtype":"caption"},{"style":{"height":11.6},"width":40.31,"height":28.99,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/28-7.png","element":"img","alt":" CI","inline":true,"padRight":true},{"text":"and sensing model attack ratio ","element":"figcaption","subtype":"caption"},{"style":{"height":6.4},"width":73.25,"height":16,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/28-8.png","element":"img","alt":" α on","inline":true,"padRight":true},{"text":"PrimateNet. The sensing models are smoothed with Gaussian noise ","element":"figcaption","subtype":"caption"},{"style":{"height":16.09},"width":235.18,"height":40.24,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/28-9.png","element":"img","alt":" ϵ ∼ N(0, ˆσ2Id)","inline":true,"padRight":true},{"text":"with different smoothing parameter ","element":"figcaption","subtype":"caption"},{"style":{"height":9.6},"width":111.24,"height":24,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/28-10.png","element":"img","alt":" σ. Here","inline":true,"padRight":true},{"style":{"fontWeight":"bold"},"text":"“Hierarchy.” ","element":"figcaption","subtype":"caption"},{"text":"refers to the sensing-reasoning pipeline enriched by hierarchy knowledge only while ","element":"figcaption","subtype":"caption"},{"style":{"fontWeight":"bold"},"text":"“Exclusive.” ","element":"figcaption","subtype":"caption"},{"text":"the exclusive knowledge only. ","element":"figcaption","subtype":"caption"},{"style":{"fontWeight":"bold"},"text":"“Combined.” ","element":"figcaption","subtype":"caption"},{"text":"shows the sensing-reasoning pipeline enriched by both domain knowledge.","element":"figcaption","subtype":"caption"}],[{"style":{"width":"61%"},"width":982,"height":1280,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/28-11.png","element":"img"}],[{"style":{"fontStyle":"italic"},"text":"Proof. ","element":"span"},{"text":"Let ","element":"span"},{"style":{"height":16},"width":448.79,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/29-0.png","element":"img","alt":" α = [pi], Q(σ) = X and πα","inline":true,"padRight":true},{"text":"defined by the the probability distribution of a target random variable. Since ","element":"span"},{"style":{"height":16},"width":182.68,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/29-1.png","element":"img","alt":" X ∈ {0, 1}","inline":true},{"text":", we have ","element":"span"},{"style":{"height":16},"width":590.98,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/29-2.png","element":"img","alt":" E[σ ∼ πα]Q(σ) = Pr [X = 1; {pi}]","inline":true},{"text":". The proof then follows analogously from Theorem ","element":"span"},{"href":"#id-45","text":"1.","element":"a"}],[{"text":"Based on the hardness analysis of the reasoning robustness, we can see that it is challenging to directly certify the robustness of the reasoning component. However, just as we can approximately certify the robustness of single ML models ","element":"span"},{"href":"#id-16","referenceIndex":25,"text":"[25]","element":"a"},{"text":", in the next section, we will present and discuss how to approximately certify the robustness of the reasoning component, and we show that for some structures such as BN trees, the certification could even be tight.","element":"span"}],[{"style":{"fontWeight":"bold"},"text":"J.2 ","element":"span"},{"style":{"fontWeight":"bold"},"text":"Certifying Bayesian Networks","element":"span"}],[{"text":"Apart from MLNs, we also aim to reason about the robustness for Bayesian networks with binary tree structures, and derive an efficient algorithm to provide the ","element":"span"},{"style":{"fontStyle":"italic"},"text":"tight ","element":"span"},{"text":"upper and lower bounds of reasoning robustness. Concretely, we introduce the set of perturbation ","element":"span"},{"style":{"height":16},"width":201.74,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/29-3.png","element":"img","alt":" {ϵi} on {pi}","inline":true,"padRight":true},{"text":"and consider the maximum resultant probability:","element":"span"}],[{"style":{"width":"91%"},"width":1456,"height":598,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/29-4.png","element":"img"}],[{"text":"In