Towards Verifying the Geometric Robustness of Large-Scale Neural Networks

TY - GEN

T1 - Towards Verifying the Geometric Robustness of Large-Scale Neural Networks

AU - Wang, Fu

AU - Xu, Peipei

AU - Ruan, Wenjie

AU - Huang, Xiaowei

N1 - © 2023, Association for the Advancement of Artificial Intelligence (www.aaai.org). All rights reserved.

PY - 2023/6/26

Y1 - 2023/6/26

N2 - Deep neural networks (DNNs) are known to be vulnerable to adversarial geometric transformation. This paper aims to verify the robustness of large-scale DNNs against the combination of multiple geometric transformations with a provable guarantee. Given a set of transformations (e.g., rotation, scaling, etc.), we develop GeoRobust, a black-box robustness analyser built upon a novel global optimisation strategy, for locating the worst-case combination of transformations that affect and even alter a network's output. GeoRobust can provide provable guarantees on finding the worst-case combination based on recent advances in Lipschitzian theory. Due to its black-box nature, GeoRobust can be deployed on large-scale DNNs regardless of their architectures, activation functions, and the number of neurons. In practice, GeoRobust can locate the worst-case geometric transformation with high precision for the ResNet50 model on ImageNet in a few seconds on average. We examined 18 ImageNet classifiers, including the ResNet family and vision transformers, and found a positive correlation between the geometric robustness of the networks and the parameter numbers. We also observe that increasing the depth of DNN is more beneficial than increasing its width in terms of improving its geometric robustness. Our tool GeoRobust is available at https://github.com/TrustAI/GeoRobust.

AB - Deep neural networks (DNNs) are known to be vulnerable to adversarial geometric transformation. This paper aims to verify the robustness of large-scale DNNs against the combination of multiple geometric transformations with a provable guarantee. Given a set of transformations (e.g., rotation, scaling, etc.), we develop GeoRobust, a black-box robustness analyser built upon a novel global optimisation strategy, for locating the worst-case combination of transformations that affect and even alter a network's output. GeoRobust can provide provable guarantees on finding the worst-case combination based on recent advances in Lipschitzian theory. Due to its black-box nature, GeoRobust can be deployed on large-scale DNNs regardless of their architectures, activation functions, and the number of neurons. In practice, GeoRobust can locate the worst-case geometric transformation with high precision for the ResNet50 model on ImageNet in a few seconds on average. We examined 18 ImageNet classifiers, including the ResNet family and vision transformers, and found a positive correlation between the geometric robustness of the networks and the parameter numbers. We also observe that increasing the depth of DNN is more beneficial than increasing its width in terms of improving its geometric robustness. Our tool GeoRobust is available at https://github.com/TrustAI/GeoRobust.

U2 - 10.1609/aaai.v37i12.26773

DO - 10.1609/aaai.v37i12.26773

M3 - Conference contribution

VL - 37

T3 - Proceedings of the AAAI Conference on Artificial Intelligence

SP - 15197

EP - 15205

BT - Proceedings of the 37th AAAI Conference on Artificial Intelligence

PB - AAAI Press

T2 - 37th AAAI Conference on Artificial Intelligence

Y2 - 7 February 2023 through 14 February 2023

ER -