DSpace@MIT

GENERALIZING ROBUSTNESS VERIFICATION FOR MACHINE LEARNING

Author(s)
Mohapatra, Jeet
Thesis PDF (1.805Mb)
Advisor
Daniel, Luca
Terms of use
In Copyright - Educational Use Permitted Copyright MIT http://rightsstatements.org/page/InC-EDU/1.0/
Abstract
Verifying robustness of neural networks given a specified threat model is a fundamental yet challenging task. Although a lot of work has been done to quantify the robustness of DNNs to ℓₚ-norm bounded adversarial attacks, there are still a few gaps between available guarantees and those needed in practice. In this thesis we focus on resolving two of these limitations. 1) While current verification methods mainly focus on the ℓₚ-norm threat model of the input instances, robustness verification against semantic adversarial attacks inducing large ℓₚ-norm perturbations, such as color shifting and lighting adjustment, is beyond their capacity. To bridge this gap, we propose a framework, Semantify-NN, to extend ℓₚ-norm verification to semantic verification. 2) Randomized smoothing is a recently proposed defense against adversarial attacks that has achieved state-of-the-art provable robustness against ℓ₂ perturbations. A number of publications have extended the guarantees to other metrics, such as ℓ₁ or ℓ∞, by using different smoothing measures. Although the current framework has been shown to yield near-optimal ℓₚ radii, the total safety region certified by the current framework can be arbitrarily small compared to the optimal. We provide Higher Order Verification: a general framework to improve the certified safety region for these smoothed classifiers without changing the underlying smoothing scheme, which allows the resulting classifier to be provably robust to multiple threat models at once.
Date issued
2021-06
URI
https://hdl.handle.net/1721.1/138996
Department
Massachusetts Institute of Technology. Department of Electrical Engineering and Computer Science
Publisher
Massachusetts Institute of Technology

Collections
  • Graduate Theses