Robustness Certification for Structured Prediction with General Inputs via Safe Region Modeling in the Semimetric Output Space

Many real-world machine learning problems involve structured prediction beyond categorical labels. However, most existing work on robustness certification is devoted to the classification case, and certification for more general outputs remains an open problem. In this paper, we propose a novel framework of robustness certification for structured prediction problems, where the output space is modeled as a semimetric space with a distance function that satisfies non-negativity and symmetry but not necessarily the triangle inequality. We further develop tailored certification methods for binary, numerical, and hybrid inputs in structured prediction. Experimental results show that our method achieves tighter robustness guarantees than the SOTA structured certification baseline for numerical inputs (the only input type that baseline supports) with ℓ2 norm perturbation when outputs are measured by intersection over union (IoU) similarity, total variation distance, and perceptual distance. Moreover, we achieve good robustness certification for binary inputs with ℓ0 norm perturbation and for hybrid inputs with the corresponding perturbation when outputs are measured by Manhattan distance.
