Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Enhancing Certifiable Semantic Robustness via Robust Pruning of Deep Neural Networks

Hanjiang Hu, Bowei Li, Ziwei Wang, Tianhao Wei, Casidhe Hutchison, Eric Sample, Changliu Liu

TL;DR

The paper tackles certifiable robustness under semantic perturbations (e.g., brightness and contrast) in vision systems, highlighting that over-parameterization impedes tight guarantees. It introduces Unbiased and Smooth Neuron (USN) metrics to quantify per-neuron contributions to robustness bounds and couples USN-guided pruning with a Wasserstein-distance regularization in a progressive training-pruning pipeline. The approach is validated on keypoint detection across CNN7 and ResNet18 under realistic perturbations, showing improved certification accuracy and reduced verification time compared to unpruned or randomly pruned baselines, while preserving task performance. This work provides a principled, scalable framework for robustness-aware model compression, enabling feasible formal guarantees for safety-critical perception systems.

Abstract

Deep neural networks have been widely adopted in many vision and robotics applications with visual inputs. It is essential to verify its robustness against semantic transformation perturbations, such as brightness and contrast. However, current certified training and robustness certification methods face the challenge of over-parameterization, which hinders the tightness and scalability due to the over-complicated neural networks. To this end, we first analyze stability and variance of layers and neurons against input perturbation, showing that certifiable robustness can be indicated by a fundamental Unbiased and Smooth Neuron metric (USN). Based on USN, we introduce a novel neural network pruning method that removes neurons with low USN and retains those with high USN, thereby preserving model expressiveness without over-parameterization. To further enhance this pruning process, we propose a new Wasserstein distance loss to ensure that pruned neurons are more concentrated across layers. We validate our approach through extensive experiments on the challenging robust keypoint detection task, which involves realistic brightness and contrast perturbations, demonstrating that our method achieves superior robustness certification performance and efficiency compared to baselines.

Enhancing Certifiable Semantic Robustness via Robust Pruning of Deep Neural Networks

TL;DR

The paper tackles certifiable robustness under semantic perturbations (e.g., brightness and contrast) in vision systems, highlighting that over-parameterization impedes tight guarantees. It introduces Unbiased and Smooth Neuron (USN) metrics to quantify per-neuron contributions to robustness bounds and couples USN-guided pruning with a Wasserstein-distance regularization in a progressive training-pruning pipeline. The approach is validated on keypoint detection across CNN7 and ResNet18 under realistic perturbations, showing improved certification accuracy and reduced verification time compared to unpruned or randomly pruned baselines, while preserving task performance. This work provides a principled, scalable framework for robustness-aware model compression, enabling feasible formal guarantees for safety-critical perception systems.

Abstract

Deep neural networks have been widely adopted in many vision and robotics applications with visual inputs. It is essential to verify its robustness against semantic transformation perturbations, such as brightness and contrast. However, current certified training and robustness certification methods face the challenge of over-parameterization, which hinders the tightness and scalability due to the over-complicated neural networks. To this end, we first analyze stability and variance of layers and neurons against input perturbation, showing that certifiable robustness can be indicated by a fundamental Unbiased and Smooth Neuron metric (USN). Based on USN, we introduce a novel neural network pruning method that removes neurons with low USN and retains those with high USN, thereby preserving model expressiveness without over-parameterization. To further enhance this pruning process, we propose a new Wasserstein distance loss to ensure that pruned neurons are more concentrated across layers. We validate our approach through extensive experiments on the challenging robust keypoint detection task, which involves realistic brightness and contrast perturbations, demonstrating that our method achieves superior robustness certification performance and efficiency compared to baselines.

Paper Structure

This paper contains 21 sections, 4 theorems, 19 equations, 4 figures, 3 tables, 1 algorithm.

Table of Contents

  1. INTRODUCTION
  2. PROBLEM FORMULATION
  3. Neural Networks with Neuron Characterization
  4. Semantic Perturbation and Certifiable Robustness
  5. METHODOLOGY
  6. Neuron Stability and Variance Analysis
  7. Unbiased and Smooth Neuron (USN) Metrics
  8. Wasserstein Distance for USN Regularization
  9. Integrated Training and Pruning Pipeline
  10. EXPERIMENTS
  11. Experimental Setup
  12. Training and Pruning Details
  13. Certification Metrics and Baselines
  14. Results Comparison
  15. CNN7
  16. ...and 6 more sections

Key Result

Lemma III.1

For a neural network $f^L$ as defined in def:nn and original input $x_0$, the output deviation of perturbed input $x\in B_p^h(x_0,\epsilon)$ under norm $\|\cdot\|_q, q \geq2,$ can be bounded in terms of any intermediate layer $i=1,\dots,L-1$ as, where the constant $C_i = \|W^i\|_2\prod_{k=i+1}^{L} \|W^k\|_2 \cdot L_{\sigma^{k-1}}$$L_{\sigma^k}$ and the $\ell_2$ Lipschitz constant of activation fu

Figures (4)

  • Figure 1: The overview of model training with the progressive robust pruning pipeline.
  • Figure 2: Samples of keypoint detection under changing semantic perturbation of images.
  • Figure 3: Visualization of USN metrics (color-coded) w.r.t. flattened channels of neurons (each column represents one channel and the horizontal axes show different channels) after vanilla training without USN, robust training with USN but without pruning, and robust training and pruning with USN (ours). We can see that our robust pruning can significantly reduce the neurons with high unbiased and smooth metrics compared to robust training with USN without pruning.
  • Figure 4: Comparison of the number of correctly predicted keypoints and verification time under different pruning strategies for ResNet18 under Wasserstein regularization $\lambda_W=10$.

Theorems & Definitions (19)

  • Definition II.1: Deep Neural Networks for Regression
  • Definition II.2: Pre-activation Neuron and Layer Output
  • Definition II.3: Semantic Perturbation Set
  • Remark II.1
  • Definition II.4: Robustness Certification
  • Remark II.2
  • Lemma III.1: Layer-to-Output Lipschitz Bound
  • proof
  • Definition III.1: Neuron Output Distribution
  • Theorem III.1: Probabilistic Robustness Certification
  • ...and 9 more