
Towards Researching On Heuristic Defense And Robustness Certification For Neural Networks

Posted on: 2021-03-07 | Degree: Master | Type: Thesis
Country: China | Candidate: C J Li | Full Text: PDF
GTID: 2428330623969153 | Subject: Cyberspace security
Abstract/Summary:
One intriguing property of deep neural networks (DNNs) is their vulnerability to adversarial examples: maliciously crafted inputs that deceive the target DNN. To mitigate the threat raised by adversarial examples, researchers have proposed many heuristic defense methods. However, these can be easily broken by an adaptive adversary. Aiming to end the arms race between attackers and defenders, significant effort has been devoted to providing certified robustness bounds for DNNs, which guarantee that, for a given input, its vicinity admits no adversarial instance. Yet prior work focuses on a symmetric vicinity for the perturbation (a hyperrectangle centered on the given input), while ignoring the inherent heterogeneity of the perturbation direction (e.g., an input may be more vulnerable along one perturbation direction than another). In this thesis, we first propose a defense method named DeT, which can 1) defend against adversarial examples generated by common attacks, and 2) correctly label adversarial examples with both small and large perturbations. DeT is a transferability-based defense method, which to the best of our knowledge is the first such attempt. Our experimental results demonstrate that DeT works well under both black-box and gray-box attacks. To bridge the gap left by symmetric bounds, we propose the concept of an asymmetric robustness bound that accounts for the heterogeneity of the perturbation direction, and present an efficient framework called Amoeba~2 to certify the asymmetric robustness bounds of given DNNs and inputs. Through extensive empirical evaluation, we show that, compared with its symmetric counterpart, an input's asymmetric robustness bound describes its local geometric properties more precisely, enabling a range of use cases including (i) enhancing existing attacks, (ii) explaining the predictions of DNNs, and (iii) exploring the transferability of adversarial examples. The evaluation reveals that, within the spectrum from the symmetric robustness bound (easy to compute but inaccurate) to the real robustness bound (infeasible to compute but precise), asymmetric robustness bounds strike a balance between computational efficiency and modeling expressiveness, making them a practical measurement for certified robustness.
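The symmetric-versus-asymmetric distinction above, as an added example that is not the thesis's code: it certifies a constructed toy ReLU network with interval bound propagation and compares the largest input-centred box with a box whose faces are grown independently. The network, the input and the greedy face-growing scheme are assumptions for illustration, not Amoeba's algorithm.

```python
"""Symmetric vs asymmetric certified boxes for a toy ReLU net, via interval bound propagation."""
import numpy as np
# Constructed 2 -> 3 -> 2 ReLU network and input (assumptions for illustration, not the thesis's).
W1 = np.array([[1.0, -1.0], [0.5, 2.0], [-1.5, 0.5]]); b1 = np.array([0.0, -0.5, 0.2])
W2 = np.array([[1.0, 1.0, -1.0], [-1.0, 0.5, 1.0]]);   b2 = np.array([0.0, 0.1])
X0 = np.array([1.0, 0.5])                                   # predicted class 0, margin 1.4

def predict(x):
    return int(np.argmax(W2 @ np.maximum(W1 @ x + b1, 0.0) + b2))

def certified(lo, hi, label):
    """True if interval bound propagation proves every input in the box [lo, hi] gets `label`."""
    for W, b in ((W1, b1), (W2, b2)):
        mid, rad = (lo + hi) / 2, (hi - lo) / 2
        c, r = W @ mid + b, np.abs(W) @ rad                 # exact for one affine layer
        lo, hi = c - r, c + r
        if W is W1:                                         # hidden layer: ReLU is monotone
            lo, hi = np.maximum(lo, 0.0), np.maximum(hi, 0.0)
    # worst case: the predicted logit at its lower bound, every rival at its upper bound
    return bool(lo[label] > np.max(np.delete(hi, label)))

def symmetric_bound(x, eps_max=4.0, tol=1e-6):
    """Largest radius eps (by bisection) for which the centred box [x-eps, x+eps] is certified."""
    label, lo, hi = predict(x), 0.0, eps_max
    while hi - lo > tol:
        mid = (lo + hi) / 2
        lo, hi = (mid, hi) if certified(x - mid, x + mid, label) else (lo, mid)
    return lo

def asymmetric_bound(x, eps_max=4.0, tol=1e-6):
    """Grow the 2d faces of a box around x one at a time (greedy, shrinking step), so each
    direction gets its own extent. Returns (below, above): the box's reach below/above x."""
    label, lo, hi, step = predict(x), x.copy(), x.copy(), 1.0
    while step >= tol:
        grew = False
        for i in range(len(x)):
            for sign in (-1.0, 1.0):                        # lower face, then upper face
                lo_t, hi_t = lo.copy(), hi.copy()
                face = lo_t if sign < 0 else hi_t
                face[i] += sign * step
                if abs(face[i] - x[i]) <= eps_max and certified(lo_t, hi_t, label):
                    lo, hi, grew = lo_t, hi_t, True
        if not grew:
            step /= 2                                       # no face can grow: refine the step
    return x - lo, hi - x

if __name__ == "__main__":
    s, (below, above) = symmetric_bound(X0), asymmetric_bound(X0)
    print(f"symmetric radius {s:.4f}; asymmetric below {below.round(4)} above {above.round(4)}")
```

For this constructed input the certified box reaches the eps_max cap in the decreasing direction of the second coordinate while staying far inside the symmetric radius in the increasing direction, which is the direction heterogeneity the abstract refers to.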
Keywords/Search Tags: deep neural networks, asymmetric robustness, adversarial attack, adversarial example