Certified defenses based on convex relaxations are an established technique for training provably robust models. The key component is the choice of relaxation, varying from simple intervals to tight polyhedra. Paradoxically, however, training with tighter relaxations can often lead to worse certified robustness. The poor understanding of this paradox has forced recent state-of-the-art certified defenses to focus on designing various heuristics in order to mitigate its effects. In contrast, in this paper we study the underlying causes and show that tightness alone may not be the determining factor. Concretely, we identify two key properties of relaxations that impact training dynamics: continuity and sensitivity. Our extensive experimental evaluation demonstrates that these two factors, observed alongside tightness, explain the drop in certified robustness for popular relaxations. Further, we investigate the possibility of designing and training with relaxations that are tight, continuous and not sensitive. We believe the insights of this work can help drive the principled discovery of new and effective certified defense mechanisms.