Given extensive studies on adversarial attacks against ML models recently [3, 13, 39, 24, 65, 23, 54], building models that are robust against such attacks is an important and emerging topic. Thus, a plethora of empirical defenses have been proposed to improve the ML robustness [30, 60, 22, 44, 54, 53]; however, most of these are attacked again by stronger adaptive attacks [3, 1, 47]. To end such repeated security cat-and-mouse games, there is a line of research focusing on developing certified defenses for DNNs under certain adversarial constraints [8, 26, 25, 55, 28, 62, 27, 61, 59].
Though promising, existing certified defenses are restricted to certifying the model robustness within a limited norm bounded perturbation radius [57, 8]. One potential reason for such limitations for existing robust learning approaches is inherent in the fact that most of them have been treating machine learning as a “pure data-driven" technique that solely depends on a given training set, without interacting with the rich exogenous information such as domain knowledge (e.g., a stop sign should be of the octagon shape); while we know human, who has knowledge and inference abilities, is resilient to such attacks. Indeed, a recent seminal work [17] illustrates that integrating knowledge rules can significantly improve the empirical robustness of ML models, while leaving the certified robustness completely unexplored.
In this paper, we follow this promising Learning+Reasoning paradigm [17] and conduct, to our best knowledge, the first study on certified robustness for it. Actually, such a Learning+Reasoning paradigm has enabled a diverse range of applications [38, 63, 2, 37, 32, 56, 17, 43] including the ECCV’14 best paper [10] that encodes label relationships as a probabilistic graphical model and improves the empirical performance of deep neural networks on ImageNet. In this work, we first provide a concrete Sensing-reasoning pipeline following such paradigm to integrate statistical learning with logical reasoning as illustrated in Figure 1. In particular, the Sensing Component contains a set of statistical ML models such as deep neural networks (DNNs) that output their predictions as a set of Boolean random variables; and the Reasoning Component takes this set of Boolean random variables as inputs for logical inference models such as Markov logic networks (MLN) [40] or Bayesian networks (BN) [36] to produce the final output. We then prove the hardness of certifying the robustness of such a pipeline with MLN for reasoning. Finally, we provide an algorithm to certify the robustness of sensing-reasoning pipeline and we evaluate it on five datasets including both image and text data.
Figure 1: The sensing-reasoning pipeline, i.e., a sensing component consists of DNNs and a reasoning component is constructed as MLN. The goal of this paper is to provide certified robustness for such a pipeline, espe-
Compared with previous efforts focusing on certified robustness of neural networks, the reasoning component brings its own challenges and opportunities. Different from a neural network whose inference can be executed in polynomial time, many reasoning models such as MLN can be #P-complete for inference. However, as many reasoning models define a probability distribution in the exponential family, we have more functional structures that could potentially make the robustness optimization (which essentially solves a min-max problem) easier. In this paper, we provide the first treatment to this problem characterized by these unique challenges and opportunities.
We focus on MLN as the reasoning component, and explored three technical questions, each of which corresponds to a technical contribution of this work.
1. Is certifying robustness for the reasoning component feasible when the inference of the reasoning component is #P-hard? (Section 3) Before any concrete algorithm can be proposed, it is important to understand the computational complexity of the robustness certification. We first prove that the famous problem of counting in statistical inference [50] can be reduced to the problem of checking the certified robustness of general reasoning components and MLN. Therefore, checking certified robustness is no easier than counting on the same family of distribution. In other words, when the reasoning component is a graphical model such as MLN, checking certified robustness is no easier than calculating the partition function of the underlying graphical model, which is #P-hard.
2. Can we efficiently reason about the certified robustness for the reasoning component when given an oracle for statistical inference? (Section 4.2) Given the above hardness result, we focus on certifying the robustness given an inference oracle. However, even when statistical inference can be done by a given oracle [21, 18], it is still challenging to certify the robustness of MLN. Our second technical contribution is to develop such an algorithm for MLN as the reasoning component. We prove that providing certified robustness for MLN is possible because of the structure inherent in the probabilistic graphical models and distributions in the exponential family, which could lead to monotonicity and convexity properties under certain conditions for solving the certification optimization.
3. Can a reasoning component improve the certified robustness compared with the state-of-the-art certification methods? (Section 5) We test our algorithms on multiple sensing-reasoning pipelines, in which the sensing components contain the state-of-the-art deep neural networks. We construct these pipelines to cover a range of applications including image classification and natural language processing tasks. We show that based on our certification method on the reasoning component, the knowledge-enriched sensing-reasoning pipelines achieves significantly higher certified robustness than the state-of-the-art certification methods for DNNs.
The rest of the paper is organized as follows. We will first introduce the design of the sensing-reasoning pipeline in Section 2.1, followed by concrete illustrations taking the Markov Logic Networks as an example of the reasoning component in Section 2.2. Next, to certify the robustness of the sensing-reasoning pipeline, especially for the reasoning component, we first prove that certifying the robustness of the reasoning component itself is #P-complete (Section 3), and therefore we propose a certification algorithm to upper/lower bound the certification in Section 4, We provide the evaluation of our robustness certification considering different tasks in Section 5.
In this section, we first provide a sensing-reasoning pipeline and then formally defined its certified robustness, and particularly links it to certifying the robustness for the reasoning component.
2.1 Sensing-Reasoning Pipeline
Figure 2: A sensing-reasoning pipeline with MLN as
A sensing-reasoning pipeline contains a set of n sensors and a reasoning component R. Each sensor is a binary classifier (for multi-class classifier it corresponds to a group of sensors) — given an input data example X, each of the sensor
outputs a probability
neural network,
represents its output after the final softmax layer). The reasoning component takes the outputs of all sensing models as its inputs, and outputs a new Boolean random
variable
One natural choice of the reasoning component is to use a probabilistic graphical model (PGM). In the following subsection, we will make the reasoning component R more concrete by instantiating it as a Markov logic network (MLN). The output of a sensing-reasoning pipeline on the input data example X is the expectation of the output of reasoning component Example. A sensing-reasoning pipeline provides a generic, principled way of integrating domain knowledge with the output of statistical predictive models such as neural networks. One such example is [10] the task of ImageNet classification. Here each sensing model corresponds to the classifier for one specific class in ImageNet, e.g.,
and
. The reasoning component then encodes domain knowledge such that “If an image is classified as a dog then it must also be classified as an animal” using a PGM. There is no prior work considering the certified robustness of such a knowledge-enabled ML pipeline. Figure 2 illustrates a concrete sensing-reasoning pipeline, in which the reasoning component is implemented as an MLN.
2.2 Reasoning Component as Markov Logic Networks
Given the generic definition of a sensing-reasoning pipeline, one can use different models to implement the reasoning components. In this paper, we focus on Markov logic networks (MLN), which is a popular way to define a probabilistic graphical model using first-order logic [41]. Concretely, we define the reasoning component implemented as an MLN, which contains a set of weighted first-order logic rules, as illustrated in Figure 2(b). After grounding, an MLN defines a joint probabilistic distribution among a collection of random variables, as illustrated in Figure 2(c). We adapt the standard MLN semantics to a sensing-reasoning pipeline and use a slightly more general variant compared with the original MLN [41]. Each MLN program corresponds to a factor graph — Due to the space limitation, we will not discuss the grounding part and point the readers to [41]. We focus on defining the result after grounding, i.e., the factor graph.
Specifically, a grounded MLN is a factor graph G = (V, F), where V is a set of Boolean random variables. Specific to a sensing-reasoning pipeline, there are two types of random variables
1. Interface Variables Each sensing model
corresponds to one interface variable
in the grounded factor graph;
2. Interior variables are other variables introduced by the MLN model.
Each factor contains a weight
and a factor function
defined over a subset of variables
. There are two sets of factors
1. Interface Factors G: For each interface variable , we create one interface factor
weight
and factor function
defined over
2. Interior Factors H are other factors introduced by the MLN program.
Remarks: MLN-specific Structure. Our result applies to a more general family of factor graphs and are not necessarily specific to those grounded by MLN. Moreover, MLN provides an intuitive way of grounding such a factor graph with domain knowledge, and factor graphs grounded by MLN have certain properties that we will use later, e.g., all factors only return non-negative values, and there are no unusual weight sharing structures.
The above factor graph defines a joint probability distribution among all variables V. We define a possible world as a function that corresponds to one possible assignment of values to each random variable. Let
denote the set of all (exponentially many) possible worlds.
The statistical inference process of a reasoning component implemented using MLNs [41] computes the marginal probability of a given variable
where the partition functions are defined as
Why When the MLN does not introduce any interior variables and
interior factors, it is easy to see that setting ensures that the marginal probability of each interface variable equals to the output of the original sensing model
means that if we do not have additional knowledge in the reasoning component, the pipeline outputs the same distribution as the original sensing component.
Learning Weights for Interior Factors? In this paper, we view all weights for interior factors as
hyperparameters. These weights can be learned by maximizing the likelihood with weight learning algorithms for MLNs [29].
