Provable Adversarial Robustness for Group Equivariant Tasks: Graphs, Point Clouds, Molecules, and More

Jan Schuchardt, Yan Scholten, Stephan Günnemann

TL;DR

This work defines a principled notion of adversarial robustness for group-equivariant tasks by introducing the action-induced input distance $\hat{d}_\mathrm{in}$ and an output distance that accounts for task symmetries. It shows that robustness can be achieved when the model's equivariances match the task's equivariances, enabling a reduction to traditional robustness guarantees, and it introduces equivariance-preserving randomized smoothing to provide architecture-agnostic certification. The authors extend graph-edit-distance certificates to nonuniform costs and demonstrate their approach experimentally on graphs, point clouds, and molecular forces, with smoothing-based guarantees showing competitive certifiable robustness. Overall, the framework connects robust and geometric ML, enabling rigorous guarantees for symmetry-aware tasks and guiding future work in equivariance-conscious attacks, defenses, and certifications.

Abstract

A machine learning model is traditionally considered robust if its prediction remains (almost) constant under input perturbations with small norm. However, real-world tasks like molecular property prediction or point cloud segmentation have inherent equivariances, such as rotation or permutation equivariance. In such tasks, even perturbations with large norm do not necessarily change an input's semantic content. Furthermore, there are perturbations for which a model's prediction explicitly needs to change. For the first time, we propose a sound notion of adversarial robustness that accounts for task equivariance. We then demonstrate that provable robustness can be achieved by (1) choosing a model that matches the task's equivariances and (2) certifying traditional adversarial robustness. Certification methods are, however, unavailable for many models, such as those with continuous equivariances. We close this gap by developing the framework of equivariance-preserving randomized smoothing, which enables architecture-agnostic certification. We additionally derive the first architecture-specific graph edit distance certificates, i.e., sound robustness guarantees for isomorphism equivariant tasks like node classification. Overall, a sound notion of robustness is an important prerequisite for future work at the intersection of robust and geometric machine learning.
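
The abstract's point that a large-norm perturbation need not change an input's semantics (Figure 1) can be made concrete for graphs under the permutation group. The following is an added illustration, not code from the paper: it assumes the action-induced distance is the minimum of the original distance over all group actions applied to one input (here, the minimum $\ell_0$ edge-edit distance over all node relabelings), and uses constructed sample graphs.

```python
import itertools
import numpy as np


def adjacency(n: int, edges) -> np.ndarray:
    """Build a symmetric 0/1 adjacency matrix for an undirected graph on n nodes."""
    a = np.zeros((n, n), dtype=int)
    for i, j in edges:
        a[i, j] = a[j, i] = 1
    return a


def l0_edge_distance(a: np.ndarray, b: np.ndarray) -> int:
    """Traditional distance: number of edge insertions plus deletions turning a into b."""
    return int(np.sum(np.triu(a != b, k=1)))


def permute(a: np.ndarray, perm) -> np.ndarray:
    """Group action of S_n on a graph: relabel nodes according to perm."""
    p = np.asarray(perm)
    return a[np.ix_(p, p)]


def action_induced_distance(a: np.ndarray, b: np.ndarray) -> int:
    """Assumed definition: min over all permutations g of l0(g . a, b).

    Brute force over S_n, so only intended for small graphs. A value of 0 means
    the graphs are isomorphic, i.e. the perturbation did not change the input's
    semantic content, regardless of how large the plain l0 distance is.
    """
    n = a.shape[0]
    return min(
        l0_edge_distance(permute(a, perm), b)
        for perm in itertools.permutations(range(n))
    )


# Constructed samples: G_B is G_A with two edges deleted and two inserted
# (a large l0 distance), yet it is just a relabeled 4-cycle. G_C drops one edge
# of G_A and is genuinely a different graph.
G_A = adjacency(4, [(0, 1), (1, 2), (2, 3), (3, 0)])
G_B = adjacency(4, [(0, 2), (2, 1), (1, 3), (3, 0)])
G_C = adjacency(4, [(0, 1), (1, 2), (2, 3)])

if __name__ == "__main__":
    print("l0(A,B) =", l0_edge_distance(G_A, G_B), " induced(A,B) =", action_induced_distance(G_A, G_B))
    print("l0(A,C) =", l0_edge_distance(G_A, G_C), " induced(A,C) =", action_induced_distance(G_A, G_C))
```

A certificate for a permutation-equivariant model that holds within traditional $\ell_0$ radius $r$ therefore also holds for every graph whose action-induced distance is at most $r$, which is the reduction the abstract refers to.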

Paper Structure (68 sections, 13 theorems, 75 equations, 31 figures, 2 tables, 5 algorithms)

This paper contains 68 sections, 13 theorems, 75 equations, 31 figures, 2 tables, 5 algorithms.

Key Result

proposition 1

A function ${\hat{d}_\mathrm{in} : {\mathbb{X}} \times {\mathbb{X}} \rightarrow {\mathbb{R}}_+}$ that fulfills all three desiderata for any original distance function ${d_\mathrm{in} : {\mathbb{X}} \times {\mathbb{X}} \rightarrow {\mathbb{R}}_+}$ exists and is uniquely defined: ${\hat{d}_\mathrm{in}

Figures (31)

  • Figure 1: The right graph is constructed by inserting and deleting four edges. While their $\ell_0$ distance is large, the graphs are isomorphic and should thus have the same set of node labels.
  • Figure 2: The predicted trajectory (blue) should rotate as the image rotates (green), even in the presence of camera noise and other perturbations. It should not remain constant (red).
  • Figure 3: Provable robustness of smoothed ($\sigma=0.2$) PointNet and DGCNN point cloud classifiers on ModelNet40. Correspondence distance $\epsilon$ is the Frobenius distance between point clouds after finding an optimal matching via permutation.
  • Figure 4: Provable robustness of smoothed ($\sigma = 1\,\mathrm{fm}$) DimeNet++ force predictions on MD17. The average provable bounds $\delta$ on prediction changes are $2$ to $13$ times smaller than the average test errors ($0.19$ to $0.74\,\mathrm{kcal/mol/\text{Å}}$).
  • Figure 5: Randomized smoothing guarantees for GCNs on Cora-ML. Increasing the cost of adversarial edge insertions increases the provable robustness for the same perturbation budgets $\epsilon$.
  • ...and 26 more figures

Theorems & Definitions (30)

  • proposition 1
  • definition 1
  • proposition 2
  • proof
  • proposition 3
  • proof
  • proof
  • proposition 4
  • proof
  • proposition 5
  • ...and 20 more