Abstract:Geometric image transformations that arise in the real world, such as scaling and rotation, have been shown to easily deceive deep neural networks (DNNs). Hence, training DNNs to be certifiably robust to these perturbations is critical. However, no prior work has been able to incorporate the objective of deterministic certified robustness against geometric transformations into the training procedure, as existing verifiers are exceedingly slow. To address these challenges, we propose the first provable defense for deterministic certified geometric robustness. Our framework leverages a novel GPU-optimized verifier that can certify images between 60$\times$ to 42,600$\times$ faster than existing geometric robustness verifiers, and thus unlike existing works, is fast enough for use in training. Across multiple datasets, our results show that networks trained via our framework consistently achieve state-of-the-art deterministic certified geometric robustness and clean accuracy. Furthermore, for the first time, we verify the geometric robustness of a neural network for the challenging, real-world setting of autonomous driving.

What problem does this paper attempt to address?

The core problem that this paper attempts to solve is: **How to train deep neural networks (DNNs) to ensure their provably deterministic robustness to geometric transformations?** Specifically, the paper focuses on the problem that geometric image transformations in the real world (such as scaling and rotation) can easily deceive DNNs, and proposes a new framework to address this challenge. ### Problem Background 1. **The Deceptiveness of Geometric Transformations**: - Geometric transformations (such as scaling, rotation, etc.) are very common in the real world, but these transformations can easily deceive deep neural networks, leading to classification errors. - This problem is particularly serious in safety - critical fields such as autonomous driving and medical imaging. 2. **Limitations of Existing Methods**: - Existing verifiers are very slow when dealing with geometric transformations and cannot be used during the training process. - Probabilistic verifiers are more efficient, but may be unreliable in safety - critical applications because they may incorrectly mark adversarial regions as robust. ### Main Contributions of the Paper 1. **Proposing the Certified Geometric Training (CGT) Framework**: - The CGT framework consists of two main parts: - **Fast Geometric Verifier (FGV)**: A novel GPU - optimized verifier that can be 60 to 42,600 times faster than existing geometric robustness verifiers. - **Efficient Loss Functions**: These loss functions embed the FGV into the training process, enabling the network to maintain geometric robustness during training. 2. **Empirical Results**: - On multiple datasets (such as MNIST, CIFAR10, Tiny ImageNet, and the Udacity self - driving dataset), the networks trained by CGT have achieved state - of - the - art levels in both clean accuracy and certified robustness. - For the first time, the geometric robustness of neural networks has been verified in real - world self - driving scenarios. ### Key Technical Challenges - **Complexity of Geometric Transformations**: - The adversarial regions of geometric transformations are highly non - uniform and difficult to be directly represented as convex shapes by symbolic formulas. - Calculating these adversarial input regions is the main computational bottleneck of existing geometric robustness verifiers. - **Parameter Splitting**: - In order to improve verification accuracy, it is necessary to divide the entire parameter range into multiple small intervals and independently verify each interval. ### Summary By proposing the CGT framework, the paper solves the problem of geometric transformations deceiving DNNs and provides a fast and effective training method, making DNNs provably deterministic robust under geometric transformations. This not only improves the robustness of the model but also shows excellent performance on multiple datasets.

Provable Defense Against Geometric Transformations

Verification of Geometric Robustness of Neural Networks via Piecewise Linear Approximation and Lipschitz Optimisation

Globally-Robust Neural Networks

General Lipschitz: Certified Robustness Against Resolvable Semantic Transformations via Transformation-Dependent Randomized Smoothing

GSmooth: Certified Robustness against Semantic Transformations via Generalized Randomized Smoothing

Fast Training of Provably Robust Neural Networks by SingleProp

Robustness Certification for Point Cloud Models

GOAT: GPU Outsourcing of Deep Learning Training With Asynchronous Probabilistic Integrity Verification Inside Trusted Execution Environment

Shared Certificates for Neural Network Verification

Towards Certifying the Asymmetric Robustness for Neural Networks: Quantification and Applications

Online Verification of Deep Neural Networks under Domain Shift or Network Updates

Boosting Verified Training for Robust Image Classifications via Abstraction

SoK: Certified Robustness for Deep Neural Networks

Provable Defenses against Spatially Transformed Adversarial Inputs: Impossibility and Possibility Results

Optimistic Verifiable Training by Controlling Hardware Nondeterminism

Lost in Translation: Modern Neural Networks Still Struggle With Small Realistic Image Transformations

Improving the Robustness of Adversarial Attacks Using an Affine-Invariant Gradient Estimator

Set-Based Training for Neural Network Verification

Certifying Semantic Robustness of Deep Neural Networks

TSS - Transformation-Specific Smoothing for Robustness Certification.

Provably Robust Adversarial Examples