Beyond Marginal Probability for a Single Variable. We have assumed that the output of a sensing-
reasoning pipeline is the marginal probability distribution of a given random variable in the grounded factor graph. However, our result can be more general — given a function over possible worlds and outputs {0, 1}, the output of a pipeline can be the marginal probability of such a function. This will not change the algorithm that we propose later.
Given a reasoning component R, how hard is it to reason about its robustness? In this section, we aim at understanding this fundamental question. In order to provide the certified robustness of the reasoning component, which is defined as the lower bound of model predictions for inputs considering an adversarial perturbation with bounded magnitude [8], we need to analyze the hardness of this certification problem first. Specifically, we present the hardness results of determining the robustness of the reasoning component defined above, before we can provide our certification algorithm in Section 4.2. We start by defining the counting [50] and robustness problems on general distribution. We prove that counting can be reduced to checking for reasoning robustness, and hence the latter is at least as hard; We then prove the complexities of reasoning with MLN.
3.1 Harness of Certifying General Reasoning Model
Let be a set of variables. Let
be a distribution over
defined by a set of parameters
, where D is the domain of variables, either discrete or continuous, and P is the domain of parameters. We call
accessible if for any
, where
is a polynomial-time computable function. We will restrict our attention to accessible distributions only. We use
to denote a Boolean query, which is a polynomial-time computable function. We define the following two oracles:
Definition 1 (COUNTING). Given input polynomial-time computable weight function function
, parameters
, a real number
oracle outputs a real number Z that
Definition 2 (ROBUSTNESS). Given input polynomial-time computable weight function and query function
, parameters
, two real numbers
and
, a ROBUSTNESS oracle decides, for any
, whether the following is true:
We can prove that ROBUSTNESS is at least as hard as COUNTING by a reduction argument.
Theorem 1 (COUNTING ). Given polynomial-time computable weight function
and query function
, parameters
and real number
, the instance of COUNTING,
can be determined by up to
queries of the ROBUSTNESS oracle with input perturbation
Proof-sketch. We define the partition function and
. We then construct a new weight function
by introducing an additional parameter
, such that
, and
. Then we consider the perturbation
, with
and query the ROBUST- NESS oracle with input
multiple times to perform a binary search in
to estimate
. Perform a further “outer" binary search to find the
which maximizes the perturbation. This yields a good estimator for
which in turn gives
multiplicative error. We leave detailed proof to Appendix A.
3.2 Hardness of Certifying Markov Logic Networks
Given Theorem 1, we can now state the following result specifically for MLNs:
Theorem 2 (MLN Hardness). Given an MLN whose grounded factor graph is G = (V, F) in which the weights for interface factors are and constant thresholds
, deciding whether
is as hard as estimating multiplicative error, with
Proof. Let , query function
and
defined by the marginal distribution over interior variables of MLN. Theorem 1 directly implies that
queries of a ROBUSTNESS oracle can be used to efficiently estimate
In general, statistical inference in MLNs is #P-complete, and checking robustness for general MLNs is also #P-hard.
Given a sensing-reasoning pipeline with and a reasoning component R, we will first formally define its end-to-end certified robustness and then its connection to the robustness of each component. In particular, based on the above hardness result for certifying the robustness of the reasoning component in Section 3, we will provide an effective certification method to upper/lower bound the certification, taking any oracle for the inference of the reasoning component into account. With the certification of the reasoning component, we will finally provide the robustness certification for the sensing-reasoning pipeline by combining the certification of sensing and reasoning components. Definition 3 (
-robustness). A sensing-reasoning pipeline with
reasoning component
-robust on the input X, if for input perturbation
I.e., a perturbation on the input only changes the final pipeline output by at most
Sensing Robustness and Reasoning Robustness. We decompose the end-to-end certified robustness of the pipeline into two components. The first component, which we call the sensing robustness, has been studied by the research community recently [20, 46, 8] — given a perturbation the input X, we say each sensor
The robustness of the reasoning component R is defined as: Given a perturbation output of each sensor
, we say the reasoning component
It is easy to see that when the sensing component is-robust and the reasoning component is
, the sensing-reasoning pipeline is
Since the sensing robustness has been intensively studied by previous work, in this paper, we mainly focus on the reasoning robustness and therefore analyze the robustness of the pipeline.
4.1 Certifying Sensing Robustness
There are several existing ways to certify the robustness of sensing models, such as Interval Bound Propagation (IBP) [16], Randomized Smoothing [8], and others [64, 52]. Here we will leverage randomized smoothing to provide an example for certifying the robustness of sensing components.
Corollary 1. Given a sensing model , we construct a smoothed sensing model
. With input perturbation
, the smoothed sensing model satisfies
where is the Gaussian CDF and
as its inverse.
Thus, the output probability of smoothed sensing model can be bounded given input perturbations. Note that the specific ways of certifying sensing robustness is orthogonal to certifying reasoning robustness, and one can plug in different sensing certification strategies.
4.2 Certifying Reasoning Robustness
Given the hardness results for certifying reasoning robustness in Section 3.2, in this paper, we assume that we have access to an oracle for statistical inference, and provide a novel algorithm to certify the reasoning robustness. I.e., we assume that we are able to calculate the two partition functions
Lemma 4.1 (MLN Robustness). Given access to partition functions and
, and maximum perturbations
, if
, we have that
We leave the proof to the Appendix B. The high-level proof idea is to decouple into two sub-problems via a collection of Lagrangian multipliers, i.e.,
. For any assignment of
obtain a valid upper/lower bound, which reduces the certification process to the process of searching for an assignment of these multipliers that minimize the upper bound (maximize the lower bound). To efficiently search for the optimal assignment of
, it is crucial to consider the interactions between these
and the corresponding solution of
, which hinges on the structure of MLN. In particular, we can prove the following (Detailed proofs and discussions in Appendix C):
Proposition 1 (Monotonicity). When monotonically increases w.r.t.
monotonically decreases w.r.t.
Proposition 2 (Convexity). is a convex function in
Implication. Given the monotonicity region, the maximal and minimal of are achieved at either
or
respectively. Given the convexity region, the maximal is achieved at
, and the minimal is achieved at
or at the zero gradient of
. As a result, our analysis leads to the following certification algorithm.
Algorithm of Certifying Reasoning Robustness. Algorithm 1 illustrates the detailed algorithm based on the above result to upper bound the robustness of MLN. The main step is to explore different regimes of the . In this paper, we only explore regimes where
as this already provides reasonable solutions in our experiments. The function
defines the exploration strategy — Depending on the scale of the problem, one can explore
using grid search, random sampling, or even gradientbased methods. For experiments in this paper, we use either grid search or random sampling. It is an exciting future direction to understand other efficient exploration and search strategies. We leave the detailed explanation of the algorithm to Appendix C.
We conduct intensive experiments on five datasets to evaluate the certified robustness of the sensing-reasoning pipeline. We focus on two tasks with different modalities: image classification task on Road Sign dataset created based on GTSRB dataset [45] following the standard setting as [17]; and information extraction task with stocks news on text data. We also report additional results on two other image classification tasks (Word50 [6] and PrimateNet, which is a subset of ImageNet ILSVRC2012 [9]) with natural knowledge rules in Appendix G and Appendix F. We also report results on standard image benchmarks (MNIST and CIFAR10) with manually constructed knowledge rules in Appendix H. The code is provided at https://github.com/Sensing-Reasoning/ Sensing-Reasoning-Pipeline.
5.1 Experimental Setup
Datasets and Tasks. For the road sign classification task, we follow [17] and use the same dataset GTSRB [45], which contains 12 types of German road signs {"Stop”, "Priority Road”, "Yield”, "Construction Area”, "Keep Right”, "Turn Left”, "Do not Enter”, "No Vihicles”, "Speed Limit 20”, "Speed Limit 50”, "Speed Limit 120”, "End of Previous Limitation”}. It consists of 14880 training samples, 972 validation samples, and 3888 testing samples. We also include 13 additional detectors for knowledge integration, detecting attributes such as whether the border has an octagon shape (See Appendix D for a full list).
For the information extraction task, we use the HighTech dataset which consists of both daily closing asset price and financial news from 2006 to 2013 [12]. We choose 9 companies with the most news, resulting in 4810 articles related to 9 stocks filtered by company name. We split the dataset into training and testing days chronologically. We define three information extraction tasks as our sensing models: StockPrice(Day, Company, Price), StockPriceChange(Day, Company, Percent), StockPriceGain(Day, Company). The domain knowledge that we integrate depicts the relationships between these relations (See Appendix E for more details).
Knowledge Rules. We integrate different types of knowledge rules for these two applications. We provide the full list of knowledge rules in the Appendix D.
For road sign classification, we follow [17], which includes two different types of knowledge rules — Indication rules (road sign class u indicates attribute v) and Exclusion rules (attribute classes u and v with the same general type such as "Shape”, "Color”, "Digit” or "Content” are naturally exclusive).
