LIMITATIONS OF PIECEWISE LINEARITY FOR EFFICIENT ROBUSTNESS CERTIFICATION

Abstract

Certified defenses against small-norm adversarial examples have received growing attention in recent years; yet the certified accuracies of state-of-the-art methods remain far below those of their non-robust counterparts, despite the fact that benchmark datasets have been shown to be well-separated at far larger radii than the literature typically attempts to certify. In this work, we offer insights that identify potential factors in this performance gap. Specifically, our analysis reveals that piecewise linearity imposes fundamental limitations on the tightness of leading certification techniques. These limitations are felt in practical terms as a greater need for capacity in models that are to be certified efficiently; moreover, this capacity is required in addition to the capacity necessary to learn a robust boundary, studied in prior work. However, we argue that addressing the limitations of piecewise linearity by scaling up model capacity may give rise to further difficulties, particularly regarding robust generalization. We therefore conclude by suggesting that developing smooth activation functions may be a promising way forward for advancing the performance of certified neural networks.

1. INTRODUCTION

Since the discovery of adversarial examples (Szegedy et al., 2014), defenses against malicious input perturbations to deep learning systems have received notable attention. While many early-proposed defenses, such as adversarial training (Madry et al., 2018), are heuristic in nature, a growing body of work seeking provable defenses has arisen (Cohen et al., 2019; Croce et al., 2019; Fromherz et al., 2021; Huang et al., 2021; Jordan et al., 2019; Lee et al., 2020; Leino & Fredrikson, 2021; Leino et al., 2021; Li et al., 2019; Singla et al., 2022; Trockman & Kolter, 2021; Wong et al., 2018; Zhang et al., 2018). Generally, such defenses attempt to provide a certificate of local robustness (given formally in Definition 1), which guarantees that a network's prediction on a given point is stable under small perturbations (typically in Euclidean (ℓ2) or sometimes ℓ∞ space); this precludes the possibility of small-norm adversarial examples on certified points. The success of a certified defense is typically measured empirically using verified robust accuracy (VRA), which reflects the fraction of points that are both (i) classified correctly and (ii) certified as locally robust. Despite the fact that perfect robust classification (i.e., 100% VRA) is known to be possible on standard datasets at the adversarial perturbation budgets used in the literature (Yang et al., 2020b), this possibility is far from realized in the current state of the art. For example, on the benchmark dataset CIFAR-10, state-of-the-art methods offering deterministic guarantees of ℓ2 robustness¹ have remained at approximately 60% VRA (Huang et al., 2021; Leino et al., 2021; Singla et al., 2022; Trockman & Kolter, 2021), while non-robust models handily eclipse 95% accuracy.
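As a concrete illustration of the metric, VRA can be computed from per-point predictions and certification outcomes as in the following minimal sketch (the function name and array-based interface are our own, not from any particular benchmark's code):

```python
import numpy as np

def verified_robust_accuracy(preds, labels, certified):
    """Verified robust accuracy (VRA): the fraction of points that are
    both (i) classified correctly and (ii) certified locally robust."""
    correct = np.asarray(preds) == np.asarray(labels)
    return float(np.mean(correct & np.asarray(certified)))
```

Note that VRA is always bounded above by both clean accuracy and the certified fraction, which is why loose certification directly depresses the metric.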
It is difficult to precisely account for this discrepancy, though among other reasons, state-of-the-art methods typically use loose bounds to perform certification (exact certification is, for general ReLU networks, NP-complete (Katz et al., 2017; Sinha et al., 2018)), which conceivably leads to falsely flagging truly robust points or to over-regularization of the learned model. While conservative approximations may be necessary to perform efficient certification (and to facilitate efficient robust training), it is certainly possible that they foil reasonable hopes for "optimality." In this work, we offer further insight into the shortcomings of modern certification techniques by analyzing their limitations in the context of the architectural settings in which they are conventionally employed. In particular, we find that piecewise linearity, a practically ubiquitous property of neural networks considered in the certification literature (e.g., standard ReLU and the more recently popularized "MinMax" (Anil et al., 2019) activations are both piecewise linear), fundamentally limits the power of Lipschitz-based ℓ2 local robustness certification. In effect, we argue, this means that extra capacity is needed simply to facilitate efficient certification, in addition to whatever capacity may be required for learning a robust boundary (e.g., as examined by Bubeck & Sellke (2021)). On the other hand, perhaps surprisingly, we prove that, free from the constraint of piecewise linearity, Lipschitz-based certification is powerful enough to perform complete certification on any decision boundary, provided the implementation of the function giving rise to the boundary is under the learner's control (indeed, this is consistent with the fact that the highest-performing certified defenses incorporate Lipschitz-based certification into training).
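To make the certification mechanism under discussion concrete, the sketch below shows a simplified, global-constant form of Lipschitz-based ℓ2 certification on a small ReLU network: if the network is K-Lipschitz (bounded here, loosely, by the product of layer spectral norms), the prediction at x is certifiably robust at radius ε whenever the logit margin exceeds √2·K·ε, since each logit difference is then at most √2·K-Lipschitz. The helper names are our own, and this is a schematic variant of what deployed methods use, not any particular system's implementation:

```python
import numpy as np

def lipschitz_upper_bound(W1, W2):
    # A (generally loose) global l2 Lipschitz bound for
    # x -> W2 @ relu(W1 @ x): the product of the layers' spectral
    # norms, using that ReLU is 1-Lipschitz.
    return np.linalg.norm(W1, 2) * np.linalg.norm(W2, 2)

def certify(logits, K, eps):
    # If f is K-Lipschitz in l2, each difference f_j - f_i is at most
    # sqrt(2)*K-Lipschitz, so a top-two margin exceeding sqrt(2)*K*eps
    # guarantees no class can overtake the prediction within radius eps.
    top2 = np.sort(logits)[-2:]
    margin = top2[1] - top2[0]
    return bool(margin > np.sqrt(2) * K * eps)

# Toy two-layer ReLU network.
W1, W2 = np.eye(2), np.eye(2)
K = lipschitz_upper_bound(W1, W2)  # = 1.0 for identity weights

def f(x):
    return W2 @ np.maximum(W1 @ x, 0.0)
```

The looseness of the bound K, together with the shape of the level curves of f, is exactly what determines which truly robust points this procedure fails to certify.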
These latter findings suggest that continued progress towards improving state-of-the-art VRA may be enabled by carefully chosen smooth activation functions,² which do not inherently limit the power of what are currently the most promising forms of efficient local robustness certification. In summary, the primary contributions of this work are as follows: (1) we show that piecewise linearity imposes inherent limitations on the tightness of efficient robustness certification; our primary focus is Lipschitz-based certification, but we discuss similar limitations of other methods in Appendix B; (2) we prove that Lipschitz-based certification is fundamentally powerful for tight robustness certification, provided that (i) the robust learning procedure has power over the implementation of the classifier, and (ii) the hypothesis class is not limited to piecewise-linear networks; and (3) we demonstrate that tight Lipschitz-based certification may require significant capacity overhead in piecewise-linear networks. These findings offer a new perspective on the sticking points of modern certified training methods and suggest possible paths forward. We begin in Section 2 by introducing the limitations piecewise linearity imposes on robustness certification, starting generally and narrowing our focus specifically to Lipschitz-based certification. We then discuss the role that capacity plays in mitigating these limitations in Section 3, which concludes with a discussion of the implications of our findings, both retrospectively and prescriptively. Finally, we discuss related work in Section 4 and offer our concluding remarks in Section 5.

2. LIMITATIONS OF PIECEWISE LINEARITY

The main insights in this work stem from the simple, yet crucial observation that the points lying at a fixed Euclidean distance ε from a piecewise-linear decision boundary do not, in general, themselves comprise a piecewise-linear surface. Therefore, in order for a certification procedure to precisely recover the set of robust points (those which lie at a distance of at least ε from the decision boundary), it must be capable of producing a boundary between robust and non-robust points that is not piecewise linear, even on networks that are. However, as we will see, Lipschitz-based certification, for example, is in fact constrained to produce a piecewise-linear "certified frontier" on piecewise-linear networks, as the set of just-certifiable points essentially corresponds to a level curve in the output of the network being certified. On the other hand, if the level curves of the function being certified correspond (up to some constant factor) to their distance from the decision boundary (and must therefore include smooth curves), Lipschitz-based certification identifies precisely the points that are truly ε-locally robust, provided a tight bound on the Lipschitz constant. As we will make clear, this has important implications regarding the power of Lipschitz-based certification in properly suited network architectures.

In the remainder of this section, we formalize this intuition and discuss some of its implications. Section 2.1 introduces our main theorem regarding the limitations imposed by piecewise linearity, along with the necessary background and definitions. Section 2.2 narrows the focus to Lipschitz-based certification, showing that despite being powerful in general, it is fundamentally limited within the hypothesis class of piecewise-linear networks. Finally, Section 2.3 presents a thought experiment that provides basic intuition about the possible scale of the problems caused by these limitations.
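The observation that the set of points at fixed distance from a piecewise-linear boundary is itself curved can be checked numerically. In the toy construction below (ours, for illustration only), the decision boundary is the piecewise-linear curve y = |x|: away from the vertex, the points at distance exactly ε from the boundary lie on parallel line segments, but directly below the vertex they lie on a circular arc of radius ε, which no piecewise-linear certified frontier can reproduce exactly:

```python
import numpy as np

def dist_to_ray(p, direction):
    # Euclidean distance from point p to the ray {t * direction : t >= 0}.
    d = np.asarray(direction) / np.linalg.norm(direction)
    t = max(float(np.dot(p, d)), 0.0)   # clamp projection to the ray
    return float(np.linalg.norm(p - t * d))

def dist_to_boundary(p):
    # The boundary y = |x| is the union of two rays from the origin.
    return min(dist_to_ray(p, [1.0, 1.0]), dist_to_ray(p, [-1.0, 1.0]))

eps = 0.5
# Points on a circular arc of radius eps directly below the vertex
# (angles within the vertex's normal cone, here +/- 0.7 rad): every
# one of them is at distance exactly eps from the boundary.
arc = [eps * np.array([np.sin(t), -np.cos(t)])
       for t in np.linspace(-0.7, 0.7, 5)]
```

Below a flat facet, by contrast, e.g. at (2.0, 1.9), the distance is the usual point-to-line value 0.1/√2: the ε-frontier is linear there and curved only near the vertex, so any exact certification frontier must mix the two.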



¹ In this work we primarily consider certified defenses that provide a deterministic guarantee of local robustness, as opposed to a statistical guarantee. For further discussion of this point, see Section 4.
² Or at least, activation functions which enable learning curved (as opposed to piecewise-linear) functions.

