Tight Robustness Certificates and Wasserstein Distributional Attacks for Deep Neural Networks
This work addresses adversarial robustness for deep learning models, offering tighter guarantees and more flexible attacks, though it is incremental in improving existing WDRO frameworks.
The authors tackled the problem of loose upper bounds and high computational cost in Wasserstein distributionally robust optimization (WDRO) for deep neural networks by introducing a primal approach with exact Lipschitz certificates and a novel Wasserstein distributional attack (WDA), achieving competitive robust accuracy and tighter certificates than existing methods.
Wasserstein distributionally robust optimization (WDRO) provides a framework for adversarial robustness, yet existing methods based on global Lipschitz continuity or strong duality often yield loose upper bounds or require prohibitive computation. In this work, we address these limitations by introducing a primal approach and adopting a notion of exact Lipschitz certificate to tighten the upper bound of WDRO. In addition, we propose a novel Wasserstein distributional attack (WDA) that directly constructs a candidate for the worst-case distribution. Compared to the existing point-wise attack and its variants, our WDA offers greater flexibility in the number and location of attack points. In particular, by leveraging the piecewise-affine structure of ReLU networks on their activation cells, our approach results in an exact, tractable characterization of the corresponding WDRO problem. Extensive evaluations demonstrate that our method achieves competitive robust accuracy against state-of-the-art baselines while offering tighter certificates than existing methods. Our code is available at https://github.com/OLab-Repo/WDA
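The abstract relies on the fact that a ReLU network is exactly affine on each activation cell, which is what makes a certificate "exact" inside the cell. The following added example (not code from the paper or from the OLab-Repo/WDA repository) illustrates that fact on a constructed toy network with hypothetical weights: it extracts the local affine map for the cell an input falls in, checks that the map reproduces the forward pass inside that cell, and derives a sound point-wise Lipschitz-margin certificate that is exact while the perturbation stays inside the cell. It shows only the generic local certificate; the paper's own exact Lipschitz certificate and its distributional attack are not reproduced here.

```python
import math

# Constructed toy network (hypothetical weights, not from the paper's code):
# f(x) = W2 * relu(W1 x + b1) + b2, with x in R^2, 3 hidden units, 2 logits.
W1 = [[1.0, 0.0], [0.0, 1.0], [1.0, -1.0]]
B1 = [0.0, 0.0, 0.5]
W2 = [[1.0, 0.0, 1.0], [0.0, 1.0, 0.0]]
B2 = [0.0, 0.0]


def matvec(m, v):
    return [sum(mi * vi for mi, vi in zip(row, v)) for row in m]


def l2(v):
    return math.sqrt(sum(vi * vi for vi in v))


def forward(x):
    """Return (logits, activation pattern, hidden pre-activations) for input x."""
    z = [zi + bi for zi, bi in zip(matvec(W1, x), B1)]
    pattern = [1 if zi > 0 else 0 for zi in z]          # which ReLUs are "on"
    h = [zi if si else 0.0 for zi, si in zip(z, pattern)]
    logits = [li + bi for li, bi in zip(matvec(W2, h), B2)]
    return logits, pattern, z


def local_affine_map(pattern):
    """On the activation cell with this pattern the network is exactly affine:
    f(y) = A y + c with A = W2 diag(pattern) W1 and c = W2 diag(pattern) b1 + b2."""
    masked_w1 = [row if s else [0.0] * len(row) for row, s in zip(W1, pattern)]
    masked_b1 = [b if s else 0.0 for b, s in zip(B1, pattern)]
    a = [[sum(W2[i][k] * masked_w1[k][j] for k in range(len(W1)))
          for j in range(len(W1[0]))] for i in range(len(W2))]
    c = [ci + bi for ci, bi in zip(matvec(W2, masked_b1), B2)]
    return a, c


def certified_radius(x):
    """Sound L2 certificate at x: the prediction cannot change within the ball of
    radius min(margin / ||d||, distance to the nearest cell boundary), where d is
    the difference of the two top rows of the local affine map A."""
    logits, pattern, z = forward(x)
    order = sorted(range(len(logits)), key=lambda i: logits[i], reverse=True)
    top, runner_up = order[0], order[1]
    margin = logits[top] - logits[runner_up]
    a, _ = local_affine_map(pattern)
    d = [ai - bi for ai, bi in zip(a[top], a[runner_up])]
    # Inside the cell the margin is affine in y, so this bound is exact there.
    margin_radius = margin / l2(d) if l2(d) > 0 else math.inf
    # Distance from x to each hidden unit's switching hyperplane w_i . y + b_i = 0;
    # below the minimum, every y keeps the same activation pattern as x.
    cell_radius = min(abs(zi) / l2(row) for zi, row in zip(z, W1) if l2(row) > 0)
    return {
        "predicted": top,
        "margin": margin,
        "margin_radius": margin_radius,
        "cell_radius": cell_radius,
        "radius": min(margin_radius, cell_radius),
    }


if __name__ == "__main__":
    x = [1.0, 0.5]                                         # constructed sample input
    print("logits/pattern:", forward(x)[:2])
    print("local affine map:", local_affine_map(forward(x)[1]))
    print("certificate:", certified_radius(x))
```

For the constructed input `[1.0, 0.5]` the margin-based radius is about 0.53 but the nearest ReLU switches at distance 0.5, so the certificate is capped at 0.5: beyond that point the affine map changes and the local bound no longer applies, which is exactly the cell-by-cell structure the abstract exploits.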