Tight Robustness Certification through the Convex Hull of $\ell_0$ Attacks

TL;DR

The paper tackles local robustness certification against few-pixel attacks, where the perturbation space is a non-convex $\ell_0$-ball. It shows that the convex hull of the $\ell_0$-ball around $\bar{x}$ is the intersection of the bounding box $\mathcal{D}$ with an asymmetrically scaled $\ell_1$-like polytope, and that this hull yields nearly identical volumes to the polytope in high dimensions. A linear bound propagation is derived to compute exact min/max of linear functions over the hull, yielding tighter bounds than those from box or $\ell_1$-ball relaxations, and this bound is extended to multi-channel inputs. The method is integrated into GPUPoly to boost CoVerD, the state-of-the-art complete $\ell_0$-robustness verifier, achieving speedups of $1.24$ to $7.07$ times (geometric mean $3.16$) on challenging benchmarks across MNIST, Fashion-MNIST, and CIFAR-10. This work enables scalable, tighter verification for $\ell_0$ perturbations, broadening the practical safety guarantees of neural classifiers under sparse adversarial modifications.

Abstract

Few-pixel attacks mislead a classifier by modifying a few pixels of an image. Their perturbation space is an $\ell_0$-ball, which is not convex, unlike $\ell_p$-balls for $p\geq1$. However, existing local robustness verifiers typically scale by relying on linear bound propagation, which captures convex perturbation spaces. We show that the convex hull of an $\ell_0$-ball is the intersection of its bounding box and an asymmetrically scaled $\ell_1$-like polytope. The volumes of the convex hull and this polytope are nearly equal as the input dimension increases. We then show a linear bound propagation that precisely computes bounds over the convex hull and is significantly tighter than bound propagations over the bounding box or our $\ell_1$-like polytope. This bound propagation scales the state-of-the-art $\ell_0$ verifier on its most challenging robustness benchmarks by 1.24x-7.07x, with a geometric mean of 3.16.

Figures (9)

• Figure 1: Illustration of the perturbation space, for $\mathcal{D}=\prod_{i=1}^k[a_i,b_i]=[-1,1]^3$ and $t=2$. Left: The $\ell_0$-ball of an input $\bar{x}$, $\mathcal{B}_0^t(\bar{x})$. Middle: Its convex hull. Right: The convex hull as the intersection of $\mathcal{D}$ and an $\ell_1$-like polytope (\ref{['thm:single_channel_conv_hull']}), $\widetilde{\mathcal{B}}_1^t(\bar{x})=\{y\in\mathbb{R}^k \mid \sum_{i=1}^k\delta_{\bar{x}}^i(y)\leq t\}$ (see \ref{['eq:delta']}). The plots show $\bar{x}$ as a black dot and the corners of the $\ell_0$-ball as blue dots.
• Figure 2: The relative excess volumes.
• Figure 3: The three approaches for bound propagation over $\mathcal{B}_0^{t}(\bar{x})$, where $\bar{x}=(-0.3,0,0.65)$, $\mathcal{D}=[-1,1]^3$, and $t=2$.
• Figure 4: The success rate of the three bound propagations over $\mathcal{B}_0^t(\bar{x})$ for different choices of $\mathcal{K}\subseteq [v]$, as a function of $k=|\mathcal{K}|$.
• Figure 5: CoVerD + top-$t$-GP compared to CoVerD on its most challenging benchmarks.

Theorems & Definitions (17)

• Theorem 1
• proof
• Theorem 2
• proof : Proof outline (proof is in the appendix)
• Theorem 3
• Lemma 1
• proof
• Lemma 2
• proof
• Theorem 3