Provable Certificates for Adversarial Examples: Fitting a Ball in the Union of Polytopes
share
We propose a novel method for computing exact pointwise robustness of deep neural networks for a number of ℓ_p norms. Our algorithm, GeoCert, finds the largest ℓ_p ball centered at an input point x_0, within which the output class of a given neural network with ReLU nonlinearities remains unchanged. We relate the problem of computing pointwise robustness of these networks to that of growing a norm ball inside a non-convex polytope. This is a challenging problem in general, as we discuss; however, we prove a useful structural result about the geometry of the piecewise linear components of ReLU networks. This result allows for an efficient convex decomposition of the problem. Specifically we show that if polytopes satisfy a technical condition that we call being 'perfectly-glued', then we can find the largest ball inside their union in polynomial time. Our method is efficient and can certify pointwise robustness for any norm where p is greater or equal to 1.
READ FULL TEXT