For information extraction, we integrate knowledge about the relationships between the sensing models (e.g., StockPrice, StockPriceChange, StockPriceGain). For example, the stock prices of two consecutive days, and
, should be consistent with
Implementation Details. Throughout the road sign classification experiment, we implement all sensing models using the GTSRB-CNN [13] architecture. During training, we train all sensors with Isotropic Gaussian augmented data with 50000 training iterations until converge and tune the training parameters on the validation set, following [8]. We use the SGD-momentum with the initial learning rate as 0.01 and the weight decay parameter as
to train all the sensors for 50000 iterations with 200 as the batch size, following [17]. During certification, we adopt the same smoothing parameter for training to construct the smoothed model based on Monte-Carlo sampling.
For information extraction, we use BERT as our model architecture. During training, we use the final hidden state of the first token [CLS] from BERT as the representation of the whole input and apply dropout with probability p = 0.5 on this final hidden state. Additionally, there is a fully connected layer added on top of BERT for classification. To fine-tune the BERT classifiers for three information tasks, we use the Adam optimizer with the initial learning rate as and the weight decay parameter as
. We train all the sensors for 30 epochs, and the batch size 32.
Evaluation Metrics. We adopt the standard certified accuracy as our evaluation metric, defined by the percentage of instances that can be certified under certain -norm bounded perturbations. Specifically, given the input x with ground-truth label y, once we can certify the bound of the model’s output confidence on predicting label y under the norm-bounded perturbation as [L, U], the certified accuracy can be defined by:
where
denotes the indicator function. Since each sensing component’s certification is performed by randomized smoothing, which yields the failure probability characterized by
, we will control the failure probability
for the whole sensing-reasoning pipeline pipeline with n sensing models as
by applying the union bound. Throughout all the experiments,
is kept to 0.001 so our end-to-end certification is guaranteed to be correct with at least 99.9% confidence.
5.2 Results of Road Sign Classification
In this section, we evaluate the certified robustness of our sensing-reasoning pipeline under the -norm bounded perturbation. We first report the
certified accuracy of our sensing-reasoning pipeline and compare it to a strong baseline as a vanilla randomized smoothing trained model (without knowledge). Note that it is flexible to replace the sensing component with other robust training
Table 1: (Road sign classification) Certified accuracy under different input perturbation magnitudes (Models are smoothed with different Gaussian noises
. Rows with
denote the best certified accuracy among all the smoothing parameters for each method. The bold numbers show the higher certified accuracy under the same
setting and the numbers with underline show the highest certified accuracy for each
among different smoothing parameters. (All certificates hold with p = 99.9%)
algorithms. We conduct our evaluation under different smoothing parameters and various
perturbation magnitudes on the input image
(Table 1). During certification, we evaluate our certification time per sample with 25 sensors as 5.39s, which shows that the overall certification time is generally acceptable.
As shown in Table 1, we can see that with knowledge integration, sensing-reasoning pipeline achieves consistently higher certified accuracy compared to the baseline smoothed ML model without knowledge under all the perturbation magnitudes and smoothing parameter
settings. Under the small perturbation magnitude cases, our improvement is very significant (around 5%). More interestingly, given large
but small smoothing parameter
, vanilla randomized smoothing-based certification directly fails (0% certified accuracy) due to the looseness of the hypothesis testing bound, while the sensing-reasoning pipeline could still achieve reasonable certified robustness (over 71% on
) under the same
settings. This indicates a very realistic case: we always under-estimate the attacker’s ability easily under the real-world setting – in this case, the sensing-reasoning pipeline could remain robust even provide reasonable certified accuracy with a conservative smoothing parameter.
5.3 Results of Information Extraction
In this section, we conduct the certified robustness evaluation on the information extraction task on text data. Since there is no good certification method on discrete NLP data for sensing models, we directly assume the maximal perturbation on the output of sensors ().
Table 2: (Information extraction) Certified accuracy under different perturbation magnitudes (based on the sensing models’ output uncertainty. (All
Table 2 shows the certified accuracy on the final outputs of the reasoning component. We see that the sensing-reasoning pipeline provides signifi-cantly higher certified robustness, and even under a high perturbation magnitude on all sensing models’ output confidence (), which means the sensing-reasoning pipeline can still leverage the knowledge to help enhance the robustness given strong attacker. To further illustrate intu-
itively why such knowledge-based reasoning helps, Figure 3 shows the “margin” — the probability of the ground truth class minus the probability of the wrong class — with or without knowledge integration. We see that, with knowledge integration, we can significantly increase the number of examples with a large “margin” under adversarial perturbations. This explains the improvement of certified robustness, which highly relies on such prediction confident margin.
We also conduct experiments on PrimateNet, Word50, MNIST, CIFAR10 datasets for the image classification tasks in Appendix F- Appendix H. We observe similar results that knowledge integration significantly boosts the certified robustness.
Robustness for Single ML model and ML Ensemble. Lots of efforts have been made to improve the robustness of single ML or ensemble models. Adversarial training [15], and its variations [48,
Figure 3: (Information extraction) Histogram of the robustness margin (the difference between the probability of the correct class (lower bound) and the top wrong class (upper bound)) under perturbations. If such a difference is positive, it means that the classifier makes the right prediction under perturbations.
31, 54] have generally been more successful in practice, but usually come at the cost of accuracy and increased training time [49, 54]. To further provide certifiable robustness guarantees for ML models, various certifiable defenses and robustness verification approaches have been proposed [20, 46, 8, 27, 25]. Among these strategies, randomized smoothing [8] has achieved scalable performance. With improvements in training, including pretraining and adversarial training, the certified robustness bound can be further improved [4, 42]. In addition to the single ML model, some work proposed to promote the diversity of classifiers and therefore develop a robust ML ensemble [34, 60, 58, 59]. Although promising, these defense approaches, either empirical or theoretical, can only improve the robustness of a single ML or ensemble model. Certifying or improving the robustness of such single or pure ensemble models is very challenging, given that there is no additional information that can be utilized. In addition, the ML learning process usually favors a pipeline that is able to incorporate different sensing components as well as domain knowledge in practice. Thus, certifying the robustness of such pipelines is of great importance.
Robustness of End-to-end ML Systems. There have been intensive studies on joint inference between multiple models, and the predictions based on joint inference can help to further improve the clean accuracy of ML pipelines [56, 10, 38, 33, 7, 5], which have been applied to a range of real-world applications [2, 37, 32]. Often, these approaches use different statistical inference models such as factor graphs [51], Markov logic networks [41], and Bayesian networks [35] as a way to integrate domain knowledge. In this paper, we take a different perspective on this problem — instead of treating joint inference as a way to improve the clean accuracy, we explore the possibility of using it as exogenous information to improve the end-to-end certified robustness of ML pipelines. A recent work [17] explores the empirical robustness improvement via knowledge integration, while there is no robustness guarantee provided. As we show in this paper, by integrating domain knowledge, we are able to improve the certified robustness of the ML pipelines significantly.
We provide the first certifiably robust sensing-reasoning pipeline with knowledge-based logical reasoning. We theoretically prove the certified robustness of such ML pipelines, and provide complexity analysis for certifying the reasoning component. Our extensive empirical results demonstrate the certified robustness of sensing-reasoning pipeline, and we believe our work would shed light on future research towards improving and certifying robustness for general ML frameworks as well as different ways to integrate logical reasoning with statistical learning.
Acknowledgements This work is partially supported by the NSF grant No.1910100, NSF CNS No.2046726, C3 AI, and the Alfred P. Sloan Foundation. CZ and the DS3Lab gratefully acknowledge the support from the Swiss State Secretariat for Education, Research and Innovation (SERI) under contract number MB22.00036 (for European Research Council (ERC) Starting Grant TRIDENT 101042665), the Swiss National Science Foundation (Project Number 200021_184628, and 197485), Innosuisse/SNF BRIDGE Discovery (Project Number 40B2-0_187132), European Union Horizon 2020 Research and Innovation Programme (DAPHNE, 957407), Botnar Research Centre for Child Health, Swiss Data Science Center, Alibaba, Cisco, eBay, Google Focused Research Awards, Kuaishou Inc., Oracle Labs, Zurich Insurance, and the Department of Computer Science at ETH Zurich. HG has received funding from the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation programme (grant agreement No. 947778).
[1] Anish Athalye, Nicholas Carlini, and David Wagner. Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In International Conference on Machine Learning, pages 274–283, 2018.
[2] Marenglen Biba, Stefano Ferilli, and Floriana Esposito. Protein fold recognition using markov logic networks. In Mathematical Approaches to Polymer Sequence Analysis and Related Problems, pages 69–85. Springer, 2011.
[3] Nicholas Carlini and David Wagner. Towards evaluating the robustness of neural networks. In 2017 ieee symposium on security and privacy (sp), pages 39–57. IEEE, 2017.
