SLIDE 1
Adversarial Training and Provable Defenses: Bridging the Gap
SLIDE 2
SLIDE 3
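$x$, $S_0(x)$
$h_\theta = h_\theta^k \circ h_\theta^{k-1} \circ \cdots \circ h_\theta^1$
[Diagram: $x' \in S_0(x)$ → $h_\theta^1$ (Conv + ReLU) → $x_1'$ → $h_\theta^2$ (Conv + ReLU) → $x_2'$ → $h_\theta^3$ (Linear) → $x_3' = h_\theta(x')$]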
SLIDE 4
$c^T h_\theta(x') + d < 0, \quad \forall x' \in S_0(x)$
[Diagram: $x' \in S_0(x)$ → $h_\theta^1$ (Conv + ReLU) → $x_1'$ → $h_\theta^2$ (Conv + ReLU) → $x_2'$ → $h_\theta^3$ (Linear) → $x_3' = h_\theta(x')$]
SLIDE 5
[Diagram: $C_0(x) = S_0(x)$ → $h_\theta^1$ (Conv + ReLU) → $C_1(x)$ → $h_\theta^2$ (Conv + ReLU) → $C_2(x)$ → $h_\theta^3$ (Linear) → $C_3(x)$]
Guarantees: $c^T h_\theta(x') + d < 0, \quad \forall x' \in S_0(x)$
Check output condition: $c^T x_3' + d < 0, \quad \forall x_3' \in C_3(x)$
SLIDE 6
$\min_\theta \; \mathbb{E}_{(x,y) \sim D} \; \max_{x' \in S_0(x)} \mathcal{L}(h_\theta(x'), y)$
lower upper
SLIDE 7
- lower
- upper
SLIDE 8
[Diagram: $C_0(x) = S_0(x)$ → $h_\theta^1$ → $C_1(x)$ → $h_\theta^2$ → $C_2(x)$ → $h_\theta^3$ → $C_3(x)$; points $x_1'$, $x_2'$, $x_3'$]
$c^T x_3' + d < 0$ (certification fails)
SLIDE 9
$S_0(x)$; $C_1(x)$, $C_2(x)$, $C_3(x)$
SLIDE 10
[Diagram: $C_0(x) = S_0(x)$ → $h_\theta^1$ (Conv + ReLU) → $C_1(x)$ → $h_\theta^2$ (Conv + ReLU) → $C_2(x)$ → $h_\theta^3$ (Linear) → $C_3(x)$; points $x_1'$, $x_2'$, $x_3'$]
$\mathcal{L}(x_3', y)$
$\nabla_\theta \mathcal{L}(x_3', y)$
SLIDE 11
SLIDE 12
projection
SLIDE 13
$C_l(x) = \{ a_l + A_l e \mid e \in [-1, 1]^{m_l} \}$
$a_0 = x, \quad A_0 = \epsilon I$
SLIDE 14
[Figure: axes $e_1$, $e_2$ and $x_1'$, $x_2'$; expressions $2e_1 - e_2$ (for $x_1'$) and $e_1 + e_2$ (for $x_2'$)]
Key idea
$x' = a_l + A_l e$
SLIDE 15
Method Accuracy (%) Certified Robustness (%)
SLIDE 16
Method Accuracy (%) Certified Robustness (%)
SLIDE 17