Tight Robustness Certificates and Wasserstein Distributional Attacks for Deep Neural Networks

ICLR 2026 Conference Submission 18274 Authors

19 Sept 2025 (modified: 08 Oct 2025), CC BY 4.0
Keywords: Robust Optimization, Adversarial Attack, Wasserstein distributionally robust optimization
TL;DR: We leverage ReLU networks' piecewise-affine structure for exact WDRO characterization and propose distributional attacks that construct worst-case distributions, achieving tighter robustness certificates than existing methods.
Abstract: Wasserstein distributionally robust optimization (WDRO) provides a framework for adversarial robustness, yet existing methods based on global Lipschitz continuity or strong duality often yield loose upper bounds or require prohibitive computation. In this work, we address these limitations by introducing a primal approach and adopting a notion of exact Lipschitz certificate to tighten this upper bound of WDRO. In addition, we propose a novel Wasserstein distributional attack (WDA) that directly constructs a candidate for the worst-case distribution. Compared to existing point-wise attacks and their variants, our WDA offers greater flexibility in the number and location of attack points. In particular, by leveraging the piecewise-affine structure of ReLU networks on their activation cells, our approach results in an exact tractable characterization of the corresponding WDRO problem. Extensive evaluations demonstrate that our method achieves competitive robust accuracy against state-of-the-art baselines while offering tighter certificates than existing methods.
Primary Area: optimization
Submission Number: 18274