[4] Yair Carmon, Aditi Raghunathan, Ludwig Schmidt, Percy Liang, and John C Duchi. Unlabeled data improves adversarial robustness. arXiv preprint arXiv:1905.13736, 2019.
[5] Deepayan Chakrabarti, Stanislav Funiak, Jonathan Chang, and Sofus A Macskassy. Joint inference of multiple label types in large networks. arXiv preprint arXiv:1401.7709, 2014.
[6] Liang-Chieh Chen, Alexander Schwing, Alan Yuille, and Raquel Urtasun. Learning deep structured models. In International Conference on Machine Learning, pages 1785–1794. PMLR, 2015.
[7] Liwei Chen, Yansong Feng, Jinghui Mo, Songfang Huang, and Dongyan Zhao. Joint inference for knowledge base population. In Proceedings of the 2014 Conference on Empirical Methods in Natural Language Processing (EMNLP), pages 1912–1923, Doha, Qatar, October 2014. Association for Computational Linguistics.
[8] Jeremy M Cohen, Elan Rosenfeld, and J Zico Kolter. Certified adversarial robustness via randomized smoothing. arXiv preprint arXiv:1902.02918, 2019.
[9] J. Deng, W. Dong, R. Socher, L.-J. Li, K. Li, and L. Fei-Fei. ImageNet: A Large-Scale Hierarchical Image Database. In CVPR09, 2009.
[10] Jia Deng, Nan Ding, Yangqing Jia, Andrea Frome, Kevin Murphy, Samy Bengio, Yuan Li, Hartmut Neven, and Hartwig Adam. Large-scale object classification using label relation graphs. In European conference on computer vision, pages 48–64. Springer, 2014.
[11] Jacob Devlin, Ming-Wei Chang, Kenton Lee, and Kristina Toutanova. BERT: pre-training of deep bidirectional transformers for language understanding. In Jill Burstein, Christy Doran, and Thamar Solorio, editors, NAACL-HLT, pages 4171–4186. Association for Computational Linguistics, 2019.
[12] Xiao Ding, Yue Zhang, Ting Liu, and Junwen Duan. Using structured events to predict stock price movement: An empirical investigation. In Proceedings of the 2014 Conference on Empirical Methods in Natural Language Processing (EMNLP), pages 1415–1425, 2014.
[13] Kevin Eykholt, Ivan Evtimov, Earlence Fernandes, Bo Li, Amir Rahmati, Chaowei Xiao, Atul Prakash, Tadayoshi Kohno, and Dawn Song. Robust physical-world attacks on deep learning visual classification. In Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, pages 1625–1634, 2018.
[14] Christiane Fellbaum. Wordnet. The encyclopedia of applied linguistics, 2012.
[15] Ian J. Goodfellow, Jonathon Shlens, and Christian Szegedy. Explaining and harnessing adversarial examples. ICLR, 2015.
[16] Sven Gowal, Krishnamurthy Dvijotham, Robert Stanforth, Rudy Bunel, Chongli Qin, Jonathan Uesato, Relja Arandjelovic, Timothy Mann, and Pushmeet Kohli. On the effectiveness of interval bound propagation for training verifiably robust models. arXiv preprint arXiv:1810.12715, 2018.
[17] Nezihe Merve Gürel, Xiangyu Qi, Luka Rimanic, Ce Zhang, and Bo Li. Knowledge enhanced machine learning pipeline against diverse adversarial attacks. ICML, 2021.
[18] Tuyen N Huynh and Raymond J Mooney. Max-margin weight learning for markov logic networks. In Joint European Conference on Machine Learning and Knowledge Discovery in Databases, pages 564–579. Springer, 2009.
[19] Jongheon Jeong and Jinwoo Shin. Consistency regularization for certified robustness of smoothed classifiers. Advances in Neural Information Processing Systems, 33:10558–10570, 2020.
[20] J Zico Kolter and Eric Wong. Provable defenses against adversarial examples via the convex outer adversarial polytope. arXiv preprint arXiv:1711.00851, 2017.
[21] Ondrej Kuzelka. Complex markov logic networks: Expressivity and liftability. In Conference on Uncertainty in Artificial Intelligence, pages 729–738. PMLR, 2020.
[22] Bo Li and Yevgeniy Vorobeychik. Feature cross-substitution in adversarial classification. In Advances in neural information processing systems, pages 2087–2095, 2014.
[23] Huichen Li, Linyi Li, Xiaojun Xu, Xiaolu Zhang, Shuang Yang, and Bo Li. Nonlinear gradient estimation for query efficient blackbox attack. In International Conference on Artificial Intelligence and Statistics (AISTATS 2021), Proceedings of Machine Learning Research. PMLR, 13–15 Apr 2021.
[24] Huichen Li, Xiaojun Xu, Xiaolu Zhang, Shuang Yang, and Bo Li. Qeba: Query-efficient boundary-based blackbox attack. In Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, pages 1221–1230, 2020.
[25] Linyi Li, Xiangyu Qi, Tao Xie, and Bo Li. Sok: Certified robustness for deep neural networks. arXiv, abs/2009.04131, 2020.
[26] Linyi Li, Maurice Weber, Xiaojun Xu, Luka Rimanic, Bhavya Kailkhura, Tao Xie, Ce Zhang, and Bo Li. Tss: Transformation-specific smoothing for robustness certification. In ACM Conference on Computer and Communications Security (CCS 2021), 2021.
[27] Linyi Li, Jiawei Zhang, Tao Xie, and Bo Li. Double sampling randomized smoothing. In International Conference on Machine Learning, 2022.
[28] Linyi Li, Zexuan Zhong, Bo Li, and Tao Xie. Robustra: training provable robust neural networks over reference adversarial space. In Proceedings of the 28th International Joint Conference on Artificial Intelligence, pages 4711–4717. AAAI Press, 2019.
[29] Daniel Lowd and Pedro Domingos. Efficient weight learning for markov logic networks. In Joost N. Kok, Jacek Koronacki, Ramon Lopez de Mantaras, Stan Matwin, Dunja Mladeniˇc, and Andrzej Skowron, editors, Knowledge Discovery in Databases: PKDD 2007, pages 200–211, Berlin, Heidelberg, 2007. Springer Berlin Heidelberg.
[30] Xingjun Ma, Bo Li, Yisen Wang, Sarah M Erfani, Sudanthi Wijewickrema, Grant Schoenebeck, Dawn Song, Michael E Houle, and James Bailey. Characterizing adversarial subspaces using local intrinsic dimensionality. arXiv preprint arXiv:1801.02613, 2018.
[31] Aleksander Madry, Aleksandar Makelov, Ludwig Schmidt, Dimitris Tsipras, and Adrian Vladu. Towards deep learning models resistant to adversarial attacks. arXiv preprint arXiv:1706.06083, 2017.
[32] Emily K. Mallory, Ce Zhang, Christopher Ré, and Russ B. Altman. Large-scale extraction of gene interactions from full-text literature using DeepDive. Bioinformatics, 32(1):106–113, 09 2015.
[33] Andrew McCallum. Joint inference for natural language processing. In Proceedings of the Thirteenth Conference on Computational Natural Language Learning (CoNLL-2009), page 1, Boulder, Colorado, June 2009. Association for Computational Linguistics.
[34] Tianyu Pang, Kun Xu, Chao Du, Ning Chen, and Jun Zhu. Improving adversarial robustness via promoting ensemble diversity. arXiv preprint arXiv:1901.08846, 2019.
[35] Judea Pearl. Causality: Models, Reasoning, and Inference. Cambridge University Press, USA, 2000.
[36] Judea Pearl. Bayesian networks. 2011.
[37] Shanan E. Peters, Ce Zhang, Miron Livny, and Christopher Ré. A machine reading system for assembling synthetic paleontological databases. PLOS ONE, 9(12):1–22, 12 2014.
[38] Hoifung Poon and Pedro Domingos. Joint inference in information extraction. In AAAI, volume 7, pages 913–918, 2007.
[39] Haonan Qiu, Chaowei Xiao, Lei Yang, Xinchen Yan, Honglak Lee, and Bo Li. Semanticadv: Generating adversarial examples via attribute-conditioned image editing. In European Conference on Computer Vision, pages 19–37. Springer, 2020.
[40] Matthew Richardson and Pedro Domingos. Markov logic networks. Machine learning, 62(1-2):107–136, 2006.
[41] Matthew Richardson and Pedro Domingos. Markov logic networks. Machine Learning, 62(1-2):107–136, 2006.
[42] Hadi Salman, Jerry Li, Ilya Razenshteyn, Pengchuan Zhang, Huan Zhang, Sebastien Bubeck, and Greg Yang. Provably robust deep learning via adversarially trained smoothed classifiers. In Advances in Neural Information Processing Systems, pages 11289–11300, 2019.
