Back to the profile of Alessandro De PalmaRobustness to Perturbations in the Frequency Domain: Neural Network Verification and Certified Training
Abstract: Deploying neural networks in safety critical applications such as autonomous driving requires assurance on their robustness. Deterministic robustness assessment can be made using formal verification. Existing frameworks for network verification and certified training verify and robustify networks against specifications capturing specific transformations or perturbations in the pixel or latent space. However recent works highlight the vulnerability of networks to perturbations and attacks in the frequency domain which cannot be precisely captured by the existing specifications. Therefore we present a framework to encode verify and robustly train frequency-characterised specifications. Our approach defines input specifications in the Fourier domain and propagates them using an inverse Fourier-transform encoding network prepended to the network to be verified. We demonstrate the ability of our framework to encode perturbations across the spectrum from the low-frequency intensity changes up to the high-frequency white noise kernel-based and domain changes. We then use SoA verifiers to verify differently-trained networks for non-trivial robustness guarantees against some of these practically relevant specifications. Finally we integrate our framework within existing certified training schemes to enhance network's verified robustness against the proposed specifications by up to 50%.
Loading