TY - JOUR
T1 - Towards Certifying the Asymmetric Robustness for Neural Networks
T2 - Quantification and Applications
AU - Li, Changjiang
AU - Ji, Shouling
AU - Weng, Haiqin
AU - Li, Bo
AU - Shi, Jie
AU - Beyah, Raheem
AU - Guo, Shanqing
AU - Wang, Zonghui
AU - Wang, Ting
N1 - Funding Information:
This work was partly supported by the National Key Research and Development Program of China under Grant 2020AAA0140004, in part by the Zhejiang Provincial Natural Science Foundation for Distinguished Young Scholars under Grant LR19F020003, and NSFC under Grants 61772466 and U1836202.
Publisher Copyright:
© 2004-2012 IEEE.
PY - 2022
Y1 - 2022
N2 - One intriguing property of deep neural networks (DNNs) is their vulnerability to adversarial examples - those maliciously crafted inputs that deceive target DNNs. While a plethora of defenses have been proposed to mitigate the threats of adversarial examples, they are often penetrated or circumvented by even stronger attacks. To end the constant arms race between attackers and defenders, significant efforts have been devoted to providing certifiable robustness bounds for DNNs, which ensures that for a given input its vicinity does not admit any adversarial instances. Yet, most prior works focus on the case of symmetric vicinities (e.g., a hyperrectangle centered at a given input), while ignoring the inherent heterogeneity of perturbation direction (e.g., the input is more vulnerable along a particular perturbation direction). To bridge the gap, in this article, we propose the concept of asymmetric robustness to account for the inherent heterogeneity of perturbation directions, and present Amoeba, an efficient certification framework for asymmetric robustness. Through extensive empirical evaluation on state-of-the-art DNNs and benchmark datasets, we show that compared with its symmetric counterpart, the asymmetric robustness bound of a given input describes its local geometric properties in a more precise manner, which enables use cases including (i) modeling stronger adversarial threats, (ii) interpreting DNN predictions, and makes it a more practical definition of certifiable robustness for security-sensitive domains.
UR - http://www.scopus.com/inward/record.url?scp=85117314953&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85117314953&partnerID=8YFLogxK
U2 - 10.1109/TDSC.2021.3116105
DO - 10.1109/TDSC.2021.3116105
M3 - Article
AN - SCOPUS:85117314953
SN - 1545-5971
VL - 19
SP - 3987
EP - 4001
JO - IEEE Transactions on Dependable and Secure Computing
JF - IEEE Transactions on Dependable and Secure Computing
IS - 6
ER -