[43] Shibani Santurkar, Dimitris Tsipras, Mahalaxmi Elango, David Bau, Antonio Torralba, and Aleksander Madry. Editing a classifier by rewriting its prediction rules. Advances in Neural Information Processing Systems, 34:23359–23373, 2021.
[44] Ali Shafahi, Mahyar Najibi, Amin Ghiasi, Zheng Xu, John Dickerson, Christoph Studer, Larry S Davis, Gavin Taylor, and Tom Goldstein. Adversarial training for free! arXiv preprint arXiv:1904.12843, 2019.
[45] Johannes Stallkamp, Marc Schlipsing, Jan Salmen, and Christian Igel. Man vs. computer: Benchmarking machine learning algorithms for traffic sign recognition. Neural networks, 32:323–332, 2012.
[46] Vincent Tjeng, Kai Xiao, and Russ Tedrake. Evaluating robustness of neural networks with mixed integer programming. arXiv preprint arXiv:1711.07356, 2017.
[47] Florian Tramer, Nicholas Carlini, Wieland Brendel, and Aleksander Madry. On adaptive attacks to adversarial example defenses. arXiv preprint arXiv:2002.08347, 2020.
[48] Florian Tramèr, Alexey Kurakin, Nicolas Papernot, Dan Boneh, and Patrick McDaniel. Ensemble adversarial training: Attacks and defenses. ICLR, 2018.
[49] Dimitris Tsipras, Shibani Santurkar, Logan Engstrom, Alexander Turner, and Aleksander Madry. Robustness may be at odds with accuracy). ICLR 2019, 2018.
[50] L.G. Valiant. The complexity of computing the permanent. Theoretical Computer Science, 8(2):189–201, 1979.
[51] Martin J. Wainwright and Michael I. Jordan. Graphical models, exponential families, and variational inference. Foundations and Trends® in Machine Learning, 1(1–2):1–305, 2008.
[52] Lily Weng, Huan Zhang, Hongge Chen, Zhao Song, Cho-Jui Hsieh, Luca Daniel, Duane Boning, and Inderjit Dhillon. Towards fast computation of certified robustness for relu networks. In International Conference on Machine Learning, pages 5276–5285, 2018.
[53] Chaowei Xiao, Ruizhi Deng, Bo Li, Taesung Lee, Benjamin Edwards, Jinfeng Yi, Dawn Song, Mingyan Liu, and Ian Molloy. Advit: Adversarial frames identifier based on temporal consistency in videos. In Proceedings of the IEEE/CVF International Conference on Computer Vision, pages 3968–3977, 2019.
[54] Chaowei Xiao, Ruizhi Deng, Bo Li, Fisher Yu, Mingyan Liu, and Dawn Song. Characterizing adversarial examples based on spatial consistency information for semantic segmentation. In Proceedings of the European Conference on Computer Vision (ECCV), pages 217–234, 2018.
[55] Kaidi Xu, Zhouxing Shi, Huan Zhang, Yihan Wang, Kai-Wei Chang, Minlie Huang, Bhavya Kailkhura, Xue Lin, and Cho-Jui Hsieh. Automatic perturbation analysis for scalable certified robustness and beyond. Advances in Neural Information Processing Systems, 33, 2020.
[56] Zhe Xu, Ivan Gavran, Yousef Ahmad, Rupak Majumdar, Daniel Neider, Ufuk Topcu, and Bo Wu. Joint inference of reward machines and policies for reinforcement learning. arXiv preprint arXiv:1909.05912, 2019.
[57] Greg Yang, Tony Duan, J Edward Hu, Hadi Salman, Ilya Razenshteyn, and Jerry Li. Randomized smoothing of all shapes and sizes. In International Conference on Machine Learning, pages 10693–10705. PMLR, 2020.
[58] Zhuolin Yang, Linyi Li, Xiaojun Xu, Bhavya Kailkhura, Tao Xie, and Bo Li. On the certified robustness for ensemble models and beyond. ICLR, 2021.
[59] Zhuolin Yang, Linyi Li, Xiaojun Xu, Bhavya Kailkhura, Tao Xie, and Bo Li. On the certi-fied robustness for ensemble models and beyond. In International Conference on Learning Representations, 2022.
[60] Zhuolin Yang, Linyi Li, Xiaojun Xu, Shiliang Zuo, Qian Chen, Pan Zhou, Benjamin I. P. Rubinstein, Ce Zhang, and Bo Li. Trs: Transferability reduced ensemble via promoting gradient
diversity and model smoothness. In Neural Information Processing Systems (NeurIPS 2021), 2021.
[61] Zhuolin Yang, Linyi Li, Xiaojun Xu, Shiliang Zuo, Qian Chen, Pan Zhou, Benjamin I P Rubinstein, Ce Zhang, and Bo Li. Trs: Transferability reduced ensemble via promoting gradient diversity and model smoothness. In Advances in Neural Information Processing Systems, 2021.
[62] Zhuolin Yang, Zhikuan Zhao, Boxin Wang, Jiawei Zhang, Linyi Li, Hengzhi Pei, Bojan Karlaš, Ji Liu, Heng Guo, Ce Zhang, and Bo Li. Improving certified robustness via statistical learning with logical reasoning. NeurIPS, 2022.
[63] Ce Zhang, Christopher Ré, Michael Cafarella, Christopher De Sa, Alex Ratner, Jaeho Shin, Feiran Wang, and Sen Wu. Deepdive: Declarative knowledge base construction. Commun. ACM, 60(5):93–102, April 2017.
[64] Huan Zhang, Tsui-Wei Weng, Pin-Yu Chen, Cho-Jui Hsieh, and Luca Daniel. Efficient neural network robustness certification with general activation functions. In Advances in neural information processing systems, pages 4939–4948, 2018.
[65] Jiawei Zhang, Linyi Li, Huichen Li, Xiaolu Zhang, Shuang Yang, and Bo Li. Progressive-scale boundary blackbox attack via projective gradient estimation. ICML, 2022.
(a) Do the main claims made in the abstract and introduction accurately reflect the paper’s contributions and scope? [Yes]
(b) Did you describe the limitations of your work? [Yes] We have mentioned the future improvement of our work in the related work part.
(c) Did you discuss any potential negative societal impacts of your work? [Yes] This work will not infer obvious negative societal impacts.
(d) Have you read the ethics review guidelines and ensured that your paper conforms to them? [Yes]
(a) Did you state the full set of assumptions of all theoretical results? [Yes] The assumptions have been all mentioned in the main paper and appendices.
(b) Did you include complete proofs of all theoretical results? [Yes] The whole proofs are provided in Appendix A - C.
(a) Did you include the code, data, and instructions needed to reproduce the main experimental results (either in the supplemental material or as a URL)? [Yes] The code is provided at https://github.com/Sensing-Reasoning/ Sensing-Reasoning-Pipeline.
(b) Did you specify all the training details (e.g., data splits, hyperparameters, how they were chosen)? [Yes] All the training details have been provided in the Appendix D - I.
(c) Did you report error bars (e.g., with respect to the random seed after running experiments multiple times)? [Yes] The confidence of the reported certification results in the paper is guaranteed to be at least 99.9%, as mentioned in our main paper.
(d) Did you include the total amount of compute and the type of resources used (e.g., type of GPUs, internal cluster, or cloud provider)? [Yes] The detailed information is mentioned in Appendix D.
(a) If your work uses existing assets, did you cite the creators? [Yes] (b) Did you mention the license of the assets? [Yes] (c) Did you include any new assets either in the supplemental material or as a URL? [Yes] (d) Did you discuss whether and how consent was obtained from people whose data you’re using/curating? [Yes] We only use public and commonly used data.
(e) Did you discuss whether the data you are using/curating contains personally identifiable information or offensive content? [Yes] We only use public and commonly used data.
(a) Did you include the full text of instructions given to participants and screenshots, if applicable? [N/A]
(b) Did you describe any potential participant risks, with links to Institutional Review Board (IRB) approvals, if applicable? [N/A]
(c) Did you include the estimated hourly wage paid to participants and the total amount spent on participant compensation? [N/A]
We first recall the following definitions:
Counting. Given input polynomial-time computable weight function and query function
parameters
, a real number
oracle outputs a real number Z such that
Robustness. Given input polynomial-time computable weight function and query function
parameters
, two real numbers
oracle decides, for any
such that
, whether the following is true:
Proof of Theorem 1
Theorem 1 (COUNTING ). Given polynomial-time computable weight function
and query function
, parameters
and real number
, the instance of COUNTING,
can be determined by up to
queries of the ROBUSTNESS oracle with input perturbation
Proof. Let be an instance of COUNTING. Define a new distribution
over X with a single parameter
such that
where
Since Q is polynomial-time computable,
is accessible for any
. We will choose
later. For
, define
Then we have
We further define
Easy calculation implies that for if and only if
. Note that
The two maximum are achieved when . We will choose
This function Y is increasing in , decreasing in
, increasing in [log R, log R + x/2] again, and decreasing in
once again.
