Training verified learners with learned verifiers
This addresses the challenge of ensuring reliable and secure neural networks in adversarial settings, representing a significant advance in verifiable machine learning.
The paper tackles the problem of training neural networks that are verifiably robust to adversarial examples by proposing a predictor-verifier framework, achieving state-of-the-art verified robustness on datasets like MNIST and SVHN with shorter training times and scaling to produce the first verifiably robust networks for CIFAR-10.
This paper proposes a new algorithmic framework, predictor-verifier training, to train neural networks that are verifiable, i.e., networks that provably satisfy some desired input-output properties. The key idea is to simultaneously train two networks: a predictor network that performs the task at hand,e.g., predicting labels given inputs, and a verifier network that computes a bound on how well the predictor satisfies the properties being verified. Both networks can be trained simultaneously to optimize a weighted combination of the standard data-fitting loss and a term that bounds the maximum violation of the property. Experiments show that not only is the predictor-verifier architecture able to train networks to achieve state of the art verified robustness to adversarial examples with much shorter training times (outperforming previous algorithms on small datasets like MNIST and SVHN), but it can also be scaled to produce the first known (to the best of our knowledge) verifiably robust networks for CIFAR-10.