the above we have isolated the last variable in the expression. Without additional structure, the above optimisation over perturbation is hard as stated in Theorem ","element":"span"},{"href":"#id-87","text":"3. ","element":"a"},{"text":"However, if additionally we require the Bayesian network to be binary trees, we show that the optimisation over perturbation and the checking of robustness of the model is trackable. We summarise the procedure for checking robustness of binary tree structured BNs in the following theorem with the proof.","element":"span"}],[{"id":"id-88","style":{"fontWeight":"bold"},"text":"Lemma J.1 ","element":"span"},{"text":"(Binary BN Robustness)","element":"span"},{"style":{"fontWeight":"bold"},"text":". ","element":"span"},{"style":{"fontStyle":"italic"},"text":"Given a Bayesian network with binary tree structure, and the set of parameters ","element":"span"},{"style":{"height":16},"width":73.24,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/29-5.png","element":"img","alt":" {pi}","inline":true},{"style":{"fontStyle":"italic"},"text":", the probability of a variable ","element":"span"},{"style":{"fontStyle":"italic"},"text":"X ","element":"span"},{"text":"= 1","element":"span"},{"style":{"fontStyle":"italic"},"text":",","element":"span"}],[{"style":{"width":"58%"},"width":924,"height":90,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/29-6.png","element":"img"}],[{"style":{"fontStyle":"italic"},"text":"is ","element":"span"},{"style":{"height":13.99},"width":31.71,"height":34.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/29-7.png","element":"img","alt":" δb","inline":true},{"style":{"fontStyle":"italic"},"text":"-robust, where","element":"span"}],[{"style":{"width":"78%"},"width":1247,"height":313,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/29-8.png","element":"img"}],[{"style":{"fontStyle":"italic"},"text":"Where ","element":"span"},{"style":{"height":16},"width":774.37,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/29-9.png","element":"img","alt":" A0 = P(1|0, 0), A1 = P(1|0, 1) − P(1|0, 0)","inline":true,"padRight":true},{"style":{"fontStyle":"italic"},"text":"and ","element":"span"},{"style":{"height":16},"width":477.65,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/29-10.png","element":"img","alt":" A2 = P(1|1, 1) − P(1|0, 1)","inline":true,"padRight":true},{"style":{"fontStyle":"italic"},"text":"are all pre-computable constants given the parameters of the Bayesian network.","element":"span"}],[{"style":{"fontWeight":"bold"},"text":"Proof of Lemma ","element":"span"},{"href":"#id-88","style":{"fontWeight":"bold"},"text":"J.1","element":"a"}],[{"style":{"fontStyle":"italic"},"text":"Proof. ","element":"span"},{"text":"We explicitly write out the probability subject to perturbation,","element":"span"}],[{"style":{"width":"87%"},"width":1384,"height":971,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/30-0.png","element":"img"}],[{"text":"It follows that the robustness problem boils down to finding the maximum and minimum of ","element":"span"},{"style":{"fontStyle":"italic"},"text":"F ","element":"span"},{"text":"= ","element":"span"},{"style":{"height":16},"width":922.45,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/30-1.png","element":"img","alt":"A0 + A1y2 + A1y1 + (A2 − A1)y1y2, with yi = pi + ϵi.","inline":true}],[{"text":"Specifically, in order to compute ","element":"span"},{"style":{"height":13.59},"width":253.9,"height":33.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/30-2.png","element":"img","alt":" Fmax and Fmin","inline":true},{"text":", we take partial derivatives of F:","element":"span"}],[{"style":{"width":"99%"},"width":1583,"height":594,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2003.00120/images/30-3.png","element":"img"}],[{"text":"Having shown the robustness of probability of one node in the Bayesian network, the robustness of the whole network can be computed recursively from the bottom to the top.","element":"span"}]]}],"_version":"3.3.4"},"paperNode":"$25:props:children:props:children:0:props:product"}]]