Certified Adversarial Robustness with Additive Noise

Bai Li, Changyou Chen, Wenlin Wang, Lawrence Carin

TL;DR

This work tackles the challenge of providing scalable, provable robustness for neural networks against adversarial perturbations. It links adversarial robustness to robustness against additive Gaussian noise using Rényi divergence, and introduces a stability-training-based framework (STN) to strengthen the certified bounds. The method achieves competitive certified bounds and empirical robustness on MNIST, CIFAR-10, and ImageNet, with favorable comparisons to PixelDP, TRADES, and Wong et al., while maintaining high natural accuracy. The paper also discusses extensions to ℓ1 robustness via Laplacian noise and emphasizes preventing gradient masking through ensemble-gradient attacks, offering practical guidance for deploying certified defenses at scale.

Abstract

The existence of adversarial data examples has drawn significant attention in the deep-learning community; such data are seemingly minimally perturbed relative to the original data, but lead to very different outputs from a deep-learning algorithm. Although a significant body of work on developing defensive models has been considered, most such models are heuristic and are often vulnerable to adaptive attacks. Defensive methods that provide theoretical robustness guarantees have been studied intensively, yet most fail to obtain non-trivial robustness when a large-scale model and data are present. To address these limitations, we introduce a framework that is scalable and provides certified bounds on the norm of the input manipulation for constructing adversarial examples. We establish a connection between robustness against adversarial perturbation and additive random noise, and propose a training strategy that can significantly improve the certified bounds. Our evaluation on MNIST, CIFAR-10 and ImageNet suggests that the proposed method is scalable to complicated models and large data sets, while providing competitive robustness to state-of-the-art provable defense methods.

Paper Structure

This paper contains 30 sections, 4 theorems, 15 equations, 7 figures, 1 table, 1 algorithm.

Key Result

Lemma 2

Let $P=(p_1,\dots,p_k)$ and $Q=(q_1,\dots,q_k)$ be two multinomial distributions over the same index set $\{1,\dots,k\}$. If the indices of the largest probabilities do not match on $P$ and $Q$, that is $\text{argmax}_i\ p_i \neq \text{argmax}_j\ q_j$, then where $p_{(1)}$ and $p_{(2)}$ are the largest and the second largest probabilities among the set of all $p_i$.

Figures (7)

  • Figure 1: Accuracy lower bounds for MNIST (left) and CIFAR-10 (right). We test various choices of $\sigma$ in Algorithm 1. For reference, we include results for PixelDP (green) and the lower bound without stability training (orange).
  • Figure 2: Comparison of the certified bound from STN (orange) and PixelDP (blue) on ImageNet.
  • Figure 3: MNIST and CIFAR-10: Comparisons of the adversarial robustness of TRADES and STN with various attack sizes for both $\ell_2$ and $\ell_\infty$. The plots are ordered as: MNIST($\ell_2$), MNIST($\ell_\infty$), CIFAR-10($\ell_2$), and CIFAR-10($\ell_\infty$). Both white-box (solid lines) and black-box attacks (dashed lines) are considered.
  • Figure 4: Robust accuracy of STN with different choices of $\sigma$ for both $\ell_2$ and $\ell_\infty$ attacks. The plots are ordered as: MNIST($\ell_2$), MNIST($\ell_\infty$), CIFAR-10($\ell_2$), and CIFAR-10($\ell_\infty$).
  • Figure 5: The upper bounds under different $p_{(1)}$ and $p_{(2)}$. Our bound (red) is strictly higher than the one from PixelDP (blue).
  • ...and 2 more figures

Theorems & Definitions (5)

  • Definition 1: Rényi Divergence
  • Lemma 2
  • Theorem 3
  • Theorem 4
  • Lemma 5