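[Paper Explained] Evaluating Robustness of Neural Networks with Mixed Integer Programming
This paper formulates robustness verification of piecewise-linear neural networks as a MILP problem, achieving large speedups and enabling exact verification of networks with more than 10^5 ReLUs, as well as of adversarial robustness on MNIST at epsilon=0.1.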
Neural networks have demonstrated considerable success on a wide variety of real-world problems. However, networks trained only to optimize for training accuracy can often be fooled by adversarial examples - slightly perturbed inputs that are misclassified with high confidence. Verification of networks enables us to gauge their vulnerability to such adversarial examples. We formulate verification of piecewise-linear neural networks as a mixed integer program. On a representative task of finding minimum adversarial distortions, our verifier is two to three orders of magnitude quicker than the state-of-the-art. We achieve this computational speedup via tight formulations for non-linearities, as well as a novel presolve algorithm that makes full use of all information available. The computational speedup allows us to verify properties on convolutional networks with an order of magnitude more ReLUs than networks previously verified by any complete verifier. In particular, we determine for the first time the exact adversarial accuracy of an MNIST classifier to perturbations with bounded $l_\infty$ norm $ε=0.1$: for this classifier, we find an adversarial example for 4.38% of samples, and a certificate of robustness (to perturbations with bounded norm) for the remainder. Across all robust training procedures and network architectures considered, we are able to certify more samples than the state-of-the-art and find more adversarial examples than a strong first-order attack.
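Research Motivation and Goals
- Motivation: provide a principled robustness evaluation that goes beyond heuristic attacks.
- Formulate neural network robustness verification as a complete MILP problem for piecewise-linear networks.
- Develop tighter formulations for ReLU and the maximum function, plus a presolve with progressive bounds tightening, to scale to large networks.
- Demonstrate the ability to certify robustness and find adversarial examples on MNIST and CIFAR-10.
- Release MIPVerify as an open-source tool to foster further research in robustness verification.
Proposed Method
- Model robustness as a feasibility problem over the adversarial polytope within the input domain.
- Express piecewise-linear network components (ReLU, max, linear layers) as MILP constraints, using tight formulations.
- Introduce progressive bounds tightening (ia and lp) to tighten variable bounds before solving.
- Exploit the restricted input domain G(x) and asymmetric bounds to reduce non-linearity.
- Compare against the SMT-based verifier (Reluplex) and other verifiers, demonstrating significant speedups.
- Code is available at https://github.com/vtjeng/MIPVerify.jl.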
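An added example (not code from the paper or from MIPVerify.jl) of two ideas in the list above: interval-arithmetic ("ia") bounds over the restricted input domain G(x), and the bound-dependent mixed-integer encoding of a single ReLU. The weights, input and ε are constructed and the function names are hypothetical; the four constraints are the standard bounded-ReLU encoding, assumed here because this summary does not spell out the paper's constraints.

```python
# Added example (not MIPVerify.jl code). Weights, input and eps are constructed.

def affine_bounds(W, b, lo, hi):
    """Interval arithmetic ("ia") through z = W x + b for lo <= x <= hi."""
    zl = [bias + sum(w * (lo[j] if w >= 0 else hi[j]) for j, w in enumerate(row))
          for row, bias in zip(W, b)]
    zu = [bias + sum(w * (hi[j] if w >= 0 else lo[j]) for j, w in enumerate(row))
          for row, bias in zip(W, b)]
    return zl, zu

def classify_relus(zl, zu):
    """Only a ReLU whose pre-activation can change sign needs a binary variable."""
    return ["active" if l >= 0 else "inactive" if u <= 0 else "unstable"
            for l, u in zip(zl, zu)]

def relu_encoding_solutions(x, l, u):
    """All y admitted by  y >= 0, y >= x, y <= u*a, y <= x - l*(1 - a),  a in {0, 1},
    for a pre-activation x with bounds l < 0 < u."""
    sols = set()
    for a in (0, 1):
        y_min, y_max = max(0.0, x), min(u * a, x - l * (1 - a))
        if y_min <= y_max:
            sols.update((y_min, y_max))
    return sols

def relaxation_gap(l, u):
    """Largest gap between the LP relaxation (a in [0, 1]) and the true ReLU,
    attained at x = 0. Tighter bounds shrink it."""
    return -u * l / (u - l)

W1 = [[1.0, -1.0], [0.5, 0.5], [-1.0, -1.0]]
b1 = [-0.125, 1.0, 0.5]
x0, eps = [0.625, 0.375], 0.125
# G(x): the l_inf ball around x0, clipped to the valid pixel range [0, 1]
lo = [max(0.0, v - eps) for v in x0]
hi = [min(1.0, v + eps) for v in x0]
zl, zu = affine_bounds(W1, b1, lo, hi)
status = classify_relus(zl, zu)

if __name__ == "__main__":
    print("pre-activation bounds:", list(zip(zl, zu)))
    print("ReLU status:", status)
    print("y at x=0.25:", relu_encoding_solutions(0.25, zl[0], zu[0]))
    print("gap, ia bounds:", relaxation_gap(zl[0], zu[0]),
          "gap, loose bounds:", relaxation_gap(-1.0, 2.0))
```

Of the three constructed neurons only the first is unstable, so only it needs a binary variable; the encoding is exact for any valid bounds, but the relaxation gap shows why tighter bounds make the MILP easier to solve.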
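Experimental Results
Research Questions
- RQ1: Can a complete MILP verifier efficiently certify the robustness of large piecewise-linear networks (including convolutional networks and ResNets) to bounded perturbations?
- RQ2: How does the MILP verifier compare with SMT-based and incomplete verifiers in speed and in the tightness of robustness certificates?
- RQ3: For MNIST under l_infinity perturbations with epsilon=0.1, what exact adversarial accuracy can be achieved, and how does it compare with attacks such as PGD?
- RQ4: How do robust training methods and network architectures affect verifiability and robustness certificates?
- RQ5: When certifying robustness on MNIST and CIFAR-10, which factors determine verification time and scalability?
Key Findings
| Dataset | Network | ε | Test error | Certified lower bound on adversarial error (Lower) | Certified upper bound on adversarial error (Upper) | No gap? | Mean time / s (per sample) |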
|---|---|---|---|---|---|---|---|
| MNIST | LP_d-CNN_B | 0.1 | 1.19% | 2.62% | 2.73% | 4.45% [1] | 46.33 |
| MNIST | LP_d-CNN_A | 0.1 | 1.89% | 4.11% | 4.38% | 4.38% | 3.52 |
| MNIST | Adv-CNN_A | 0.1 | 0.96% | 4.10% | 4.21% | — | 135.74 |
| MNIST | Adv-MLP_B | 0.1 | 4.02% | 9.03% | 9.74% | 15.41% | 3.69 |
| MNIST | SDP_d-MLP_A | 0.1 | 4.18% | 11.51% | 14.36% | 34.77% | 312.43 |
| MNIST | LP_d-CNN_A | 0.2 | 4.23% | 9.54% | 10.68% | 17.50% | 7.32 |
| MNIST | LP_d-CNN_B | 0.3 | 11.16% | 19.70% | 24.12% | 41.98% | 98.79 |
| MNIST | LP_d-CNN_A | 0.3 | 11.40% | 22.70% | 25.79% | 35.03% | 5.13 |
| MNIST | LP_d-CNN_A | 0.4 | 26.13% | 39.22% | 48.98% | 62.49% | 5.07 |
| CIFAR-10 | LP_d-CNN_A | 2/255 | 39.14% | 48.23% | 49.84% | 53.59% [1] | 22.41 |
| CIFAR-10 | LP_d-RES | 8/255 | 72.93% | 76.52% | 77.29% | 78.52% [1] | 15.23 |
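- On the task of finding minimum adversarial distortions, the MILP verifier is two to three orders of magnitude faster than Reluplex.
- It can verify networks with more than 100,000 ReLUs, including convolutional and residual layers.
- For MNIST at epsilon=0.1 the authors obtain the exact adversarial accuracy: an adversarial example exists for 4.38% of samples, and the remaining samples have a certificate of robustness.
- On MNIST and CIFAR-10, the method certifies more samples and finds more adversarial examples than the previous state of the art.
- The method gives tighter upper and lower bounds on adversarial error than prior methods and scales to larger architectures (such as LP_d_res, with 107,496 units).
- The authors provide an open-source tool (MIPVerify.jl) for reproducing and extending the results.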
This explanation was generated by AI and reviewed by human editors.