Our goal is to estimate R. For any fixed , we will query the ROBUSTNESS oracle with parameters
. Using binary search in
, we can estimate the function
above efficiently with additive error
with at most
oracle calls. We use binary search once again in
so that it
In particular, . Note that here
is the accumulated error from binary searching twice.
We claim that is a good estimator for log R. First assume that
, which implies that
Let . Note that
. We choose
If , then
, a contradiction. Thus,
. It implies that
. Similarly for the case of
, we have that
. Thus in both cases, we have our estimator
Finally, to estimate with multiplicative error
, we only need to pick
Lagrange multipliers
Before proving the robustness result of MLN, we first briefly review the technique of Lagrange multipliers for constrained optimization: Consider following problem P,
Introducing another real variable , we define following problem
Proof of Lemma 4.1
Lemma 4.1 (MLN Robustness). Given access to partition functions and
, and a maximum perturbations
, if
, we have
that
Proof. Consider the upper bound, we have
Introducing Lagrange multipliers . Note that any choice of
corresponds to a valid upper bound. Thus
, we can reformulate the above into
We have the claimed upper-bound,
Similarly, the lower-bound can be written in terms of Lagrange multipliers, and have
Proposition (Monotonicity). When ,
monotonically increases w.r.t.
; When
monotonically decreases w.r.t.
where and
and
. We can rewrite the perturbation on
as a perturbation on
where
Note that is monatomic in
. We also have
We can hence apply the same Lagrange multiplier procedure as in the above proof of Lemma 6 and conclude that
where with
. We are now in the
Since monotonically increases in
in
monotonically decreases in
and hence in
The above is simply the variance of , namely
. The convexity of
All the experiments shown in Appendix D - I are run on 4 RTX 2080 Ti GPUs.
Task and Dataset. For road sign classification task, the whole dataset can be viewed as a subset of GTSRB dataset [45], which contains 12 types of German road signs {"Stop”, "Priority Road”, "Yield”, "Construction Area”, "Keep Right”, "Turn Left”, "Do not Enter”, "No Vihicles”, "Speed Limit 20”, "Speed Limit 50”, "Speed Limit 120”, "End of Previous Limitation”}, with 14880 training samples, 972 validation samples and 3888 testing samples in total. Besides the road sign classes, we construct 13 attribute classes as follows:
Based on the indication direction from road sign classes to attribute classes, and the exclusive relationship between attribute classes with the same type, we develop the following two types of knowledge rules as follows:
• Indication rules (u, v): Road sign class u indicates attribute v.
• Exclusion rules (u, v): Attribute classes u and v with the same type ("Shape”, "Color”, "Digit” or "Content”) are naturally exclusive. (e.g., One road sign can not have "Octagon” shape and "Triangle” shape at the same time.)
Knowledge. We construct our first-order logical rules based on our predefined indication and exclusion knowledge as follows:
• Indication edge : if one object belongs to road sign class u, it should have attribute u:
Intuitive Example. Following the HEX graph-based knowledge structure and rules, we will show several adversary scenarios which could be mitigated through the inference reasoning phase. For instance, if the “Construction Area" object is attacked to be “Stop Sign" while other sensing nodes remain unaffected, like the border shape is still detected as the “Triangle” shape. Then the indication knowledge rule (The “Stop Sign" object should have the “Octagon” border shape) and the exclusive knowledge rule (No class can have the “Triangle” border shape and “Octagon” shape at the same time) would be violated. Such violation of the knowledge rules would discourage our pipeline to predict “Stop Sign" as what the attacker wants. However, the sensing-reasoning pipeline may not distinguish the “Yield", and “Construction Area" classes if the attacker fooled the “Construction Area" sensing completely, which shows the limitation of such structural knowledge, and more knowledge would be required in this case to help improve the robustness.
Figure 4: PrimateNet. The knowledge structure of PrimateNet dataset. The Blue arrows represent the Hierarchical rules between different classes, and the Red arrows represent the Exclusive rules. Some exclusive rules are omitted due to the space limit.
To further evaluate the certified robustness of the reasoning component, in this section we will focus on the perturbation directly added to the reasoning component (e.g. in Figure 1).
Tasks and Dataset. We consider information extraction tasks in NLP based on a stock news dataset — HighTech dataset which consists of both daily closing asset price and financial news from 2006 to 2013 [12]. We choose 9 companies with the most news, resulting in 4810 articles related to 9 stocks filtered by company name. We split the dataset into training and testing days chronologically. We define three information extraction tasks as our sensing models: StockPrice(Day, Company, Price), StockPriceChange(Day, Company, Percent), StockPriceGain(Day, Company). The domain knowledge that we integrate depicts the relationships between these relations. We describe the three information extraction tasks in details below:
• StockPrice(day, company, price) In this task, we aim to extract the daily closing price of the stock from the article. We first extract numbers in every sentence from the article as candidate relations. Then we label every relation by the given daily closing asset price: label the relation whose number starts with "$" and has the minimum difference with the given closing price as positive and label others as negative. We train a BERT-based classifier [11] as the sensing model to judge the relation of whether the number was the closing price of the stock on that day and output the confidence.
• StockPriceChange(day, company, percent) In this task, we want to extract the percentage that the closing price of the stock changed from the collected news articles. We first extract numbers in every sentence from the articles as candidate relations. Then we label every relation via yesterday’s and today’s closing asset price. We train a BERT-based classifier as the sensing model to judge the relations of whether the number was the change rate of the closing price of the stock on that day and output the confidence.
• StockPriceGain(day, company, gain) In this task, we want to extract information about whether the closing price of the stock rose or fell on the day based on the news article. We treat each sentence with the stock name and the numbers which start with "$" as a candidate. Then we judge each relationship by whether it indicates the stock price rose or fell by counting the positive and negative words in the sentence. We label the relation as positive: when Count(positive word) > Count(negative words); and negative: when Count(positive word) < Count(negative words). We train a BERT-based classifier as the sensing model and output the confidence.
Implementation Details. To train BERT classifiers, we use the final hidden state of the first token [CLS] from BERT as the representation of the whole input and we apply dropout with probability p = 0.5 on this final hidden state. A fully connected layer is added to the top of BERT for classification. To fine-tune the BERT classifiers for three information tasks, we use Adam optimization with a learning rate of and weight decay of
. We train our classifiers for 30 epochs with the batch size of 32.
Knowledge. We construct a new test set for the above three tasks. Specifically, for each news article, given the current date d and company name, we extract stock price on the current date, and stock price
on the date before the current date. We also predict whether the stock price goes up or down y (y = 0 if the prediction is “down” otherwise y = 1) and extract the percentage of stock price change
. The extracted information forms a 4-tuple
that satisfies the following rules (knowledge):
• Rule 1: The extracted stock price and
(sensing model StockPrice) should be consistent with the stock price change prediction (sensing model StockPriceGain).
• Rule 2: The extracted stock price and
(sensing model StockPrice) should be consistent with the percentage change of stock price prediction (sensing model StockPriceChange).
Threat Model. We attack sensing models by adding perturbations on a sensing group’s top-1 confidence value P without change other choices’ confidence value on the perturbed sensing position: is the perturbation scale on the confidence output of sensing models. In our attack setting, we add perturbations to all sensing groups.
Intuitive Example. Here we show an intuitive example of how our knowledge can help improve the ML robustness under adversarial attacks. Assume our sensors extract the correct stock price information , where price
and the stock price change is “down" (y = 0) by
. Now if the first stock price extraction sensor is attacked to output an incorrect prediction
such that
while other sensors remain intact;
will violate our knowledge rules 1 and 2. Specifically, the stock price change
is inconsistent with stock price change prediction y = 0, i.e.,
. As a result, our reasoning component will reduce the confidence of the wrong prediction
and increase the confidence of the ground truth
as it is consistent with knowledge rules, therefore potentially recovering the correct prediction of
Task and Dataset. We aim to evaluate the certified robustness of our sensing-reasoning pipeline on large-scale dataset such as ImageNet ILSVRC2012 [9]. In particular, to obtain domain knowledge for the images, we select 18 Primate animal categories to form a PrimateNet dataset, containing {Orangutan, Gorilla, Chimpanzee, Gibbon, Siamang, Madagascar cat, Woolly indris, Guenon, Baboon, Macaque, Langur, Colobus, Marmosets, Capuchin monkey, Howler monkey, Titi monkey, Spider monkey, Squirrel monkey}. Moreover, we create 7 internal classes {Greater ape, Lesser ape, Ape, Lemur, Old-world monkey, New-world monkey, Monkey} to construct the hierarchical structure according to the WordNet [14]. With such a hierarchical structure, we can build the Primate-class Hierarchy and Exclusion(HEX) graph based on the concepts from [10] as shown in Fig 4. Within the HEX graph, we develop two types of knowledge rules described as follows:
• Hierarchy rules (u, v): class u subsumes class v (e.g. Great Ape subsumes Gorilla);
• Exclusion edge (u, v): class u and class v are naturally exclusive (e.g. Gorilla cannot belong to Great Ape and Lesser Ape at the same time).
