A Provable Defense for Deep Residual Networks
This paper addresses the critical issue of robustness in deep learning for security-sensitive applications and represents a notable advance in scalable verification.
The paper tackles the problem of provably defending large neural networks like ResNet-34 and DenseNet-100 against adversarial attacks, achieving significant scalability improvements over prior methods.
We present a training system that can provably defend significantly larger neural networks than previously possible, including ResNet-34 and DenseNet-100. Our approach is based on differentiable abstract interpretation and introduces two novel concepts: (i) abstract layers for fine-tuning the precision and scalability of the abstraction, and (ii) a flexible domain-specific language (DSL) for describing training objectives that combine abstract and concrete losses with arbitrary specifications. Our training method is implemented in the DiffAI system.
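The abstract names two ingredients, differentiable abstract interpretation and a training objective that mixes concrete and abstract losses, without showing either. The following Python is an added illustration and is not the paper's DiffAI code: it propagates an interval (Box) abstraction of an L-infinity ball through a constructed two-layer ReLU network, derives worst-case logits from the resulting bounds, checks the bounds against random concrete samples, and forms a loss of the shape (1 - lam) * concrete + lam * abstract. The network weights, the input, and the specific loss form are assumptions made here for the example; every transformer used (affine, ReLU, max, abs) is built from differentiable operations, which is what makes the abstract loss trainable.

```python
"""
Added example (not the paper's DiffAI code): interval ("Box") abstract
interpretation through a tiny fully-connected ReLU network, a soundness
check against concrete samples, and a combined concrete + abstract loss
of the kind the abstract describes. Weights and inputs are constructed.
"""
import math
import random

# Constructed toy network: 2 inputs -> 3 hidden (ReLU) -> 2 logits.
W1 = [[1.0, -1.0], [0.5, 2.0], [-1.5, 0.5]]
B1 = [0.1, -0.2, 0.0]
W2 = [[1.0, -1.0, 0.5], [-0.5, 1.0, 1.0]]
B2 = [0.0, 0.1]


def affine(W, b, x):
    """Concrete affine layer: W x + b."""
    return [sum(w * xi for w, xi in zip(row, x)) + bi for row, bi in zip(W, b)]


def relu(x):
    return [max(v, 0.0) for v in x]


def forward(x):
    """Concrete forward pass; returns the logit vector."""
    return affine(W2, B2, relu(affine(W1, B1, x)))


def affine_box(W, b, lo, hi):
    """Box transformer for an affine layer in centre/radius form:
    centre = W c + b, radius = |W| r.  Sound and differentiable in W, b."""
    c = [(l + h) / 2 for l, h in zip(lo, hi)]
    r = [(h - l) / 2 for l, h in zip(lo, hi)]
    c2 = affine(W, b, c)
    r2 = [sum(abs(w) * ri for w, ri in zip(row, r)) for row in W]
    return ([ci - ri for ci, ri in zip(c2, r2)],
            [ci + ri for ci, ri in zip(c2, r2)])


def relu_box(lo, hi):
    """Box transformer for ReLU: monotone, so apply it to both ends."""
    return relu(lo), relu(hi)


def forward_box(x, eps):
    """Propagate the L-inf ball of radius eps around x through the net;
    returns (lower, upper) bounds on every logit."""
    lo = [v - eps for v in x]
    hi = [v + eps for v in x]
    lo, hi = affine_box(W1, B1, lo, hi)
    lo, hi = relu_box(lo, hi)
    return affine_box(W2, B2, lo, hi)


def worst_case_logits(lo, hi, label):
    """Adversary-favouring logits: the true class gets its lower bound,
    every other class its upper bound."""
    return [lo[i] if i == label else hi[i] for i in range(len(lo))]


def is_certified(x, eps, label):
    """True iff no point in the eps-ball can move the argmax off label."""
    lo, hi = forward_box(x, eps)
    return all(lo[label] > hi[j] for j in range(len(lo)) if j != label)


def cross_entropy(logits, label):
    m = max(logits)
    log_sum = m + math.log(sum(math.exp(v - m) for v in logits))
    return log_sum - logits[label]


def combined_loss(x, eps, label, lam):
    """Assumed objective shape: (1 - lam) * concrete + lam * abstract,
    where the abstract term is cross-entropy on the worst-case logits."""
    concrete = cross_entropy(forward(x), label)
    lo, hi = forward_box(x, eps)
    abstract = cross_entropy(worst_case_logits(lo, hi, label), label)
    return (1 - lam) * concrete + lam * abstract


def soundness_check(x, eps, samples=2000, seed=0):
    """Random points in the ball must produce logits inside the box."""
    rng = random.Random(seed)
    lo, hi = forward_box(x, eps)
    for _ in range(samples):
        xp = [v + rng.uniform(-eps, eps) for v in x]
        out = forward(xp)
        if any(o < l - 1e-9 or o > h + 1e-9 for o, l, h in zip(out, lo, hi)):
            return False
    return True


if __name__ == "__main__":
    x, label = [1.0, 0.5], 1          # constructed input; concrete argmax is 1
    for eps in (0.1, 0.5):
        print(eps, forward_box(x, eps), is_certified(x, eps, label),
              combined_loss(x, eps, label, 0.5))
    print("sound:", soundness_check(x, 0.5))
```

With the constructed weights the point is certified at eps = 0.1 but not at eps = 0.5, which is the usual trade-off: the Box domain is cheap and sound, but its bounds widen with every layer, and the abstract loss term is what pushes training toward weights for which those bounds stay tight enough to certify. The DSL in the paper generalises the single scalar lam here to arbitrary combinations of such terms and specifications.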