Formal Guarantees on the Robustness of a Classifier against Adversarial Manipulation

TL;DR

The paper tackles the vulnerability of classifiers to adversarial perturbations by introducing instance-specific formal robustness guarantees. It derives a lower bound on the perturbation norm that preserves the predicted class, using a local cross-Lipschitz constant, and presents the Cross-Lipschitz regularization to tighten these guarantees. The authors provide concrete bounds for kernel methods (Gaussian kernels) and one-hidden-layer neural networks, along with efficient box-constrained adversarial sample generation. Empirically, Cross-Lipschitz regularization improves robustness bounds and often maintains or enhances accuracy across MNIST, CIFAR-10, and German Traffic Sign benchmarks, with local constants offering substantially tighter guarantees than global ones. This work lays groundwork for reliable deployment of ML systems in safety-critical contexts by strengthening formal robustness guarantees and practical adversarial analysis.

Abstract

Recent work has shown that state-of-the-art classifiers are quite brittle, in the sense that a small adversarial change of an originally with high confidence correctly classified input leads to a wrong classification again with high confidence. This raises concerns that such classifiers are vulnerable to attacks and calls into question their usage in safety-critical systems. We show in this paper for the first time formal guarantees on the robustness of a classifier by giving instance-specific lower bounds on the norm of the input manipulation required to change the classifier decision. Based on this analysis we propose the Cross-Lipschitz regularization functional. We show that using this form of regularization in kernel methods resp. neural networks improves the robustness of the classifier without any loss in prediction performance.

Figures (14)

• Figure 1: Kernel Methods: Cross-Lipschitz regularization achieves both better test error and robustness against adversarial samples (upper bounds, larger is better) compared to the standard regularization. The robustness guarantee is weaker than for neural networks but this is most likely due to the relatively loose bound.
• Figure 2: Neural Networks, Left: Adversarial resistance wrt to $L_2$-norm on MNIST. Right: Average robustness guarantee wrt to $L_2$-norm on MNIST for different neural networks (one hidden layer, 1024 HU) and hyperparameters. The Cross-Lipschitz regularization leads to better robustness with similar or better prediction performance. Top row: plain MNIST, Middle: Data Augmentation, Bottom: Adv. Training
• Figure 3: Left: Adversarial resistance wrt to $L_2$-norm on test set of CIFAR10. Right: Average robustness guarantee on the test set wrt to $L_2$-norm for the test set of CIFAR10 for different neural networks (one hidden layer, 1024 HU) and hyperparameters. While Cross-Lipschitz regularization yields good test errors, the guarantees are not necessarily stronger. Top row: CIFAR10 (plain), Middle: CIFAR10 trained with data augmentation, Bottom: Adversarial Training.
• Figure 4: Top left: original test image, for each classifier we generate the corresponding adversarial sample which changes the classifier decision (denoted as Pred). Note that for Cross-Lipschitz regularization this new decision makes (often) sense, whereas for the neural network models (weight decay/dropout) the change is so small that the new decision is clearly wrong.
• Figure 5: Top left: original test image, for each classifier we generate the corresponding adversarial sample which changes the classifier decision (denoted as Pred). Note that for the kernel methods this new decision makes sense, whereas for all neural network models the change is so small that the new decision is clearly wrong.

Theorems & Definitions (15)

• Theorem 2.1
• proof
• Lemma 2.1
• proof
• Proposition 2.1
• proof
• Proposition 2.2
• proof
• Proposition 4.1
• Lemma 4.1