We consider each class in the HEX graph as the prediction of one sensing model in the sensing-reasoning pipeline, and we construct 25 sensing models as the leaf and internal nodes in the HEX graph. Here we use the MLN as our reasoning component connecting to these sensing models.
Implementation details. For each leaf sensing model, we utilize 1300 images from the ILSVRC2012 training set and 50 images from the ILSVRC2012 dev set. We split the 1300 images into 1000 images for training and 300 for testing. For each internal node, we uniformly sample the training images from all its children nodes’ training images to form its training set with the same size 1300, since there are no specific instances belonging to internal nodes’ categories in PrimateNet.
During training, we utilize the sensing DNN model for each node in the knowledge hierarchy to output the probability value given the input images. The models consist of a pre-trained ResNet18 feature extractor concatenated by two Fully-Connected layers with ReLU activation. In order to provide the certified robustness of the end-to-end sensing-reasoning pipeline, we adapt the randomized smoothing strategy mentioned in [8] to certify the robustness of sensing models, and then compose it with the certified robustness of the reasoning component. Specifically, we smoothed our sensing models by adding the isotropic Gaussian noise to the training images during training. We train each sensing model for 80 epochs with the Adam optimizer (initial learning rate is set to
and evaluate the sensing models’ performance on the validation set containing 50 images after every training epoch to avoid over-fitting. During testing, we certify the robustness of trained sensing models with the same smoothing parameter
used during model training.
Knowledge. The knowledge used in this task includes the hierarchical and exclusive relationships between different categories of the sensing predictions. For instance, the category “Ape" would include all the instances classified as “Greater ape, Lesser ape" (hierarchical); and there should not be any intersection for instances predicted as “Monkey" or “Lemur" (exclusive). Thus, we build our knowledge rules based on the structural relationships such as hierarchy and exclusion knowledge:
• Hierarchy edge : If one object belongs to class u, it should belong to class v as well:
• Exclusion edge : One object should not belong to class u and class v at the same time:
Threat Model. In this paper, we consider a strong attacker who has access to perturbing several sensing models’ input instances during inference time. To perform the attack, the attacker will add perturbation , bounded by
under the
norm, onto the test instance against the victim sensing models:
. In particular, we consider the attacker to attack
percent of the total sensing models.
Since we apply randomized smoothing to sensing models during training, for each sensing model, we can certify the output probability as a function of the original confidence p, the bound of the perturbation
, and smoothing parameter
according to Corollary 2 as below:
Evaluation Metrics. To evaluate the certified robustness of sensing-reasoning pipeline, we focus on the standard certified accuracy on a given test set, and the certified ratio measuring the percentage of instances that could be certified within a certain perturbation magnitude/radius.
Based on the previous analysis, given the based perturbation bound
, we can certify the output probability of the sensing-reasoning pipeline as [L, U]. In order to evaluate the certified robustness of sensing-reasoning pipeline, we define the Certified Robustness, measuring the percentage of instances that could be certified to make correct prediction within a perturbation radius, to evaluate the certified robustness following existing work [8], which is formally defined as:
where N refers to the number instances and the ground truth label of the given instance
is an indicator function which outputs 1 when its argument takes value true and 0 otherwise.
Moreover, we report the Certified Ratio to measure the percentage of instances that could be certified as a consistent prediction within a perturbation radius (even the consistent prediction might be wrong). The Certified Ratio is defined as:
Here the lower and upper bounds of the output probability indicate the binary prediction of each sensing model. We assume when the output probability is less than 0.5, it outputs 0.
Intuitive Example. Following the HEX graph-based knowledge structure and rules, we will show several adversary scenarios which could be mitigated through the inference reasoning phase. For instance, based on Figure 4, if one “Gorilla" object is attacked to be “Siamang" while other sensing nodes remain unaffected, the hierarchical knowledge rule (An object belongs to “Great Ape" class cannot belong to “Siamang" class) and the exclusive knowledge rule (No object could belong to “Great
Table 3: Benign accuracy (i.e. ) of models with and without knowledge under different smoothing parameters
evaluated on PrimateNet.
Table 4: Certified Robustness and Certified Ratio under different perturbation magnitude and sensing model attack ratio
on PrimateNet. The sensing models are smoothed with Gaussian noise
different smoothing parameter
Ape" and “Siamang" classes at the same time) would be violated. Such violation of the knowledge rules would discourage our pipeline to predicting “Siamang" as what the attacker wants. However, the sensing-reasoning pipeline may not distinguish the “Orangutan", “Gorilla", and “Chimpanzee" classes if the attacker fooled the “Gorilla" sensing completely, which shows the limitation of such structural knowledge, and more knowledge would be required in this case to help improve the robustness.
Evaluation Results. We evaluate the robustness of the sensing-reasoning pipeline compared with the baseline which is consist of 25 randomized smoothed sensing models for each Primate categories (without knowledge). We evaluate the average certified robustness of both under benign and adversarial scenarios with different smoothing parameter and
perturbation bound
. The evaluation results are shown in Table 4 and Table 3.
First, we evaluate both the sensing-reasoning pipeline and the smoothed ML model with benign test data as shown in Table 3. It is interesting that the sensing-reasoning pipeline with knowledge even outperforms the single model without knowledge about 0.7% over different randomized smoothing parameter . It shows that even without attacks, the knowledge could help to improve the classification accuracy slightly, indicating that the domain knowledge integration can help relax the tradeoff between benign accuracy and robustness.
Next, we evaluate the certified robustness of sensing-reasoning pipeline and the smoothed ML model considering different smoothing parameters and the input perturbation bound
in Table 4. We can see that when the attack ratio of sensing models
is small, both the Certified Robustness and Certified Ratio of sensing-reasoning pipeline are significantly higher
Figure 5: (PrimateNet) Histogram of the robustness margin (difference between the probability of the correct class (lower bound) and the top wrong class (upper bound)) under perturbation. If such a difference is positive, it means that the classifier makes the right prediction under perturbation. Evaluation is made under smoothing parameter perturbation scale
. The ratio of the attacked sensors
10%, 20%, 30%, 50%.
than that of the baseline smoothed ML model. In the meantime, when the sensing attack ratio is large (e.g. 50%) both the sensing-reasoning pipeline and baseline smoothed ML model obtain low Certified Robustness and Certified Ratio, and their performance gap becomes small.
This is interesting and intuitive, since if a large percent of sensing models are attacked, such structurebased knowledge, for which the solution to a given regular expression is not unique, would have higher confidence to prefer the other (wrong) side of the prediction. As a result, it is interesting for future work to identify more “robust" knowledge which is resilient against the large attack ratio of sensing models, in addition to the hierarchical structure knowledge.
We also find that when is small (
), the model with knowledge can perform consistently better than the baseline ML models. When
is large (
), the performance gap becomes even larger. This phenomenon indicates that sensing-reasoning pipeline could demonstrate its strength of robustness compared to the traditional smoothed DNN against an adversary with stronger ability.
To further evaluate the strength of our certified robustness, we calculate the robustness margin — the difference between the lower bound of the true class probability and the upper bound of the top wrong class probability under different perturbation scales — to inspect the robustness certification (larger difference infer stronger certification). Figure 5 shows the histogram of the robustness margin for the model with and without knowledge under smoothing parameter and different perturbation scale
. We leave histogram figures under other
settings in Appendix.
From Figure 5, we can see that under different adversary scenarios, more instances could receive the positive margin (i.e correct prediction) with sensing-reasoning pipeline, which indicates its robustness. Moreover, we find that the sensing-reasoning pipeline could output a large margin value with high frequency under various attacks. That means, it can certify the robustness of the ground truth class with high confidence, which is challenging for current certified robustness approaches for single ML models.
In addition, to evaluate the utility of different knowledge, we also develop sensing-reasoning pipeline by using only one type of knowledge (hierarchical or exclusive relationship only) and the results are shown in Appendix I. We observe that using partial knowledge, the robustness of sensing-reasoning pipeline would decrease compared with that using the full knowledge.
Task and Dataset. In addition, we also conduct experiments on Word50 dataset [6], which is created by randomly selecting 50 words and each consisting of five characters. Here we only pick 10 words from it to reduce the computation complexity, and the goal is to classify these 10 words. All the character images are of size and perturbed by scaling, rotation, and translation. The background of the characters is blurry by inserting different patches, which makes it a quite challenging task. For reference, Some word images sampled from the dataset are shown in Figure 6. The interesting property of this dataset is that the character combination is given as the prior knowledge, which can be integrated into our sensing-reasoning pipeline. The training, validation, and test sets contain 2, 049, 408, and 423 variations of word styles respectively.
Similar to the classification task on Road Sign dataset, we develop the following two types of knowledge rules as follows:
• Deduction rules contains character
th position of the word.
