QUICK REVIEW

[Paper Review] Automatic Perturbation Analysis for Scalable Certified Robustness and Beyond

Kaidi Xu, Zhouxing Shi | arXiv (Cornell University) | Feb 28, 2020
Adversarial Robustness in Machine Learning | 53 references | 92 citations
TL;DR

This paper presents an automatic LiRPA framework that generalizes perturbation analysis to arbitrary neural network graphs, enabling scalable, differentiable, and loss-fusion–enabled certified robustness on large architectures and datasets.

ABSTRACT

Linear relaxation based perturbation analysis (LiRPA) for neural networks, which computes provable linear bounds of output neurons given a certain amount of input perturbation, has become a core component in robustness verification and certified defense. The majority of LiRPA-based methods focus on simple feed-forward networks and need particular manual derivations and implementations when extended to other architectures. In this paper, we develop an automatic framework to enable perturbation analysis on any neural network structures, by generalizing existing LiRPA algorithms such as CROWN to operate on general computational graphs. The flexibility, differentiability and ease of use of our framework allow us to obtain state-of-the-art results on LiRPA based certified defense on fairly complicated networks like DenseNet, ResNeXt and Transformer that are not supported by prior works. Our framework also enables loss fusion, a technique that significantly reduces the computational complexity of LiRPA for certified defense. For the first time, we demonstrate LiRPA based certified defense on Tiny ImageNet and Downscaled ImageNet where previous approaches cannot scale to due to the relatively large number of classes. Our work also yields an open-source library for the community to apply LiRPA to areas beyond certified defense without much LiRPA expertise, e.g., we create a neural network with a provably flat optimization landscape by applying LiRPA to network parameters. Our open-source library is available at https://github.com/KaidiXu/auto_LiRPA.

Motivation & Objective

  • Develop an automatic perturbation analysis framework (LiRPA) that works on general computational graphs beyond feed-forward networks.
  • Enable differentiable, scalable bounds suitable for certified robustness training on complex architectures.
  • Introduce loss fusion to reduce LiRPA computational cost, enabling training on large datasets and many classes.
  • Demonstrate applicability beyond robustness, including perturbations beyond Lp balls and parameter-space analysis.
  • Provide an open-source library for applying LiRPA without architecture-specific derivations.

Proposed method

  • Generalize LiRPA to general computational graphs via forward and backward bound propagation on DAGs.
  • Define forward LiRPA oracle G_i to compute bounds for dependent nodes from input bounds.
  • Define backward LiRPA oracle F_i to propagate output bounds to predecessors and derive A_i matrices.
  • Concretize linear bounds for arbitrary perturbations, including Lp-ball and synonym-based word substitutions using dynamic programming.
  • Introduce loss fusion to compute tight bounds directly on the loss/logit output, reducing dependence on number of classes.
  • Provide an open-source library auto_LiRPA for applying LiRPA to diverse models and perturbation settings.
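
To make the backward propagation and L∞ concretization steps concrete, here is an added example (not code from the paper or from auto_LiRPA) that bounds a constructed one-hidden-layer ReLU network in plain Python. The weights, input and ε are assumptions chosen so that all three hidden neurons are unstable, and the lower ReLU slope follows the usual CROWN heuristic.

```python
def dot(a, b):
    return sum(p * q for p, q in zip(a, b))

def concretize(a, bias, x0, eps, sign):
    # Extremum of a.x + bias over ||x - x0||_inf <= eps (dual norm is L1);
    # sign=-1 gives the minimum, sign=+1 the maximum.
    return dot(a, x0) + bias + sign * eps * sum(abs(v) for v in a)

def relu_relaxation(l, u):
    # (lo, up, up_c) with lo*z <= relu(z) <= up*z + up_c for every z in [l, u].
    if l >= 0:
        return 1.0, 1.0, 0.0          # always active: relu is the identity
    if u <= 0:
        return 0.0, 0.0, 0.0          # always inactive: relu is zero
    s = u / (u - l)                   # chord through (l, 0) and (u, u)
    return (1.0 if u >= -l else 0.0), s, -s * l

def lower_bound(W1, b1, w2, b2, x0, eps):
    # Backward pass: replace each relu by a line, fold into one linear form in x.
    A = [0.0] * len(x0)
    bias = b2
    for row, bj, wj in zip(W1, b1, w2):
        l = concretize(row, bj, x0, eps, -1)   # exact pre-activation bounds
        u = concretize(row, bj, x0, eps, +1)
        lo, up, up_c = relu_relaxation(l, u)
        # A positive weight needs relu's lower line, a negative one its upper line.
        slope, icpt = (lo, 0.0) if wj >= 0 else (up, up_c)
        coef = wj * slope
        A = [a + coef * r for a, r in zip(A, row)]
        bias += coef * bj + wj * icpt
    return concretize(A, bias, x0, eps, -1)

def bounds(W1, b1, w2, b2, x0, eps):
    lb = lower_bound(W1, b1, w2, b2, x0, eps)
    ub = -lower_bound(W1, b1, [-w for w in w2], -b2, x0, eps)  # max f = -min(-f)
    return lb, ub

def forward(W1, b1, w2, b2, x):
    return dot(w2, [max(0.0, dot(r, x) + b) for r, b in zip(W1, b1)]) + b2

# Constructed toy network and input (assumptions, not from the paper).
W1 = [[1.0, -1.0], [0.5, 2.0], [-1.5, 0.3]]
B1 = [0.1, -0.2, 0.0]
W2, B2 = [1.0, -2.0, 0.7], 0.05
X0, EPS = [0.2, -0.1], 0.3

if __name__ == "__main__":
    print(bounds(W1, B1, W2, B2, X0, EPS))
```

The returned interval is a certificate: no input within ε of `X0` in L∞ distance can push the output outside it, which is the property robustness verification checks against a decision margin.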

Experimental results

Research questions

  • RQ1: Can LiRPA bounds be automatically derived for any neural network architecture without manual derivations?
  • RQ2: How can forward and backward LiRPA propagations be combined to yield provable bounds on a single output node for general graphs?
  • RQ3: Does loss fusion reduce the computational burden of LiRPA sufficiently to scale to large datasets with many classes?
  • RQ4: Can LiRPA-based certified defense be effectively trained on complex architectures (DenseNet, ResNeXt, Transformers) and large datasets (Tiny ImageNet, Downscaled ImageNet)?
  • RQ5: Can perturbation analysis extend beyond traditional Lp-ball inputs to other perturbation types (e.g., synonym substitutions) and even parameter-space analysis?

Key findings

  • The framework achieves state-of-the-art verified defense results on CIFAR-10 with ε=8/255, reporting 66.62% verified error.
  • It enables LiRPA-based certified defense training on DenseNet, ResNeXt and Transformer architectures, which prior work did not support because each architecture required manual derivations.
  • Loss fusion makes LiRPA training only 3-4 times slower than natural training on CIFAR-10 and Tiny ImageNet, enabling scaling to large label counts (200/1000).
  • First LiRPA-based certified defense on Tiny ImageNet and Downscaled ImageNet, demonstrating scalability to datasets with hundreds to thousands of classes.
  • Demonstrates broader utility of LiRPA by enabling perturbation analysis on model parameters and providing a framework for non-Lp perturbations (e.g., synonym-based NLP perturbations).

This review was created by AI and reviewed by human editors.