[论文解读] Towards Stable and Efficient Training of Verifiably Robust Neural Networks
我们提出 CROWN-IBP,一种将 Interval Bound Propagation (IBP) 与 CROWN 边界相结合的经过认证的鲁棒训练方法,以在 MNIST 和 CIFAR-10 的 ℓ∞ 扰动下实现高效且更紧的可验证鲁棒性,优于以往的 IBP 和线性松弛基线。
Training neural networks with verifiable robustness guarantees is challenging. Several existing approaches utilize linear relaxation based neural network output bounds under perturbation, but they can slow down training by a factor of hundreds depending on the underlying network architectures. Meanwhile, interval bound propagation (IBP) based training is efficient and significantly outperforms linear relaxation based methods on many tasks, yet it may suffer from stability issues since the bounds are much looser especially at the beginning of training. In this paper, we propose a new certified adversarial training method, CROWN-IBP, by combining the fast IBP bounds in a forward bounding pass and a tight linear relaxation based bound, CROWN, in a backward bounding pass. CROWN-IBP is computationally efficient and consistently outperforms IBP baselines on training verifiably robust neural networks. We conduct large scale experiments on MNIST and CIFAR datasets, and outperform all previous linear relaxation and bound propagation based certified defenses in $\\ell_\\infty$ robustness. Notably, we achieve 7.02% verified test error on MNIST at $\\epsilon=0.3$, and 66.94% on CIFAR-10 with $\\epsilon=8/255$. Code is available at https://github.com/deepmind/interval-bound-propagation (TensorFlow) and https://github.com/huanzhang12/CROWN-IBP (PyTorch).
研究动机与目标
- Motivate the need for verifiable robustness in DNNs and analyze limitations of existing linear relaxation and IBP methods.
- Propose a hybrid training method (CROWN-IBP) that combines the strengths of IBP and CROWN to improve training stability and bound tightness.
- Demonstrate scalability and improved verified robustness on standard datasets under ℓ∞ adversarial perturbations.
- Provide insights into trade-offs between standard accuracy and verified accuracy during training.
提出的方法
- Present a hybrid bound propagation framework: a forward IBP pass to obtain loose but scalable bounds, and a backward CROWN-style pass to tighten the bounds for the robust margin.
- Linearize ReLU activations using adaptive relaxation to obtain tractable bounds (Eq. 10–11).
- Compute a combined lower bound for the margin: underline m = IBP_bound + beta * CROWN-IBP_bound (Equation 9) with a tunable beta to balance tightness and efficiency.
- Propagate bounds from the last layer backwards using a sequence of A matrices to construct a linear surrogate of the network (Eq. 12–13).
- Offer computational complexity improvements over standard CROWN/Convex Adversarial Polytope by leveraging the small output size nL, resulting in O(L n^2 nL) backward cost.
- Allow a flexible training objective that blends natural (clean) loss with a robust loss based on the lower bound (Eq. 9).
- Provide practical training strategies including ramp-up schedules for epsilon and tuning of kappa (blend between natural and robust losses) and beta (IBP vs CROWN-IBP contribution).
实验结果
研究问题
- RQ1How can we achieve efficient, scalable training with provable robustness guarantees for neural networks?
- RQ2Can combining IBP with a CROWN-style bound yield tighter verifiable bounds without the heavy cost of full convex relaxations?
- RQ3What is the impact of the hybrid bound on standard accuracy versus verified accuracy across datasets and perturbation levels?
- RQ4How does CROWN-IBP compare to pure IBP and linear-relaxation baselines in terms of training stability and verification tightness?
主要发现
- CROWN-IBP consistently improves verified robustness over IBP baselines across MNIST and CIFAR-10 under ℓ∞ perturbations.
- On MNIST, CROWN-IBP reduces verified error from 8.21% (IBP baseline) to 7.02% at ε=0.3.
- On CIFAR-10, at ε=2/255, CROWN-IBP reduces verified error from 55.88% (IBP) to 46.03%, matching or surpassing convex relaxation methods at larger ε.
- CROWN-IBP achieves state-of-the-art performance among IBP-based methods and outperforms prior IBP results on both MNIST and CIFAR-10.
- CROWN-IBP enables tighter bounds than IBP alone while maintaining scalability and avoiding the over-regularization observed with full linear-relaxation methods.
- The method provides a mechanism to trade off between standard and verified accuracy via the κ parameter and the β parameter in the bound combination.
更好的研究,从现在开始
从论文设计到论文写作,大幅缩短您的研究时间。
无需绑定信用卡
本解读由 AI 生成,并经人工编辑审核。