• Exclusion rules : character
and character
are naturally exclusive on the ith position of the word.
Implementation details. Multi-layer perceptrons (MLPs) are used as the main model architecture for the main task that the classification of the 10 words, which is the same to [6], and the input is the concatenation of the images of 5 characters which consist of a full word. As for the extra knowledge, we train another five MLP models for the classification of the character on each position of the input word, then the corresponding output dimensions for each such character classifier is 26. While during the inference, we will only pick the top2 of the output from each character classifier, so the final input dimension to the MLN is dimensions. Thus, to keep the certification probability the same as the baseline, the
here will be set to
For these sensing models, we adapt the randomized smoothing strategy [8] to give the certified robustness guarantee of their output confidence under the -norm bounded perturbation. The
is set to 2 for the deduction rules, and the corresponding
is the identity function; while for the exclusion rules, the
is set to
, and the
here is the negation function, namely,
Knowledge. We construct our first-order logical rules based on our predefined Deduction and Exclusion knowledge rules:
Threat Model. Same to the setting of the experiments on the Stop Sign dataset, here we consider a stronger attack scenario where the attacker can attack the main task model and all the attribute sensors with different -norm bounded perturbation
at the same time. Later on, we can see our sensing-reasoning pipeline could still achieve higher end-to-end certified robustness under even harder cases.
Given the -norm bound
, for each sensing model, we can bound its output probability
under such perturbation, given the original probability p and the certification smoothing parameter
according to Corollary 2 as below:
Evaluation Metrics. We adopt the standard certified accuracy as our evaluation metric, defined by the percentage of instances that can be certified under any -norm bounded perturbation
Specifically, given the input x with ground-truth label y, we can certify the bound of confidence on predicting label y as [L, U] for either a vanilla randomize smoothing-based model or our sensing-reasoning pipeline. After that, the certified accuracy can be defined by:
denotes the indicator function.
Intuitive Example. To make the example more clear, here we use pos(’a’, i) to represent that the character ’a’ is in the ith position of the word. Then during the inference, given an input word image, we assume the top2 characters returned from the character classifiers for each position is ’s,m’, ’n,b’, ’a,o’, ’q,a’, ’k,c’, which are shown in the order of the position. Now, for word ’snack’, the corresponding first-order logical form of its deduction rules would be ’snack’ pos(’s’, 1), ’snack’
pos(’n’, 2), ’snack’
pos(’a’, 3) and ’snack’
pos(’k’, 5); while for other
Table 5: Certified accuracy under different per- turbation magnitude on Word10 dataset. The sensing models are smoothed with Gaussian noise
with different smoothing parameter
. Rows with
denote the best certified accuracy among all the
. (All certificates holds with 99.9% confidence)
Figure 6: Several word images sampled from Word50 dataset.
words like ’macaw’, the corresponding rules would be ’macaw’ pos(’a’, 4). Notice, if the character of the specific word is not shown in the top2 returned characters of its corresponding position, then there will be no deduction rule built for this word and this character. At the meantime, when we consider the possible worlds that satisfy
will still consider it as a violation of the exclusive rules. In other words, even if the character ’c’ is not shown in the top2 characters returned from the knowledge classifier in fourth position and thus we do not build the deduction rule ’snack’
) explicitly at this time as said above, this rule is still assumed to be true underlyingly.
Evaluation Results. We evaluate the robustness of the sensing-reasoning pipeline and compare it to the baseline as a vanilla randomized smoothed main task model (without knowledge). We train our models under different smoothing parameters and evaluate our sensing-reasoning pipeline under various
perturbation magnitude
. Results are show in Table 5, and as we can see, with extra knowledge, the performance is improved tremendously which strongly demonstrates the potential of the sensing-reasoning pipeline.
For natural image datasets with no apparent knowledge rules, we can still apply our sensing-reasoning pipeline based on some generated simple knowledge rules such as redundancy rules. For instance, we test on MNIST and CIFAR10 dataset by constructing basic rules as follows: for MNIST, we construct five pseudo attributes and randomly assign them to four different digits, so that each digit will exactly contain two pseudo attributes; for CIFAR10, we randomly generate ten pseudo attributes, and each pseudo attribute will be randomly assigned to 3 to 7 different categories. We build the indication rules between each pseudo attribute and its corresponding digits, and the exclusion rules between different digit classes.
During the training, we adopt the SOTA Consistency training [19] as our sensing model training method, and build our sensing-reasoning pipeline on top of these pretrained sensing models.
From the results shown in Table 6 and Table 7, we can see that the sensing-reasoning pipeline beats the SOTA baselines in terms of the certified robustness even with the simple and generated knowledge rules. Generally, we should expect higher certified robustness by integrating with natural and meaningful knowledge rules (e.g., road sign classification and information extraction tasks as shown in our paper).
Table 6: (MNIST) Certified accuracy under different input perturbation magnitudes (
Table 7: (CIFAR10) Certified accuracy under different input perturbation magnitudes (
In PrimateNet experiments, we also investigate how Hierarchy knowledge and Exclusive knowledge would affect the End-to-end robustness of our sensing-reasoning pipeline individually. We compare the certified robustness and certified ratio of our sensing-reasoning pipeline enriched by {No knowledge; Hierarchy knowledge only; Exclusive knowledge only; Hierarchy + Exclusive knowledge} and the results are shown in Table 8 and 9.
From the results, we can see while partial knowledge enrichment would lead to fragile robustness under severe scenarios (), complete knowledge enrichment could achieve much better robustness compared to sensing-reasoning pipeline without knowledge enrichment. This indicates that incomplete (or weak) knowledge, which is easy to break and hard to recover under severe adversarial scenarios, could even harm the robustness of our sensing-reasoning pipeline. How to explore good and robust knowledge to enrich our sensing-reasoning pipeline could be our interesting future direction.
Table 8: Certified Robustness with different perturbation magnitude and sensing model attack ratio
PrimateNet. The sensing models are smoothed with Gaussian noise
with different smoothing parameter
“Hierarchy.” refers to the sensing-reasoning pipeline enriched by hierarchy knowledge only while “Exclusive.” the exclusive knowledge only. “Combined.” shows the sensing-reasoning pipeline enriched by both domain knowledge.
A Bayesian network (BN) is a probabilistic graphical model that represents a set of variables and their conditional dependencies with a directed acyclic graph. Let us first consider a Bayesian Network with tree structures, the probability of a random variable being 1 is given by
In the following subsections, we will prove a hardness result of checking robustness in general MLN and BNs and use the above definition to construct an efficient procedure to certify robustness for binary tree BNs.
J.1 Hardness of Certifying Bayesian Networks
Analogously with the above reasoning, we can also state the general hardness result for deciding the robustness of BNs:
Theorem 3 (BN hardness). Given a Bayesian network with a set of parameters , a set of perturbation parameters
and threshold
, deciding whether
is at least as hard as estimating multiplicative error, with
Table 9: Certified Ratio with different perturbation magnitude and sensing model attack ratio
PrimateNet. The sensing models are smoothed with Gaussian noise
with different smoothing parameter
“Hierarchy.” refers to the sensing-reasoning pipeline enriched by hierarchy knowledge only while “Exclusive.” the exclusive knowledge only. “Combined.” shows the sensing-reasoning pipeline enriched by both domain knowledge.
Proof. Let defined by the the probability distribution of a target random variable. Since
, we have
. The proof then follows analogously from Theorem 1.
Based on the hardness analysis of the reasoning robustness, we can see that it is challenging to directly certify the robustness of the reasoning component. However, just as we can approximately certify the robustness of single ML models [25], in the next section, we will present and discuss how to approximately certify the robustness of the reasoning component, and we show that for some structures such as BN trees, the certification could even be tight.
J.2 Certifying Bayesian Networks
Apart from MLNs, we also aim to reason about the robustness for Bayesian networks with binary tree structures, and derive an efficient algorithm to provide the tight upper and lower bounds of reasoning robustness. Concretely, we introduce the set of perturbation and consider the maximum resultant probability:
In the above we have isolated the last variable in the expression. Without additional structure, the above optimisation over perturbation is hard as stated in Theorem 3. However, if additionally we require the Bayesian network to be binary trees, we show that the optimisation over perturbation and the checking of robustness of the model is trackable. We summarise the procedure for checking robustness of binary tree structured BNs in the following theorem with the proof.
Lemma J.1 (Binary BN Robustness). Given a Bayesian network with binary tree structure, and the set of parameters , the probability of a variable X = 1,
is -robust, where
Where and
are all pre-computable constants given the parameters of the Bayesian network.
Proof of Lemma J.1
Proof. We explicitly write out the probability subject to perturbation,
It follows that the robustness problem boils down to finding the maximum and minimum of F =
Specifically, in order to compute , we take partial derivatives of F:
Having shown the robustness of probability of one node in the Bayesian network, the robustness of the whole network can be computed recursively from the bottom to the top.