Provable Certificates for Adversarial Examples: Fitting a Ball in the Union of Polytopes
This addresses the challenge of certifying neural network robustness for security-critical applications, representing a novel method for a known bottleneck.
The authors tackled the problem of computing exact pointwise robustness for deep neural networks against adversarial examples, proposing GeoCert, an algorithm that efficiently finds the largest norm ball around an input where the network's output class remains unchanged, and empirically demonstrated tighter distance lower bounds compared to prior work.
We propose a novel method for computing exact pointwise robustness of deep neural networks for all convex $\ell_p$ norms. Our algorithm, GeoCert, finds the largest $\ell_p$ ball centered at an input point $x_0$, within which the output class of a given neural network with ReLU nonlinearities remains unchanged. We relate the problem of computing pointwise robustness of these networks to that of computing the maximum norm ball with a fixed center that can be contained in a non-convex polytope. This is a challenging problem in general, however we show that there exists an efficient algorithm to compute this for polyhedral complices. Further we show that piecewise linear neural networks partition the input space into a polyhedral complex. Our algorithm has the ability to almost immediately output a nontrivial lower bound to the pointwise robustness which is iteratively improved until it ultimately becomes tight. We empirically show that our approach generates distance lower bounds that are tighter compared to prior work, under moderate time constraints.