Recent works have tried to increase the verifiability of adversarially trained networks by running the attacks over domains larger than the original perturbations and adding various regularization terms to the objective. However, these algorithms either underperform or require complex and expensive stage-wise training procedures, hindering their practical applicability. We present IBP-R, a novel verified training algorithm that is both simple and effective. IBP-R induces network verifiability by coupling adversarial attacks on enlarged domains with a regularization term, based on inexpensive interval bound propagation, that minimizes the gap between the non-convex verification problem and its approximations. By leveraging recent branch-and-bound frameworks, we show that IBP-R obtains state-of-the-art verified robustness-accuracy trade-offs for small perturbations on CIFAR-10 while training significantly faster than relevant previous work. Additionally, we present UPB, a novel branching strategy that, relying on a simple heuristic based on $\beta$-CROWN, reduces the cost of state-of-the-art branching algorithms while yielding splits of comparable quality.
翻译:最近的工作试图通过在比最初的扰动更大的领域进行攻击,并增加各种正规化条件,提高经过敌对训练的网络的可核查性。然而,这些算法要么表现不佳,要么需要复杂和昂贵的分阶段培训程序,从而妨碍其实际适用性。我们介绍了IBP-R,这是一套经过核实的、简单和有效的新颖培训算法。IMB-R通过在基于廉价的间隙传播的正规化术语基础上对扩大的域进行对抗性攻击,将对抗性攻击合并起来,从而最大限度地缩小非集装箱核查问题与其近似之间的差距。我们利用最近的分支和约束框架,表明IMB-R在对CIFAR-10进行小规模扰动时获得了最新且经过核实的稳健性准确性交易,而培训速度大大快于相关的先前工作。此外,我们介绍了UPB,这是一项新的分支战略,依靠基于$\beta$-CROWN的简单超自然论,从而降低了国家分支化的分法的成本,同时产生可比质量的分裂。