Robustness Certificates for Neural Networks against Adversarial Attacks
Sara Taheri, Mahalakshmi Sabanayagam, Debarghya Ghoshdastidar, Majid Zamani
TL;DR
This work tackles the lack of formal guarantees for robustness against data poisoning in safety-critical ML by modeling gradient-based training as a discrete-time dynamical system and reframing poisoning robustness as a safety verification problem using barrier certificates. To overcome intractability in high dimensions, it proposes a neural network barrier certificate (NNBC) learned from poisoned trajectories and validated with a scenario convex program (SCP) that yields PAC-style guarantees on a certified robust radius. The framework is model- and attack-agnostic, providing unified certificates for both train-time and test-time perturbations without requiring prior knowledge of the attack or contamination level, and it demonstrates non-trivial certifiable budgets on MNIST, SVHN, and CIFAR-10. The approach advances formal safety guarantees for learning under adversarial data, with practical implications for reliable deployment in real-world systems, and suggests directions for extending to broader threat models and efficiency improvements.
Abstract
The increasing use of machine learning in safety-critical domains amplifies the risk of adversarial threats, especially data poisoning attacks that corrupt training data to degrade performance or induce unsafe behavior. Most existing defenses lack formal guarantees or rely on restrictive assumptions about the model class, attack type, extent of poisoning, or point-wise certification, limiting their practical reliability. This paper introduces a principled formal robustness certification framework that models gradient-based training as a discrete-time dynamical system (dt-DS) and formulates poisoning robustness as a formal safety verification problem. By adapting the concept of barrier certificates (BCs) from control theory, we introduce sufficient conditions to certify a robust radius ensuring that the terminal model remains safe under worst-case ${\ell}_p$-norm based poisoning. To make this practical, we parameterize BCs as neural networks trained on finite sets of poisoned trajectories. We further derive probably approximately correct (PAC) bounds by solving a scenario convex program (SCP), which yields a confidence lower bound on the certified robustness radius generalizing beyond the training set. Importantly, our framework also extends to certification against test-time attacks, making it the first unified framework to provide formal guarantees in both training and test-time attack settings. Experiments on MNIST, SVHN, and CIFAR-10 show that our approach certifies non-trivial perturbation budgets while being model-agnostic and requiring no prior knowledge of the attack or contamination level.
