CNN-Cert: An Efficient Framework for Certifying Robustness of Convolutional Neural Networks

Boopathy, Akhilan; Weng, Tsui-Wei; Chen, Pin-Yu; Liu, Sijia; Daniel, Luca

doi:10.1609/aaai.v33i01.33013240

Cited by 118 publications

(142 citation statements)

References 3 publications

Supporting

Mentioning

141

Contrasting

Order By: Relevance

“…Robustness of models with respect to adversarial examples is an active field of research Boopathy et al 2019;Cisse et al 2017;Gu and Rigazio 2014;Carlini and Wagner 2017b;Metzen et al 2017;Carlini and Wagner 2017a). Arnab et al (2018) evaluate the robustness of semantic segmentation models for adversarial attacks of a wide variety of network architectures (e.g.…”

Section: Related Workmentioning

confidence: 99%

Benchmarking the Robustness of Semantic Segmentation Models with Respect to Common Corruptions

Kamann

Rother

2020

Int J Comput Vis

View full text Add to dashboard Cite

When designing a semantic segmentation model for a real-world application, such as autonomous driving, it is crucial to understand the robustness of the network with respect to a wide range of image corruptions. While there are recent robustness studies for full-image classification, we are the first to present an exhaustive study for semantic segmentation, based on many established neural network architectures. We utilize almost 400,000 images generated from the Cityscapes dataset, PASCAL VOC 2012, and ADE20K. Based on the benchmark study, we gain several new insights. Firstly, many networks perform well with respect to real-world image corruptions, such as a realistic PSF blur. Secondly, some architecture properties significantly affect robustness, such as a Dense Prediction Cell, designed to maximize performance on clean data only. Thirdly, the generalization capability of semantic segmentation models depends strongly on the type of image corruption. Models generalize well for image noise and image blur, however, not with respect to digitally corrupted data or weather corruptions.

show abstract

Section: Related Workmentioning

confidence: 99%

Benchmarking the Robustness of Semantic Segmentation Models with Respect to Common Corruptions

Kamann

Rother

2020

Int J Comput Vis

View full text Add to dashboard Cite

show abstract

“…in the same class by N. Note that, as MSR(N, x) is defined in the embedding space, which is continuous, the perturbation space, Ball(x, ), contains meaningful texts as well as texts that are not syntactically or semantically meaningful. In order to compute l we leverage constraint relaxation techniques developed for CNNs (Boopathy et al, 2019) and LSTMs (Ko et al, 2019), namely CNN-Cert and POPQORN. For an input text x and a hyperbox around Ball(x, ), these techniques find linear lower and upper bounds for the activation functions of each layer of the neural network and use these to propagate an over-approximation of the hyperbox through the network.…”

Section: Lower Bound: Constraint Relaxationmentioning

confidence: 99%

“…In this work, we exploit approximate, scalable, linear constraint relaxation methods (Weng et al, 2018a;Wong and Kolter, 2018), which do not assume Lipschitz continuity. In particular, we adapt the CNN-Cert tool (Boopathy et al, 2019) and its recurrent extension POPQORN (Ko et al, 2019) to compute robustness guarantees for text classification in the NLP domain. We note that NLP robustness has also been addressed using interval bound propagation Jia et al, 2019).…”

Section: Introductionmentioning

confidence: 99%

Assessing Robustness of Text Classification through Maximal Safe Radius Computation

Malfa¹,

Wu²,

Laurenti³

et al. 2020

Findings of the Association for Computational Linguistics: EMNLP 2020

View full text Add to dashboard Cite

Neural network NLP models are vulnerable to small modifications of the input that maintain the original meaning but result in a different prediction. In this paper, we focus on robustness of text classification against word substitutions, aiming to provide guarantees that the model prediction does not change if a word is replaced with a plausible alternative, such as a synonym. As a measure of robustness, we adopt the notion of the maximal safe radius for a given input text, which is the minimum distance in the embedding space to the decision boundary. Since computing the exact maximal safe radius is not feasible in practice, we instead approximate it by computing a lower and upper bound. For the upper bound computation, we employ Monte Carlo Tree Search in conjunction with syntactic filtering to analyse the effect of single and multiple word substitutions. The lower bound computation is achieved through an adaptation of the linear bounding techniques implemented in tools CNN-Cert and POPQORN, respectively for convolutional and recurrent network models. We evaluate the methods on sentiment analysis and news classification models for four datasets (IMDB, SST, AG News and NEWS) and a range of embeddings, and provide an analysis of robustness trends. We also apply our framework to interpretability analysis and compare it with LIME.

show abstract

“…The authors extended their work to overcome the limitation of simple fully-connected (a) (δ, ε)-parameter robustness for δ = 0.005 (b) (δ, ε)-parameter robustness for δ = 0.01 (c) δσ-parameter robustness for δ = 0.005 (d) δσ-parameter robustness for δ = 0.01 layers and ReLU activations to propose CNN-Cert. The new framework can handle various architectures including convolutional layers, max-pooling layers, batch normalization layer, residual blocks, as well as general activation functions and capable of certifying robustness on general convolutional neural networks [3]. Data-centric approaches entail identifying and rejecting perturbed samples, or increasing the training data to handle perturbations appropriately.…”

Section: Related Workmentioning

confidence: 99%

Robustness of Neural Networks to Parameter Quantization

Murthy¹,

Das

Islam

2019

From Reactive Systems to Cyber-Physical Systems

View full text Add to dashboard Cite

Keywords: Neural Networks · Edge Computing · Parameter Quantization · Robustness · Satisfiability Modulo Theories Quantization, a commonly used technique to reduce the memory footprint of a neural network for edge computing, entails reducing the precision of the floating-point representation used for the parameters of the network. The impact of such rounding-off errors on the overall performance of the neural network is estimated using testing, which is not exhaustive and thus cannot be used to guarantee the safety of the model. We present a framework based on Satisfiability Modulo Theory (SMT) solvers to quantify the robustness of neural networks to parameter perturbation. To this end, we introduce notions of local and global robustness that capture the deviation in the confidence of class assignments due to parameter quantization. The robustness notions are then cast as instances of SMT problems and solved automatically using solvers, such as dReal. We demonstrate our framework on two simple Multi-Layer Perceptrons (MLP) that perform binary classification on a two-dimensional input. In addition to quantifying the robustness, we also show that Rectified Linear Unit activation results in higher robustness than linear activations for our MLPs.

show abstract

CNN-Cert: An Efficient Framework for Certifying Robustness of Convolutional Neural Networks

Cited by 118 publications

References 3 publications

Benchmarking the Robustness of Semantic Segmentation Models with Respect to Common Corruptions

Benchmarking the Robustness of Semantic Segmentation Models with Respect to Common Corruptions

Assessing Robustness of Text Classification through Maximal Safe Radius Computation

Robustness of Neural Networks to Parameter Quantization

Contact Info

Product

Resources

About