LG | CR | ML | Jun 29, 2022

IBP Regularization for Verified Adversarial Robustness via Branch-and-Bound

arXiv:2206.14772v2 | 23 citations | h-index: 36
Originality: Incremental advance
AI Analysis

This work addresses the challenge of making adversarially trained networks more verifiable for practical applications, offering an incremental improvement over existing methods.

The paper tackles the problem of improving verified adversarial robustness in neural networks by introducing IBP-R, a simple and effective training algorithm that couples adversarial attacks with interval bound propagation regularization. It achieves state-of-the-art verified robustness-accuracy trade-offs on CIFAR-10 with small perturbations, with faster training times.

Recent works have tried to increase the verifiability of adversarially trained networks by running the attacks over domains larger than the original perturbations and adding various regularization terms to the objective. However, these algorithms either underperform or require complex and expensive stage-wise training procedures, hindering their practical applicability. We present IBP-R, a novel verified training algorithm that is both simple and effective. IBP-R induces network verifiability by coupling adversarial attacks on enlarged domains with a regularization term, based on inexpensive interval bound propagation, that minimizes the gap between the non-convex verification problem and its approximations. By leveraging recent branch-and-bound frameworks, we show that IBP-R obtains state-of-the-art verified robustness-accuracy trade-offs for small perturbations on CIFAR-10 while training significantly faster than relevant previous work. Additionally, we present UPB, a novel branching strategy that, relying on a simple heuristic based on $β$-CROWN, reduces the cost of state-of-the-art branching algorithms while yielding splits of comparable quality.

Code Implementations: 1 repo