The threat of adversarial examples has motivated work on training certifiably
robust neural networks to facilitate efficient verification of local
robustness at inference time. We formalize a notion of global robustness, which
captures the operational properties of on-line local robustness certification
while yielding a natural learning objective for robust training. We show that
widely-used architectures can be easily adapted to this objective by
incorporating efficient global Lipschitz bounds into the network, yielding
models that are certifiably robust by construction and achieve
state-of-the-art verifiable and clean accuracy. Notably, this approach requires significantly
less time and memory than recent certifiable training methods, and leads to
negligible costs when certifying points on-line; for example, our evaluation
shows that it is possible to train a large Tiny-ImageNet model in a matter of
hours. We posit that this is possible using inexpensive global bounds,
despite prior suggestions that tighter local bounds are needed for good
performance, because these models are trained to achieve tighter global
bounds. Specifically, we prove that the maximum achievable verifiable accuracy
for a given dataset is not improved by using a local bound.

Authors: Klas Leino, Zifan Wang, Matt Fredrikson
