2020
DOI: 10.48550/arxiv.2004.00570
|View full text |Cite
Preprint
|
Sign up to set email alerts
|

Tightened Convex Relaxations for Neural Network Robustness Certification

Abstract: In this paper, we consider the problem of certifying the robustness of neural networks to perturbed and adversarial input data. Such certification is imperative for the application of neural networks in safety-critical decisionmaking and control systems. Certification techniques using convex optimization have been proposed, but they often suffer from relaxation errors that void the certificate. Our work exploits the structure of ReLU networks to improve relaxation errors through a novel partition-based certifi… Show more

Help me understand this report

Search citation statements

Order By: Relevance

Paper Sections

Select...
2
1
1

Citation Types

1
3
0

Year Published

2020
2020
2020
2020

Publication Types

Select...
3

Relationship

2
1

Authors

Journals

citations
Cited by 3 publications
(4 citation statements)
references
References 18 publications
1
3
0
Order By: Relevance
“…If the deterministic robustness level is nonnegative, then Y ⊆ S, which implies that the random output Y = f (X) is safe with probability one. This notion of robustness coincides with that used when considering adversarial inputs [19], [10], [11].…”
Section: B Various Notions Of Robustnesssupporting
confidence: 60%
See 1 more Smart Citation
“…If the deterministic robustness level is nonnegative, then Y ⊆ S, which implies that the random output Y = f (X) is safe with probability one. This notion of robustness coincides with that used when considering adversarial inputs [19], [10], [11].…”
Section: B Various Notions Of Robustnesssupporting
confidence: 60%
“…However, this approach has two problems: 1) the output set is generally intractable to compute [6], and 2) certification typically amounts to solving an NPhard, nonconvex optimization over the output set [7]. As a result, these assessment methods have largely been treated separately in the settings of output set estimation (see also, reachability analysis) [6], [8], and robustness certification [9], [10], [11], and these remain active areas of research.…”
Section: Introductionmentioning
confidence: 99%
“…The key difference between partitioning approaches is the strategy for how to split the input set. Some works make one bisection of the input set [15], [16]; [13] splits the input set into a uniform grid. The current state-of-art partitioner, a Simulation-Guided approach (SG) [14], uses a partitioning strategy where Monte Carlo samples of the exact NN output are used as guidance for efficient partitioning of the input set, reducing the amount of computation required for the same level of bound tightness.…”
Section: B Partitionersmentioning
confidence: 99%
“…Much of the literature on robustness certification has revolved around adversarial inputs, i.e., inputs that are designed to cause a worst-case prediction (Wong and Kolter, 2017;Raghunathan et al, 2018;Anderson et al, 2020). However, as argued in Webb et al (2018) and Mangal et al (2019), random input uncertainty better models reality in many cases.…”
Section: Introductionmentioning
confidence: 99%