keywords: deep learning, robustness, adversarial examples, adversarial training, certified defense
This repository is the official implementation of BCP (Box Constraint Propagation) by Sungyoon Lee, Jaewook Lee, and Saerom Park.
BCP is a certified adversarial defense method against l2-norm (or lp-norm, p>0) bounded perturbations. It propagates a box constraint in addition to the Lipschitz outer bound to obtain a tighter outer bound. The propagation scheme is briefly illustrated as follows:
By introducing an additional box constraint, we can cut off the area below the red line from the Lipschitz outer bound (the elliptic area) in the following visualization.
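The tightening described above, worked on a constructed one-hidden-layer ReLU network with 2-D input. This is an added illustration, not code from this repository and not the full BCP propagation; the weights, the margin row `C` and all function names are assumptions. It compares the certified margin lower bound from the Lipschitz ball alone, from the box alone, and from their intersection.

```python
import math

def spectral_norm_2col(W):
    """Exact spectral norm of an n x 2 matrix from its 2 x 2 Gram matrix."""
    a = sum(r[0] * r[0] for r in W)
    b = sum(r[0] * r[1] for r in W)
    d = sum(r[1] * r[1] for r in W)
    return math.sqrt((a + d) / 2 + math.hypot((a - d) / 2, b))

def propagate(W, b, x, eps):
    """Push the l2 ball B(x, eps) through ReLU(Wx + b); return ball and box."""
    z0 = [sum(w * xi for w, xi in zip(row, x)) + bi for row, bi in zip(W, b)]
    rad = eps * spectral_norm_2col(W)              # Lipschitz (ball) radius
    half = [eps * math.hypot(*row) for row in W]   # per-unit box half-width
    h0 = [max(z, 0.0) for z in z0]                 # ReLU is 1-Lipschitz
    lo = [max(z - h, 0.0) for z, h in zip(z0, half)]
    hi = [max(z + h, 0.0) for z, h in zip(z0, half)]
    return h0, rad, lo, hi

def margin_lower_bounds(c, h0, rad, lo, hi, iters=60):
    """Lower bounds on min c.h over the ball, the box, and their intersection."""
    dot = lambda u, v: sum(p * q for p, q in zip(u, v))
    dist = lambda h: math.sqrt(sum((p - q) ** 2 for p, q in zip(h, h0)))
    ball = dot(c, h0) - rad * math.sqrt(dot(c, c))
    corner = [l if ci > 0 else u if ci < 0 else h
              for ci, l, u, h in zip(c, lo, hi, h0)]
    box = dot(c, corner)
    if dist(corner) <= rad:          # box minimiser already inside the ball
        return ball, box, box
    # KKT: the minimiser is h(t) = clip(h0 - t*c, lo, hi) on the ball surface.
    point = lambda t: [min(max(h - t * ci, l), u)
                       for h, ci, l, u in zip(h0, c, lo, hi)]
    t_lo, t_hi = 0.0, 1.0
    while dist(point(t_hi)) < rad:
        t_hi *= 2.0
    for _ in range(iters):           # bisect on t
        mid = (t_lo + t_hi) / 2
        t_lo, t_hi = (mid, t_hi) if dist(point(mid)) < rad else (t_lo, mid)
    return ball, box, dot(c, point(t_hi))  # t_hi side keeps the bound sound

# Constructed toy network and input (not from the repository).
W1 = [[1.0, 0.0], [0.0, 1.0], [1.0, 1.0]]
B1 = [0.0, 0.0, 0.0]
X, EPS = [1.0, 1.0], 0.5
C = [3.0, 1.0, 1.0]  # hypothetical margin row: logit(true) - logit(other)

if __name__ == "__main__":
    print(margin_lower_bounds(C, *propagate(W1, B1, X, EPS)))
```

On this input the intersection bound is strictly larger than either single bound while staying below the true worst-case margin, which is the area cut off from the Lipschitz outer bound.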
To install requirements, modify `environment.yml` and run this command:

```
conda env create -f environment.yml
```
To train a certifiably robust model with the proposed method, run this command:
```
python train_mnist.py
python train_cifar10.py
```

See `demo_cifar10.ipynb` for more details.

The trained model will be saved in `./models/mnist/` or `./models/cifar10`.
You can download pretrained models here:
To evaluate the pretrained model, run:
```
python evaluate_mnist.py --test_pth pretrained/mnist_save.pth
python evaluate_cifar10.py --test_pth pretrained/cifar10_save.pth
```

Our model achieves the following performance against l2-perturbation compared to state-of-the-art methods (CAP, LMT, IBP):
vertical line: ε2=36/255
Model name | Standard | PGD^100 | Verification |
---|---|---|---|
BCP | 92.54% | 66.23% | 48.20% |
CAP | 88.39% | 62.25% | 43.95% |
LMT | 86.48% | 53.56% | 40.55% |

Model name | Standard | PGD^100 | Verification |
---|---|---|---|
BCP | 28.76% | 26.64% | 20.08% |
@article{lee2020lipschitz,
title={Lipschitz-Certifiable Training with a Tight Outer Bound},
author={Lee, Sungyoon and Lee, Jaewook and Park, Saerom},
journal={Advances in Neural Information Processing Systems},
volume={33},
year={2020}
}