% SAIV Extended Abstract
% Page Limit: No Limit
% Deadline: Mi, 30.4. 12:00 UTC

% This is samplepaper.tex, a sample chapter demonstrating the
% LLNCS macro package for Springer Computer Science proceedings;
% Version 2.21 of 2022/01/12
%
\documentclass[runningheads]{llncs}
%
\usepackage[T1]{fontenc}
% T1 fonts will be used to generate the final print and online PDFs,
% so please use T1 fonts in your manuscript whenever possible.
% Other font encodings may result in incorrect characters.
%
\usepackage{graphicx}
% Used for displaying a sample figure. If possible, figure files should
% be included in EPS format.
%
% If you use the hyperref package, please uncomment the following two lines
% to display URLs in blue roman font according to Springer's eBook style:
%\usepackage{color}
%\renewcommand\UrlFont{\color{blue}\rmfamily}
%\urlstyle{rm}
%
\usepackage{xcolor}
\usepackage{booktabs}
\usepackage[misc]{ifsym}
\newcommand{\corr}{(\Letter)}

%\usepackage{caption}
% \usepackage{subcaption}
%\usepackage{multirow}
\usepackage{listings,chngcntr}
\usepackage{xcolor} % For custom colors in code

% Define a style for your code
\lstset{
  language=Python,                 % Choose the language of the code
  basicstyle=\ttfamily\small,      % Code font size and family
  keywordstyle=\color{blue},       % Style for keywords
  stringstyle=\color{red},         % Style for strings
  commentstyle=\color{gray},       % Style for comments
  numberstyle=\tiny\color{gray},   % Style for line numbers
  stepnumber=1,                    % Number every line
  numbersep=5pt,                   % Distance of line numbers from code
  backgroundcolor=\color{lightgray!20}, % Background color for code block
  frame=single,                    % Add a frame around code
  tabsize=2,                       % Default tab size
  captionpos=b,                    % Caption position (b for bottom)
  breaklines=true,                 % Break long lines
  breakatwhitespace=true,          % Break lines at white space
  showspaces=false,                % Don't show spaces
  showstringspaces=false,          % Don't show spaces in strings
  showtabs=false,                  % Don't show tabs
  numbers=left                     % Line numbers on the left
}
\renewcommand{\lstlistingname}{Code Example}

\usepackage[flushleft]{threeparttable}

\usepackage{array}
\usepackage[caption=false]{subfig}
\usepackage{tabularx}
\usepackage{amsfonts}       % blackboard math symbols
\usepackage{amsmath,amssymb}
\usepackage{url}
\usepackage{float}
\newfloat{Listing}{htbp}{lop}[section]
\floatname{Listing}{Listing}
\newcommand{\hide}[1]{}

\definecolor{kkcolor}{rgb}{0.4,0.6,0.2}
\definecolor{hhcolor}{rgb}{0.2,0.6,0.6}
\definecolor{todocolor}{rgb}{0.9,0.1,0.1}
\definecolor{mkcolor}{rgb}{0.6,0.4,0.2}
\colorlet{hscolor}{blue!100}

\definecolor{changedcolor}{rgb}{0,0,1}

\newcommand{\nbc}[3]{
	{\colorbox{#3}{\bfseries\sffamily\scriptsize\textcolor{white}{#1}}}
	{\textcolor{#3}{\sf\small$\blacktriangleright$\textit{#2}$\blacktriangleleft$}}
}

\newcommand{\hh}[1]{
	\nbc{HH}{#1}{hhcolor}
}
\newcommand{\mk}[1]{
	\nbc{MK}{#1}{mkcolor}
}
\newcommand{\kk}[1]{
	\nbc{KK}{#1}{kkcolor}
}
\newcommand{\hs}[1]{\nbc{hs}{#1}{hscolor}}

\newcommand{\todo}[1]{
	\nbc{TODO}{#1}{todocolor}
}
\newcommand{\changed}[1]{
	\nbc{CHANGED}{#1}{changedcolor}
	% #1
}

%comment out the first and last line of the following block to hide all comments and markup:
% \hide{
	\renewcommand{\kk}[1]{}
	\renewcommand{\hh}[1]{}
	\renewcommand{\mk}[1]{}
	\renewcommand{\todo}[1]{}
	% \renewcommand{\changed}[1]{}
        \renewcommand{\changed}[1]{#1}
% }


\begin{document}
\counterwithin{lstlisting}{section}


\title{CTRAIN - A Training Library for \\ Certifiably Robust Neural Networks}
%
%\titlerunning{Abbreviated paper title}
% If the paper title is too long for the running head, you can set
% an abbreviated paper title here
%
\author{Konstantin Kaulen\inst{1} \and
% Hadar Shavit \inst{2,3}\orcidID{1111-2222-3333-4444} \and
Holger H. Hoos\inst{1,2}}
%
\authorrunning{Konstantin Kaulen and Holger H. Hoos}
% First names are abbreviated in the running head.
% If there are more than two authors, 'et al.' is used.
%
\institute{Chair for AI Methodology, RWTH Aachen University, Germany \and
LIACS, Leiden University, The Netherlands \\
\email{\{kaulen,hh\}@aim.rwth-aachen.de}}
%
\maketitle              % typeset the header of the contribution
%

\setcounter{footnote}{0}% Reset footnote counter

\begin{abstract}
Despite their widespread success, neural networks are susceptible to \textit{adversarial examples}, severely limiting their responsible deployment in safety-critical scenarios.
To address this, \textit{neural network verification} techniques have been proposed that rigorously prove 
the  robustness of a given network
% \hh{incorrect possessive}
against specific 
% \hh{minor edit:} 
threats.
However, the scalability of these methods remains a major challenge, with networks trained for empirical robustness still 
% \hh{minor edit:} 
proving difficult to verify.
Thus, \textit{certified training} has been proposed to produce networks more amenable to formal robustness verification.
However, there is currently no comprehensive framework allowing easy access to these training methods.
To address this, we introduce \texttt{CTRAIN}, a new Python library built upon the \texttt{auto\_LiRPA} package, which reimplements state-of-the-art certified training methods in 
a unified, modular and comprehensive manner, while offering user-friendly interfaces, enhancing accessibility for both researchers and practitioners.
% \hh{Is user-friendly the best we can say?}
Additionally, \texttt{CTRAIN} integrates \texttt{SMAC3} for hyperparameter optimisation and $\alpha\beta$-CROWN for complete verification, empowering users to 
exploit these systems to achieve state-of-the-art certified robustness.
% achieve state-of-the-art results.
% \hh{The last part of this sentence is a bit vague -- can you make it crisper? state-of-the-art what?}
We provide code, documentation, examples and usage instructions at \url{github.com/ada-research/CTRAIN}.
% \hh{Only the code or also examples for using CTRAIN? At least a quick-start guide?}
% \keywords{First keyword  \and Second keyword \and Another keyword.}
\end{abstract}
%
%
%
\section{Introduction}
In recent years, neural networks have shown remarkable performance across various application domains, ranging from computer vision \cite{dosovitskiy2021an} to protein structure prediction \cite{jumper2021highly}.
At the same time, it became evident that neural networks are typically not robust, as adversarially crafted, yet imperceptible, changes in the input can lead to incorrect
% changes in their 
% \hh{I'd rather say: to incorrect}
predictions \cite{szegedy2013intriguing}.
This circumstance severely limits the responsible deployment of machine learning models in safety-critical use cases.
% \hh{Better: use cases}
% To evaluate a network's robustness empirically, \textit{adversarial attacks}~\cite{goodfellow2014explaining}, \emph{i.e.}, methods that aim to find adversarial examples that violate robustness properties, have been proposed.
% However, the absence of adversarial examples does not \textit{prove} robustness against a given threat model.
To mitigate this issue, \textit{neural network verification} techniques have been proposed, which provide provable robustness guarantees using rigorous mathematical frameworks~\cite{katz2017reluplex,tjeng2018evaluating}.
Generally, these can be divided into two families: cheap incomplete methods attempt to solve the robustness verification problem by bounding the outputs of a network, but may not be able to prove a property due to overly loose bounds.
Complete methods will, in principle, always return a result but have to solve an expensive $\mathcal{NP}$-complete problem~\cite{salzer2021reachability,li2023sok}. 
Despite several algorithmic advancements, \emph{e.g.}, the inclusion of sophisticated network over-approximations \cite{DBLP:journals/jmlr/PalmaBBTK24,muller2022prima,singh2019abstract,wang2021beta,zhang2022general} or search techniques \cite{bunel2020branch}, the scalability of complete verification remains a major challenge.

Concurrently, specialised training methods were developed that aim to produce robust neural networks.
While state-of-the-art empirical robustness can be achieved using \textit{adversarial training} (see, \emph{e.g.}, \cite{DBLP:conf/iclr/MadryMSTV18,pmlr-v97-zhang19p}), 
% \hh{Should this be a `see, e.g., ...' citation?}
the resulting networks remain hard to verify.
Thus, there has been a surge of training methods that yield robust neural networks amenable to formal verification, therefore mitigating the challenge of limited scalability, giving rise to the concept of \textit{certified training}~\cite{mirman2018differentiable,gowal2019scalable}.
These methods employ an over-approximation of the worst-case adversarial loss using cheap incomplete robustness verification methods as the training objective to be minimised.
Several certified loss functions
% \hh{sounds awkward ... certified loss functions?}
leveraging this concept have been proposed, gradually advancing the state of the art regarding the number of input samples 
% \hh{input samples, right?}
for which the resulting networks are provably robust~\cite{DePalmaConexCombinations,gowal2019scalable,DBLP:conf/nips/MaoM0V23,SABR,DBLP:conf/nips/ShiWZYH21}.
However, the community to date lacks a comprehensive library that makes these techniques accessible to potentially inexperienced end users.

Therefore, we propose \texttt{CTRAIN}, an extensive Python library for certified training.
We provide, for the first time, implementations of all current state-of-the-art methods, based on the popular neural network bounding library \texttt{auto\_LiRPA}~\cite{XuAutoLirpa}, and make these accessible via a Python package.
Further, \texttt{CTRAIN} provides user-friendly interfaces to certifiably train neural networks based on the PyTorch framework~\cite{NEURIPS2019_bdbca288}.
Therefore, \texttt{CTRAIN} easily integrates into existing PyTorch training pipelines, neural network architecture specifications 
% \hh{better: specifications?}
and datasets.
Furthermore, we natively support sophisticated hyperparameter optimisation for certified training via the state-of-the-art optimiser \texttt{SMAC3}~\cite{lindauer2022smac3}.
Last but not least, \texttt{CTRAIN} includes several possibilities for robustness evaluation using adversarial attacks, incomplete verification and the state-of-the-art complete neural network verification system $\alpha\beta$-CROWN~\cite{wang2021beta,xu2020fast,zhang2018efficient}.

\section{Related Work}
In the following, we provide an overview of 
% \hh{slightly modified:}
work related to \texttt{CTRAIN}, focusing on tools that provide functionalities for training robust neural networks.
% Since it became apparent that neural networks exhibit a lack of robustness, the research community acknowledged the need for easy and intuitive ways to train models that are more resistant against adversarial perturbations. 
To date, several easy-to-use and performant libraries have been proposed that implement adversarial training methods.
% \hh{I wouldn't use italics here.}
% \hh{modified:}
Among these, the \texttt{Adversarial Robustness Toolbox} (ART)~\cite{ART} and \texttt{DeepRobust} \cite{Li_Jin_Xu_Tang_2021} constitute the most extensive and popular libraries, having accumulated over five thousand\footnote{\url{github.com/Trusted-AI/adversarial-robustness-toolbox}} and one thousand\footnote{\url{github.com/DSE-MSU/DeepRobust}} stars 
% \hh{perhaps it would be better to state what the stars are (not everyone might now)}
on GitHub, respectively.
These stars allow users to indicate interest in a repository and to bookmark it.
Both implement multiple adversarial training methods, \emph{e.g.}, training for robustness on examples created through the \textit{Projected Gradient Descent} (PGD) method~\cite{DBLP:conf/iclr/MadryMSTV18}, a strong iterative adversarial attack.
However, these libraries lack proper support for methods that focus on producing easily verifiable networks.
% through certified training. 
Specifically, ART only supports early advancements from the field that no longer constitute the state of the art \cite{gowal2019scalable,mirman2018differentiable}, while \texttt{DeepRobust} implements no certified training method at all.

Recently, \texttt{CTBench}, a novel and unified library for certified training, has been proposed~\cite{mao2024ctbench}.
\texttt{CTBench} implements several state-of-the-art protocols, including SABR~\cite{SABR} and MTL-IBP \cite{DePalmaConexCombinations}, and the authors reported very strong results using their implementation. 
% \hh{modified:}
Nonetheless, \texttt{CTBench} cannot be easily integrated into existing code, since it relies on independent training scripts, 
and a Python package providing convenient options for running the \texttt{CTBench} training code does not exist.
In addition, \texttt{CTBench} employs the verification system MN-BaB \cite{ferrari2022complete} to evaluate the certifiable robustness of trained neural networks, which has been shown to be consistently outperformed by $\alpha\beta$-CROWN~\cite{wang2021beta,xu2020fast,zhang2018efficient} in recent studies and competitions~\cite{konig_jmlr,muller2022third}.
While we acknowledge the importance of \texttt{CTBench}, we believe that researchers as well as end users will profit from easy-to-use alternative implementations based on the popular \texttt{auto\_LiRPA} library.
In addition, we believe that the use of $\alpha\beta$-CROWN will lead to more precise assessments of certified training methods.

% Given these related works, we are confident that \texttt{CTRAIN} is a valuable addition to the landscape of robust training libraries.

\section{Overview of \texttt{CTRAIN}}
In the following, we describe the key components and features of the \texttt{CTRAIN} library, including supported certified training methods, 
% \hh{slightly reworded:}
affordances for evaluating the empirical and certified robustness of neural networks, and native support for hyperparameter optimisation of  certified training methods.

\subsection{Certified Training with \texttt{CTRAIN}}
\textbf{Selected Certified Training Methods.}
\noindent\texttt{CTRAIN} implements several state-of-the-art algorithms for certified training.
% \hh{modified:}
In selecting these, we focused on methods that provide \textit{deterministic} robustness guarantees against all possible perturbations included in the $l_\infty$ norm balls with radius $\epsilon$ around input images.
These perturbations constitute the properties typically examined in the neural network verification literature (see, \emph{e.g.},~\cite{brix2023first,konig_jmlr}).
Furthermore, we excluded methods that rely on non-standard neural network components not natively supported by the PyTorch library \cite{NEURIPS2019_bdbca288}.
% such as \textit{SortNet} \cite{DBLP:conf/nips/ZhangJH022}, a special architecture designed to be inherently robust.

The best-performing losses 
% \hh{better: loss functions? (your call, if we make the change, we should do it everywhere)}
for deterministic certified training are based on Interval Bound Propagation (IBP)~\cite{gowal2019scalable}, the conceptually simplest incomplete verification method.
IBP employs interval arithmetic to bound the outputs of a neural network which, in turn, can be used to calculate a sound upper bound of the worst-case loss on adversarial examples.
% Generally, these techniques require a specialised training schedule called $\epsilon$-\textit{annealing}, where the perturbation magnitude $\epsilon$ is gradually increased~\cite{gowal2019scalable}.
The closely related \textit{CROWN-IBP}~\cite{zhang2019towards} relies on the tighter bounding method CROWN~\cite{zhang2018efficient} in combination with IBP to improve on standard IBP-based certified training.
Shi et al.~\cite{DBLP:conf/nips/ShiWZYH21} propose further improvements to IBP through an initialisation procedure and loss regularisers that are specifically crafted to stabilise certified training.
% \hh{Please review guidelines on the use of which vs that. I've changed it here, but you should learn about and adopt the correct use.}

Recently, significant advancements have been made by combining PGD-based adversarial training with IBP-based certified training.
Those methods rely on unsound approximations of the worst-case adversarial loss, but yield strongly improved performance.
% Here, the state-of-the-art is constituted by SABR \cite{SABR}, TAPS and STAPS \cite{DBLP:conf/nips/MaoM0V23} and MTL-IBP \cite{DePalmaConexCombinations}.
\textit{SABR}~\cite{SABR} uses PGD to identify adversarial examples in the $l_\infty$ norm ball around the training instance, which are in turn used as the centre of a smaller norm ball.
This smaller input region is then employed in standard IBP bounding to obtain the overall training loss. 
\textit{TAPS}~\cite{DBLP:conf/nips/MaoM0V23} combines adversarial and certified training by first propagating an input region through the feature extractor of a network using IBP, and by then adversarially training the classifier using latent adversarial examples that lie in the output region of the feature extractor.
\textit{STAPS}~\cite{DBLP:conf/nips/MaoM0V23} works similarly to TAPS, but uses SABR instead of IBP to obtain intermediate bounds.
% \hh{network bounds sounds a bit odd ... just bounds?}
Finally, \textit{MTL-IBP}~\cite{DePalmaConexCombinations} is a representative member of the family of \textit{expressive losses}, \emph{i.e.}, losses that combine adversarial and certified losses through convex combinations.
The MTL-IBP loss consists of the weighted sum of the certified loss obtained using IBP and the PGD-based adversarial loss.
% , weighted according to a trade-off parameter $\alpha$.
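
The following added example (not part of \texttt{CTRAIN} or of the cited papers' code) computes the IBP, SABR and MTL-IBP losses described above on a constructed two-layer ReLU network in plain Python.
The network weights, all function names, the corner search that stands in for PGD, and the parameters \texttt{lam} (ratio of the SABR box radius to $\epsilon$) and \texttt{alpha} (MTL-IBP weight on the IBP loss) are assumptions made for illustration.

```python
import math
from itertools import product

# Constructed toy network: 2 inputs -> 3 ReLU units -> 2 logits.
# The weights are illustrative values, not taken from CTRAIN or any paper.
W1 = [[1.0, -1.0], [0.5, 1.0], [-1.0, 0.5]]
B1 = [0.0, -0.2, 0.1]
W2 = [[1.0, 0.5, -1.0], [-1.0, 0.5, 1.0]]
B2 = [0.1, -0.1]


def affine_bounds(W, b, lo, hi):
    """Interval arithmetic for Wx + b: the box centre goes through W,
    the box radius goes through |W|."""
    out_lo, out_hi = [], []
    for row, bias in zip(W, b):
        centre = sum(w * (l + h) / 2 for w, l, h in zip(row, lo, hi)) + bias
        radius = sum(abs(w) * (h - l) / 2 for w, l, h in zip(row, lo, hi))
        out_lo.append(centre - radius)
        out_hi.append(centre + radius)
    return out_lo, out_hi


def ibp_logit_bounds(lo, hi):
    """Sound element-wise logit bounds for every input in the box [lo, hi]."""
    lo, hi = affine_bounds(W1, B1, lo, hi)
    # ReLU is monotone, so it can be applied to both bounds directly.
    lo, hi = [max(0.0, v) for v in lo], [max(0.0, v) for v in hi]
    return affine_bounds(W2, B2, lo, hi)


def forward(x):
    """Ordinary forward pass, obtained as IBP on a zero-width box."""
    return ibp_logit_bounds(x, x)[0]


def predict(x):
    z = forward(x)
    return z.index(max(z))


def cross_entropy(logits, y):
    m = max(logits)
    return m + math.log(sum(math.exp(z - m) for z in logits)) - logits[y]


def worst_case_logits(lo, hi, y):
    """Lowest possible true-class logit, highest possible logit elsewhere."""
    z_lo, z_hi = ibp_logit_bounds(lo, hi)
    return [z_lo[j] if j == y else z_hi[j] for j in range(len(z_lo))]


def ibp_certified(x, y, eps):
    """True if IBP proves class y for the whole l_inf ball of radius eps."""
    z = worst_case_logits([v - eps for v in x], [v + eps for v in x], y)
    return all(z[y] > z[j] for j in range(len(z)) if j != y)


def corner_attack(x, y, eps):
    """Stand-in for PGD (assumption): pick the box corner with highest loss."""
    corners = [[v + s * eps for v, s in zip(x, signs)]
               for signs in product((-1.0, 1.0), repeat=len(x))]
    return max(corners, key=lambda c: cross_entropy(forward(c), y))


def training_losses(x, y, eps, lam, alpha):
    """Adversarial, SABR, MTL-IBP and IBP loss for one training sample."""
    x_adv = corner_attack(x, y, eps)
    adv = cross_entropy(forward(x_adv), y)
    # IBP: loss on the worst-case logits over the full eps-ball.
    ibp = cross_entropy(
        worst_case_logits([v - eps for v in x], [v + eps for v in x], y), y)
    # SABR: IBP over a smaller box of radius tau around the adversarial
    # point, with the centre clamped so the box stays inside the eps-ball.
    tau = lam * eps
    centre = [min(max(a, v - eps + tau), v + eps - tau)
              for a, v in zip(x_adv, x)]
    sabr = cross_entropy(
        worst_case_logits([c - tau for c in centre],
                          [c + tau for c in centre], y), y)
    # MTL-IBP: convex combination of the adversarial and the IBP loss.
    mtl_ibp = (1 - alpha) * adv + alpha * ibp
    return {"adv": adv, "sabr": sabr, "mtl_ibp": mtl_ibp, "ibp": ibp}


if __name__ == "__main__":
    x, y = [0.5, 0.2], 0  # constructed sample with label 0
    print(training_losses(x, y, eps=0.1, lam=0.4, alpha=0.5))
    for eps in (0.1, 0.2, 0.3):
        print(eps, ibp_certified(x, y, eps), predict(corner_attack(x, y, eps)))
```

For this input, the network is in fact robust at $\epsilon = 0.2$ (the logit margin stays at least 0.2 over the whole ball), yet the IBP bounds are too loose to certify it; at $\epsilon = 0.3$ the corner search finds a misclassified point.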

% \hh{slightly modified:}
In \texttt{CTRAIN}, we have included all previously mentioned certified training methods, \emph{i.e.}, IBP, CROWN-IBP, SABR, TAPS, STAPS and MTL-IBP,
ensuring comprehensive coverage of established approaches.
This selection provides users with a diverse and relevant set of techniques, since
% With these, we are confident to have included a relevant set of protocols for a potential user.
% \hh{The previous sentence sounds vague. Can you make it crisper? Also, the term `protocols' sounds odd in this context. Finally, the next sentence doesn't connect well to the previous, so this paragraph needs work.}
methods combining adversarial and certified losses have shown the strongest results in recent literature and thus constitute the state of the art (see, \emph{e.g.},~\cite{DePalmaConexCombinations,mao2024ctbench,DBLP:conf/iclr/MaoM0V24}).
While standard IBP and CROWN-IBP training have been surpassed performance-wise, they remain the most computationally efficient and, thus, represent viable alternatives when potent hardware is not available.

% \subsection{Certified Training with \texttt{CTRAIN}}
% In this section, we lay out the key components of the certified training workflow as supported by \texttt{CTRAIN}.

% The core of certified training is the loss function which we allow the user to configu
% For each hyperparameter, we provide an explanation of its purpose along with a reference to its name as mentioned in the original publication in \texttt{CTRAIN}'s documentation.
% In addition, we also provide sensible default values for the training parameters.

% Generally, to train models with \texttt{CTRAIN} users must specify a neural network architecture, an $\epsilon$ value defining the perturbation magnitude
% % that defines the $l_\infty$ perturbation magnitude the model should be hardened against
% % , the certified training method that should be used
% , the number of epochs for which the network should be trained and a PyTorch \texttt{data loader} that holds the inputs of the training set.
% The neural network definition must implement the \texttt{nn.Module} base class from the PyTorch library.

% Usually, when providing experimental results, $\epsilon$ values are given in an unstandardised form (see, \emph{e.g.},~\cite{brix2023first,konig_jmlr}).
% However, when the dataset is standardised, $\epsilon$ values must be scaled accordingly, which might represent a common pitfall for inexperienced users.
% Thus, \texttt{CTRAIN} automatically scales $\epsilon$ values based on mean and standard deviation values that may be provided through additional attributes of the \texttt{data loader} objects. \hs{add that the standardisation is a common practice (citation) and maybe some formula on how it is actually computed}
% \texttt{CTRAIN} provides data loading functions for common datasets that set those attributes automatically when standardisation is desired.
% If those attributes are not set, \texttt{CTRAIN} examines the transforms applied to the data loader and uses the mean and standard deviation of the \texttt{tranforms.Normalize} operation, if it is present.
% Otherwise, the data must lie between 0 and 1 and the $\epsilon$ value is not scaled.

% At the start of the training process, we always incorporate an $\epsilon$-annealing phase for an user-specified duration. 
% used during annealing and thereafter.
% To schedule the current $\epsilon$ value for each batch, we use the \texttt{SmoothedScheduler} from the \texttt{autoLiRPA} package \cite{XuAutoLirpa}.
% Optionally, the annealing phase may also be preceded by a warm-up phase, where the network is trained on the clean loss.
% for a defined number of epochs.

\noindent\textbf{Key Features of \texttt{CTRAIN}.}
In \texttt{CTRAIN} we provide, for the first time, a unified implementation of the state of the art in certified training based on the \texttt{auto\_LiRPA}~\cite{XuAutoLirpa} library.
This package serves as the backbone of the state-of-the-art verification tool $\alpha\beta$-CROWN~\cite{xu2020fast,wang2021beta}, is actively maintained, implements a variety of incomplete verification techniques and is popular among the neural network verification community, as attested by over 250 GitHub stars\footnote{\url{github.com/Verified-Intelligence/auto_LiRPA}}.
Furthermore, it provides extensive support for many popular
% \hh{can this be strengthened? many popular?}
network architectures, ranging from convolutional networks to transformers.

%\hh{The wording in the following should be improved: In CTRAIN, we implemented the previouysly mentioned ... closely following ... Furthermore, we unified ...}
In \texttt{CTRAIN}, we implemented the previously mentioned certified training methods closely following the original literature and codebases, but reimplemented all relevant parts of certified training in a modular and highly configurable fashion.
Furthermore, we unified varying implementations of network bounding, loss calculation and adversarial attacks into one comprehensive code base.
Therefore, \texttt{CTRAIN} enhances comparability between methods by standardising their shared
% \hh{shared?}
components, such as IBP bounding or regularisation.
Additionally, all components of \texttt{CTRAIN} are implemented using PyTorch \cite{NEURIPS2019_bdbca288};
thus, the package integrates well into common machine learning pipelines and 
PyTorch components such as optimisers, regularisers, and data augmentations can be seamlessly incorporated.

% Throughout all method implementations, we apply the initialisation and regularisation procedures proposed by Shi et al.~\cite{DBLP:conf/nips/ShiWZYH21}.
% The regularisers are only added to the training objective during the annealing phase and may be weighted according to user preferences.


% For the optimisation of the network parameters, users may provide any optimiser that implements the \texttt{torch.optim.Optimizer} class.
% By default, the \textit{Adam}~\cite{DBLP:journals/corr/KingmaB14} optimiser is employed.
% % In addition, users should specify a learning rate used for the optimisation of the training objective.
% Optionally, the learning rate can be decayed by a given factor at predefined epochs.

% Last but not least, we also make method-specific parameters configurable by users, \emph{e.g.}, the trade-off parameter $\alpha$ used in MTL-IBP~\cite{DePalmaConexCombinations} or the subselection ratio $\lambda$ employed by SABR~\cite{SABR}.

\subsection{Evaluation}
% The training of certifiably robust models is only one part of the process required to provide certifiably safe neural networks.
To assess whether the network actually adheres to desired robustness properties, users require easy and extensive possibilities to evaluate neural networks 
% \hh{Awkward: `the obtained neural networks' -- please reword. Also, obtained from what/where?}
regarding their certified and empirical robustness, which \texttt{CTRAIN} provides.
Notably, \texttt{CTRAIN} can also be used to evaluate models that were trained 
% \hh{modified -- check:}
outside of its training workflow and, thus, also represents a valuable tool for users who 
only wish to use the evaluation capabilities of \texttt{CTRAIN}.
% \hh{Bring back the part of the sentence currently commented out?}

% Generally, all evaluation methods require the user to pass the network that should be evaluated, 
% the perturbation magnitude $\epsilon$ 
% % that defines the robustness property 
% and a data loader, which holds the inputs for which the robustness should be assessed.
% Since the evaluation procedure may be costly, especially when employing complete verification, users may also provide a number of samples for which the evaluation is carried out.
% The evaluation methods return the accuracy for which the network is certifiably or empirically robust respectively as well as the robustness result for each investigated input sample.
\smallskip
\noindent\textbf{Empirical Robustness.}
To evaluate the robustness of a given network against adversarial attacks, 
% \hh{please consistently use past tense to talk about work accomplished, observations made, etc. (except for `eternal truths'.}
we implemented the \textit{PGD} attack \cite{DBLP:conf/iclr/MadryMSTV18}, which to date is the \emph{de facto} standard method to assess empirical robustness.
For example, state-of-the-art verification tools such as $\alpha\beta$-CROWN \cite{wang2021beta} or MN-BaB \cite{ferrari2022complete} use this attack to identify counter-examples.
% that prove the violation of robustness properties.
% Users can decide on the number of restarts, the number of steps and the step size of the attack.
% Furthermore, if desired, the attack can stop early, as soon as it finds an adversarial example, to save computation.
% \hh{computation?}
% By default, we evaluate using 5 restarts with 40 steps each and a step size of $0.1 \epsilon$.

\smallskip
\noindent\textbf{Incomplete Verification.}
To give provable guarantees of the robustness of neural networks, \texttt{CTRAIN} implements 
% \hh{Here, present tense is OK, since it is an eternal truth.}
several incomplete verification methods using \texttt{auto\_LiRPA}.
More specifically, the incomplete bounding methods \textit{IBP} \cite{gowal2019scalable}, \textit{CROWN-IBP} \cite{zhang2019towards} and \textit{CROWN} \cite{zhang2022general} are included.
These methods differ in the tightness of 
% \hh{awkward wording:} 
the network bounds they compute, 
but also in their computational complexity. 
\textit{IBP} is the cheapest and loosest incomplete method, \textit{CROWN-IBP} gives tighter bounds at increased computational cost, and \textit{CROWN} is the tightest and most expensive method.
% \hh{Please review the comma rules for dependent and independent clauses. I've fixed it here, but you should know.}
Users can decide whether all inputs that should be investigated are verified using one method, or whether verification is performed in an \textit{adaptive} fashion. 
In the latter case, the supported methods are progressively applied to input samples in increasing order of their computational costs.
Therefore, easy verification problems are solved with cheap methods, while computationally expensive methods are only applied to problems where their tightness is required to obtain a solution
(see, \emph{e.g.}, \cite{DePalmaConexCombinations,mao2024ctbench}).
% \hh{This sounds like something you've done in CTRAIN ... is this a new idea? If so, call it out; if not, refer to the literature.}


\smallskip
\noindent\textbf{Complete Verification.}
Finally, \texttt{CTRAIN} also provides an interface to the state-of-the-art complete verification system $\alpha\beta$-CROWN.
Complete verification provides the most accurate assessment of the certified robustness of a given network at the cost of significantly increased computational requirements.
In particular, networks trained using recent methods based on surrogate losses
% like MTL-IBP or SABR, 
require complete verification to obtain precise robustness measurements \cite{DePalmaConexCombinations,SABR}.

To save computational resources, \texttt{CTRAIN} first attempts to obtain a solution to the verification query by applying its included incomplete verification techniques and by running the \textit{PGD} adversarial attack, before invoking $\alpha\beta$-CROWN~\cite{DePalmaConexCombinations,mao2024ctbench}.
% If those attempts do not succeed, \texttt{CTRAIN} invokes $\alpha\beta$-CROWN.
% \hh{Is this a new idea? If so, call it out; if not, refer to the literature.}


\subsection{Hyperparameter Optimisation}

All certified training methods are parametrised by an extensive and diverse set of hyperparameters, such as the number of $\epsilon$-annealing epochs or the settings of the PGD attack.
% \emph{e.g.} the number of $\epsilon$-annealing epochs or the number of steps carried out during the PGD attack.
Furthermore, the values chosen for those parameters influence the training outcome strongly, ranging from training collapse to state-of-the-art results.
Recent works tackle the hyperparameter optimisation problem by employing manual \cite{DePalmaConexCombinations} or grid search~\cite{mao2024ctbench} over an expert-designed configuration space.
In any case, these approaches to hyperparameter tuning for certified training currently require extensive domain knowledge to identify suitable parameter choices.
% \hh{Slightly reworded:}
To mitigate this prerequisite and thereby make hyperparameter tuning more accessible to potentially inexperienced practitioners, \texttt{CTRAIN} implements preconfigured hyperparameter optimisation as one of its core components.

We employ the state-of-the-art hyperparameter optimisation system \texttt{SMAC3} \cite{lindauer2022smac3} for the tuning task, since it has demonstrated remarkable performance across various recent benchmarks~\cite{DBLP:conf/nips/EggenspergerMMF21,pmlr-v188-pfisterer22a}.
For each of the implemented certified training methods, we provide a configuration space, out of which \texttt{SMAC3} attempts to find the best-performing configuration. 
Thus, when using \texttt{CTRAIN}, users do not require domain knowledge to achieve state-of-the-art results on novel datasets for which no well-performing configurations are known.

% To carry out the hyperparameter optimisation task, users must provide a training data loader, on which the networks are trained, and a validation data loader on which the trained neural network is then evaluated.

By default, \texttt{CTRAIN} aims to optimise the sum of natural, certified and adversarial accuracy, since all of these metrics represent desirable properties of a certifiably trained neural network, \emph{i.e.}, strong performance on natural and adversarial inputs and easy verifiability.
Nevertheless, the accuracy values that should be included in the optimisation objective can be weighted according to user preferences.
To keep the evaluation overhead manageable, these values are by default computed on the first 1000 samples of the validation dataset, using \textit{CROWN}.

The \texttt{CTRAIN} hyperparameter optimisation procedure begins by exploring the search space through random search, for a number of iterations determined by the number of hyperparameters in the configuration space.
Compared to the default of \texttt{SMAC3}, we limit this number to avoid overspending on random configurations, since training and evaluation are costly.
In addition, \texttt{CTRAIN} allows users to specify a pre-defined configuration, which is assumed to perform well.
This modification to the \texttt{SMAC3} optimisation procedure facilitates the exploitation of expert user knowledge.
Subsequently, \texttt{CTRAIN} continues with the optimisation procedure until the budget is exhausted.
% \hh{This last sentence should be modified. It sounds like it really just runs SMAC3 as is done usually.}


\section{Implementation}
% \hs{user interface? you already described implementation on 3.1}
In the following, we explain the architectural details and implementation of the \texttt{CTRAIN} library, highlighting its modular and well-structured design as well as its easy usability.

First and foremost, we designed \texttt{CTRAIN} as a Python library that can easily be installed and set up using package management tools such as \texttt{pip}.
Furthermore, we made sure that \texttt{CTRAIN} seamlessly integrates into common machine learning workflows without the need to run separate scripts or to set up different environments. We implemented \texttt{CTRAIN} in Python 3, currently using \texttt{torch} in version 2.2.2 and \texttt{auto\_LiRPA} in version 0.50 as its core libraries.
Our implementation can be accessed at \url{github.com/ada-research/CTRAIN}.

\smallskip
\noindent\texttt{CTRAIN.model\_wrappers.}
As a result of our considerations for the design of \texttt{CTRAIN}, we provide a package implementing \textit{model wrappers} that can be easily included into existing code.
These wrappers encapsulate predefined or pretrained neural networks and expose core functionalities in an accessible manner.

We show an example of the usage of the model wrappers provided by \texttt{CTRAIN} in Code Example \ref{lst:example}.
For each of the supported training methods, there is one separate wrapper.
These objects take the neural network, which must inherit from the PyTorch \texttt{nn.Module} class, the perturbation magnitude $\epsilon$ that defines the training and verification objectives, and the method-specific training hyperparameters as arguments.
Since using a higher $\epsilon$ during training compared to evaluation might be beneficial (see, \emph{e.g.},~\cite{DePalmaConexCombinations,zhang2019towards}), users can define a multiplier to scale the training $\epsilon$.
Training is invoked via the \texttt{train\_model} function, while an evaluation of natural, robust and certified performance can be carried out using the \texttt{evaluate} or \texttt{evaluate\_complete} functions, respectively.
% \hh{Respectively is always preceded by comma; fixed now.}
The hyperparameter optimisation procedure is implemented in the \texttt{hpo} function, for which an optimisation budget should be provided that specifies for how long the optimisation procedure runs. 
Furthermore, the user may pass a default configuration to be investigated during the optimisation process.

The \texttt{model\_wrappers} package is easily extensible, since all wrappers inherit from the common base class \texttt{CTRAINWrapper}, which implements method-independent functionalities such as evaluation, checkpoint saving and hyperparameter optimisation.
In addition, it was of paramount importance for \texttt{CTRAIN} to be compatible with common \texttt{PyTorch} operations.
Therefore, the base class inherits from the \texttt{nn.Module} class and, thus, all wrappers can be used in existing training and evaluation workflows.

\begin{Listing}[t]
\begin{lstlisting}[language=Python, label={lst:example}, caption={
% \hh{slightly modified:}
\texttt{CTRAIN} is easy to use for certifiably training and evaluating neural networks:
In twelve lines of code, users can load a dataset, define the standard CNN7 network architecture proposed by Shi et al. \cite{DBLP:conf/nips/ShiWZYH21}, certifiably train the network using IBP and evaluate it, using adversarial attacks and incomplete verification.
}]
from CTRAIN.model_definitions import CNN7_Shi
from CTRAIN.data_loaders import load_cifar10
from CTRAIN.model_wrappers import ShiIBPModelWrapper

train_loader, test_loader = load_cifar10(val_split=False)
in_shape = [3, 32, 32]

model = CNN7_Shi(in_shape=in_shape)
wrapped_model = ShiIBPModelWrapper(model=model, input_shape=in_shape, eps=2/255, num_epochs=160)

wrapped_model.train_model(train_loader)
std_acc, cert_acc, adv_acc = wrapped_model.evaluate(test_loader)
\end{lstlisting}
\end{Listing}
\smallskip
\noindent\texttt{CTRAIN.bound.}
The \texttt{bound} module implements all bounding operations required during training and incomplete verification, based on the \texttt{auto\_LiRPA} package.
More specifically, it implements the sound bounding operations IBP, CROWN-IBP and CROWN as well as the unsound SABR and TAPS bounds.

\smallskip
\noindent\texttt{CTRAIN.data.}
Although \texttt{CTRAIN} is fully compatible with standard \texttt{PyTorch} data loaders, we provide functions that load the common vision datasets MNIST~\cite{lecun1998mnist}, CIFAR-10~\cite{krizhevsky2009learning} and TinyImageNet~\cite{tinyimagenet}.
% \texttt{CTRAIN} sets the mean and standard deviation values used during standardisation as separate attributes of the data loaders, to automatically scale the perturbation magnitude $\epsilon$ accordingly.

\smallskip
\noindent\texttt{CTRAIN.eval.}
The \texttt{eval} package provides all functions required to evaluate standard, robust and certified accuracy of neural networks, including functions to carry out incomplete and complete verification as well as adversarial attacks.
Generally, all evaluation methods require the user to pass the network that should be evaluated, 
the perturbation magnitude $\epsilon$ 
% that defines the robustness property 
and a data loader, which holds the inputs for which the robustness should be assessed.
Since the evaluation procedure may be costly, especially when employing complete verification, users may also provide a number of samples 
for which the evaluation is carried out in the given order of the evaluation set.
% for which the evaluation is carried out.
% \hh{how does is this number used in selecting the inputs to be used? in order? random sampling with/without replacement?}
To utilise complete verification, users must pass, in addition to the arguments generally required for evaluation, the allowed maximum running time per verification query and the number of CPU cores $\alpha\beta$-CROWN may utilise.
In addition, a dictionary including configuration values for $\alpha\beta$-CROWN 
that adhere to its documentation may be provided.
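
The sound IBP bounds provided by the \texttt{bound} module, and the certified accuracy that the \texttt{eval} package reports on the first samples of an evaluation set, can be illustrated in pure Python. This is an added example, not code from \texttt{CTRAIN} or its dependencies; the two-layer network, the samples and all function names are constructed for illustration, and inputs are assumed to lie in $[0,1]$.

```python
# Added illustration of interval bound propagation (IBP); not CTRAIN code.
# The network weights and the labelled samples below are constructed.

LAYERS = [  # affine layers (W, b); ReLU is applied between them
    ([[1.0, -1.0], [-1.0, 1.0]], [0.0, 0.0]),
    ([[1.0, -0.5], [-0.5, 1.0]], [0.0, 0.0]),
]
SAMPLES = [([0.8, 0.2], 0), ([0.3, 0.9], 1), ([0.55, 0.45], 0), ([0.2, 0.7], 0)]


def affine_bounds(W, b, lower, upper):
    """Sound output interval of x -> W x + b for every x in [lower, upper]."""
    out_lo, out_hi = [], []
    for row, bias in zip(W, b):
        centre = bias + sum(w * (l + u) / 2 for w, l, u in zip(row, lower, upper))
        radius = sum(abs(w) * (u - l) / 2 for w, l, u in zip(row, lower, upper))
        out_lo.append(centre - radius)
        out_hi.append(centre + radius)
    return out_lo, out_hi


def ibp_logit_bounds(layers, x, eps, lo=0.0, hi=1.0):
    """Propagate the l_inf ball of radius eps around x (clipped to the valid
    input range [lo, hi]) through the network; returns bounds on the logits."""
    lower = [max(lo, v - eps) for v in x]
    upper = [min(hi, v + eps) for v in x]
    for i, (W, b) in enumerate(layers):
        lower, upper = affine_bounds(W, b, lower, upper)
        if i < len(layers) - 1:  # ReLU is monotone: apply it to both ends
            lower = [max(0.0, v) for v in lower]
            upper = [max(0.0, v) for v in upper]
    return lower, upper


def is_certified(layers, x, label, eps):
    """True if, for every input in the ball, the logit of `label` provably
    exceeds all other logits. Sound but incomplete: False may be a false alarm."""
    lower, upper = ibp_logit_bounds(layers, x, eps)
    return all(lower[label] > upper[j] for j in range(len(lower)) if j != label)


def certified_accuracy(layers, samples, eps, n=None):
    """Fraction of the first n samples, taken in the given order, that are
    certified. A certified sample is also classified correctly, because the
    unperturbed input lies inside the ball."""
    subset = samples if n is None else samples[:n]
    return sum(is_certified(layers, x, y, eps) for x, y in subset) / len(subset)


if __name__ == "__main__":
    print(ibp_logit_bounds(LAYERS, [0.8, 0.2], 0.1))
    print(certified_accuracy(LAYERS, SAMPLES, 0.1))
    print(certified_accuracy(LAYERS, SAMPLES, 0.1, n=2))
```

The third sample is classified correctly but is not certified at $\epsilon=0.1$, and the fourth is misclassified, so neither counts towards certified accuracy.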

\smallskip
\noindent\texttt{CTRAIN.complete\_verification.}
Since $\alpha\beta$-CROWN is not intended to be executed directly from external libraries or codebases, \texttt{CTRAIN} implements several steps to ensure seamless integration in its \texttt{abCROWN} subpackage.
First, \texttt{CTRAIN} exports the network in \texttt{ONNX} format \cite{bai2019} and saves the resulting file to a temporary folder.
Then, it formulates the verification property
% including the allowed input values and the desired output specification
in the standardised \texttt{VNN-LIB} format \cite{demarchi2023supporting} and also saves the resulting file.
Thereafter, \texttt{CTRAIN} generates a configuration file for $\alpha\beta$-CROWN that specifies the cutoff time and further parameters set by the user as well as the verification property, defined through the previously generated \texttt{ONNX} and \texttt{VNN-LIB} files.
Finally, \texttt{CTRAIN} invokes $\alpha\beta$-CROWN by calling the function that serves as the entry point of the verification system, passing along the configuration file.
% As outlined previously, the included verification system $\alpha\beta$-CROWN requires special handling to be called from Python code.
% We implement this functionality within the \texttt{abCROWN} subpackage.
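
The property-formulation step described above can be sketched as follows. This is an added example, not the code of \texttt{CTRAIN} or $\alpha\beta$-CROWN: it writes an $l_\infty$ robustness property in the layout commonly used for \texttt{VNN-LIB} robustness benchmarks, saves it to a temporary folder, and checks a candidate counterexample against it. All function names are hypothetical, inputs are assumed to be unnormalised values in $[0,1]$, and the small reader handles only the subset of the format emitted here.

```python
# Added illustration: writing an l_inf robustness property in VNN-LIB form.
# Not CTRAIN code; function names and sample values are constructed.
import os
import re
import tempfile


def robustness_vnnlib(x, label, eps, num_classes, lo=0.0, hi=1.0):
    """Return the property text. The asserted conjunction describes the
    *unsafe* case: an input inside the clipped eps-ball for which some other
    class scores at least as high as `label`. 'unsat' therefore means robust."""
    lines = [f"; l_inf robustness, eps={eps}, label={label}"]
    lines += [f"(declare-const X_{i} Real)" for i in range(len(x))]
    lines += [f"(declare-const Y_{j} Real)" for j in range(num_classes)]
    for i, v in enumerate(x):
        lines.append(f"(assert (>= X_{i} {max(lo, v - eps):.8f}))")
        lines.append(f"(assert (<= X_{i} {min(hi, v + eps):.8f}))")
    lines.append("(assert (or")
    for j in range(num_classes):
        if j != label:
            lines.append(f"    (and (>= Y_{j} Y_{label}))")
    lines.append("))")
    return "\n".join(lines) + "\n"


def write_property(spec, directory=None):
    """Save the property to a (temporary) folder and return the file path."""
    directory = directory or tempfile.mkdtemp(prefix="vnnlib_")
    path = os.path.join(directory, "property.vnnlib")
    with open(path, "w", encoding="utf-8") as handle:
        handle.write(spec)
    return path


BOUND = re.compile(r"\(assert \((>=|<=) X_(\d+) (-?\d+\.\d+)\)\)")
RIVAL = re.compile(r"\(and \(>= Y_(\d+) Y_(\d+)\)\)")


def parse_property(spec):
    """Read back the input box and the (rival, label) pairs written above."""
    box = {}
    for op, idx, val in BOUND.findall(spec):
        box.setdefault(int(idx), [None, None])[0 if op == ">=" else 1] = float(val)
    rivals = [(int(j), int(t)) for j, t in RIVAL.findall(spec)]
    return [tuple(box[i]) for i in sorted(box)], rivals


def is_counterexample(spec, x, logits):
    """Check a reported counterexample: x must lie inside the input box and
    the network's logits for x must satisfy the unsafe output condition."""
    box, rivals = parse_property(spec)
    inside = all(low <= v <= high for v, (low, high) in zip(x, box))
    return inside and any(logits[j] >= logits[t] for j, t in rivals)


if __name__ == "__main__":
    text = robustness_vnnlib([0.5, 0.98], label=2, eps=0.05, num_classes=3)
    print(write_property(text))
    print(text)
```

Re-checking a counterexample returned by the verifier against the exported property guards against mismatches between the exported model, the property file and the data preprocessing.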

\smallskip
\noindent\texttt{CTRAIN.attacks.}
\texttt{CTRAIN} currently only implements the PGD adversarial attack, which is used in several training losses as well as in the empirical robustness evaluation.
We have made the parameters of the attack, \emph{i.e.}, the number of restarts, the number of steps and the step size, configurable.
Furthermore, users can define \textit{decay milestones} at which the step size is reduced by a specified factor.
When PGD attacks are involved in training,
% , we make its parameters configurable, \emph{i.e.}, the number of restarts, the number of steps and the step size.
% Furthermore, users can define \textit{decay milestones} at which the step size is reduced by a chosen factor.
we set the network to \textit{evaluation} mode when carrying out the attacks, while the loss computation based on the obtained adversarial examples is done in \textit{training} mode.
Therefore, the statistics of batch normalisation layers \cite{batchnorm} are not influenced by the forward and backward passes performed during attacks and employ the mean and variance computed over both unperturbed and perturbed inputs at evaluation time.

\smallskip
\noindent\texttt{CTRAIN.model\_definitions.}
While \texttt{CTRAIN} is, in principle, compatible with a broad range of neural network definitions, models proposed by
% Gowal et al. \cite{gowal2019scalable} and 
Shi et al. \cite{DBLP:conf/nips/ShiWZYH21} have emerged as the
\emph{de-facto} standard architectures for evaluating certified training methods (see, \emph{e.g.}, \cite{DePalmaConexCombinations,mao2024ctbench,SABR}).
We provide model definitions of these networks in the \texttt{model\_definitions} package.

\smallskip
\noindent\texttt{CTRAIN.train.certified.}
This package implements all components of certified training in a functional manner. 
In the subpackage \texttt{losses}, we provide functions for calculating the various supported certified losses.
The \texttt{initialisation} and \texttt{regularisation} packages provide implementations of the procedures proposed by Shi et al. \cite{DBLP:conf/nips/ShiWZYH21} as well as an implementation of $l_1$ regularisation.
Finally, we have implemented each supported certified training method as one separate function that is utilised in the respective model wrappers.


\smallskip
\noindent\texttt{CTRAIN.util.}
Finally, we have implemented utility functions, such as seeding the library or exporting networks to \texttt{ONNX}, in the \texttt{util} package.

% \section{Empirical Results}
% \renewcommand*{\thefootnote}{\fnsymbol{footnote}}
% \setcounter{footnote}{0}

% \begin{table}[t]
% \caption{
% Results obtained on the CIFAR-10 dataset with $\epsilon=\frac{2}{255}$ in terms of natural and certified accuracy evaluated on the whole test set.
% We display the median across three seeds, accompanied by an interval encompassing the full range of performances observed.
% We optimised hyperparameters using \texttt{SMAC3} with a budget of 120 hours in wall-clock time. 
% For comparability, we provide the best results reported in the literature.
% }
% \label{tab:results}
% \begin{threeparttable}
% \resizebox{\textwidth}{!}{
% \begin{tabular}{@{}llcclclclclc@{}}
% \toprule
% \multicolumn{1}{c}{\begin{tabular}[c]{@{}c@{}}Training\\ Method\end{tabular}} &  & \multicolumn{2}{c}{Source}                               &  & \multicolumn{3}{c}{Nat. Acc [\%]}      &                      & \multicolumn{3}{c}{Cert. Acc. [\%]}    \\ \cmidrule(r){1-1} \cmidrule(lr){3-4} \cmidrule(lr){6-8} \cmidrule(l){10-12} 
%                                                                               &  &                        &                                 &  & Lit.  &  & Ours                        & \multicolumn{1}{c}{} & Lit.  &  & Ours                        \\
% IBP                                                                           &  & Mao et al. (2024)      & \cite{mao2024ctbench}  &  & 67.49 &  & 71.59 $\pm$ 0.37 & \multicolumn{1}{c}{} & 55.99 &  & 53.02 $\pm$ 0.85         \\
% CROWN-IBP                                                                     &  & Zhang et al. (2020)       & \cite{zhang2019towards}              &  & 71.52 &  & 74.62 $\pm$ 0.25 & \multicolumn{1}{c}{} & 53.97 &  & 60.91 $\pm$ 0.28 \\
% SABR\footnote{}                                                                         &  & Mao et al. (2024)      & \cite{mao2024ctbench}  &  & 77.86 &  & 77.23 $\pm$ 0.07          &                      & 63.61 &  & 60.86 $\pm$ 0.21           \\
% % TAPS                                                                          &  & Mao et al. (2023)      & \cite{DBLP:conf/nips/MaoM0V23}  &  & 75.09 &  & TODO!                       &                      & 61.56 &  & TODO!                       \\
% % STAPS                                                                         &  & Mao et al. (2023)      & \cite{DBLP:conf/nips/MaoM0V23}  &  & 79.76 &  & TODO!                       &                      & 62.98 &  & TODO!                       \\
% MTL-IBP                                                                       &  & Mao et al. (2024) & \cite{mao2024ctbench} &  & 78.82 &  & 79.04 $\pm$ 0.35        &                      & 64.41 &  & 64.54 $\pm$ 0.11 \\ \bottomrule
% \end{tabular}
% }
% \setcounter{footnote}{0}
% \begin{tablenotes}
%     \item[\footnote{}] Results not fully comparable, for details see text.
% \end{tablenotes}
% \end{threeparttable}
% \end{table}

% % \hh{Not a proper sentence ... reword:}
% To demonstrate that \texttt{CTRAIN} achieves 
% \changed{comparable results to the ones reported in the literature, we performed a brief empirical evaluation of its capabilities}.
% Therefore, we trained networks on the CIFAR-10 dataset with different certified training methods using our new library.
% Specifically, we trained the \texttt{CNN7} network from Shi et al. \cite{DBLP:conf/nips/ShiWZYH21} for certifiable robustness against $l_\infty$ perturbations with $\epsilon=\frac{2}{255}$ for 160 epochs \changed{in accordance with previous literature (see, \emph{e.g.}, \cite{DePalmaConexCombinations,DBLP:conf/iclr/MaoM0V24,SABR,DBLP:conf/nips/ShiWZYH21}) }and a batch size of 512.
% % \hh{Readers might wonder how and why those values were chosen. Could this be explained in an appendix or even (briefly) here?}
% For each evaluated method we utilised the hyperparameter optimisation capabilities of \texttt{CTRAIN} with a 120-hour wall-clock budget, using the best configurations from prior studies as predefined user configurations.
% % \hh{modified:}
% For comparability, we followed a common practice in the certified training community \cite{DePalmaConexCombinations,mao2024ctbench,SABR,DBLP:conf/nips/ShiWZYH21} and tuned the hyperparameters directly on the test set.
% We evaluated the final configurations on independent runs with three random seeds 
% % \hh{you mean, independent runs with three random seeds?}
% and assessed the robustness via complete verification, using a per-instance timeout of $300$ seconds, which was chosen lower than those of previous studies that use cutoff times of $1000$ seconds and more \cite{DePalmaConexCombinations,mao2024ctbench,SABR} \changed{, to highlight that $\alpha\beta$-CROWN can achieve comparable results while reducing computational costs}.
% % \hh{Why? Might readers object to this choice?}
% All experiments were run on 
% \changed{a compute cluster node equipped with 28 cores of an Intel Xeon Platinum 8480+ processor, 448GB of RAM and one NVIDIA H100 GPU and running Rocky Linux 9.4.}
% % \hh{Sounds awkward. Better: Were run on a compute cluster whose nodes are equipped with ... and running Rocky Linux 9.4.}

% In Table \ref{tab:results}, we provide results for the training methods IBP, CROWN-IBP, SABR and MTL-IBP.
% Furthermore, we display the best performances achieved to date using the same experimental setup in terms of network architecture, perturbation magnitude and number of training epochs.
% We report median results across \changed{independent runs using three different} seeds, 
% % \hh{see my comment above}
% accompanied by an interval encompassing the full range of performance scores observed.
% On three of the four methods, \texttt{CTRAIN} outperforms previously reported results, partially exceeding those by large margins.
% We assume that results on SABR do not reach reported performances because we did not implement \textit{ReLU} shrinking yet, a technique that has demonstrated beneficial properties solely on the CIFAR-10 benchmark with $\epsilon=\frac{2}{255}$ in prior studies \cite{SABR}, and whose implementation we therefore postponed.
% Most notably, for the CROWN-IBP method, results obtained using \texttt{CTRAIN} exceed those of previous studies by up to $7\%$ in certified accuracy \cite{XuAutoLirpa}. 
% % \todo{is this justified - yes or no?}
% % In addition, the results of the MTL-IBP method set a new benchmark for certified accuracy on CIFAR-10 with $\epsilon=\frac{2}{255}$, representing the highest reported performance to date~\cite{mao2024ctbench,DePalmaConexCombinations}.
% Interestingly, regarding the IBP method, hyperparameter optimisation resulted in a configuration prioritising natural over certified accuracy, highlighting a need for better loss functions regarding hyperparameter tuning.
% % \texttt{CTRAIN} provides an excellent basis for further exploring this.

% % \hh{slightly modified -- check carefully:}
% Overall, these results demonstrate that \texttt{CTRAIN} provides comparably performant implementations of certified training methods.
% We attribute demonstrated gains to the inclusion of sophisticated hyperparameter tuning and the use of $\alpha\beta$-CROWN, which has emerged as the winner in recent competitions~\cite{brix2024fifth,brix2023fourth}.

\section{Conclusions and Future Work}

In this work, we presented \texttt{CTRAIN}, a new Python library for certified training. 
\texttt{CTRAIN} implements several state-of-the-art certified training protocols and makes them accessible via model wrappers that integrate well into existing machine learning workflows based on PyTorch.
Furthermore, \texttt{CTRAIN} provides a broad range of evaluation functions that can assess the robustness of a given network 
% \hh{incorrect possessive; better: the ... of a given ...}
using adversarial attacks as well as incomplete and complete verification. 
Notably, using \texttt{CTRAIN}, it becomes possible to invoke
% \hh{sounds awkward; better: it becomes possible to ...}
the state-of-the-art complete verification system $\alpha\beta$-CROWN using only one function call.
Last but not least, \texttt{CTRAIN} has native support for sophisticated hyperparameter optimisation using \texttt{SMAC3}. 
% \hh{slightly revised:}
% By employing these highly-performant systems
% for complete verification and hyperparameter optimisation, \texttt{CTRAIN} achieves remarkable performance on the CIFAR-10 dataset with $\epsilon=\frac{2}{255}$, outperforming the state-of-the-art \changed{in three out of four cases we've considered in a brief empirical evaluation}.
% \hh{be more concrete: in ?? out of ?? cases we've considered in a brief ...}

In future work, we aim to maintain and further extend the functionalities of \texttt{CTRAIN}.
The modular design of the library 
% \hh{incorrect possessive}
allows for easy addition of adversarial attack mechanisms, such as \textit{AutoAttack} \cite{DBLP:conf/icml/Croce020a}, or of complete verification systems, \emph{e.g.}, \textit{Oval} \cite{DBLP:journals/jmlr/PalmaBBTK24}.
Furthermore, we intend to implement further enhancements to certified training, such as ReLU transformer shrinking \cite{SABR}.
\changed{In addition, we will perform an extensive empirical evaluation of \texttt{CTRAIN}, comparing its performance to reference implementations from the literature and examining potential improvements achieved through the use of \texttt{SMAC3} and $\alpha\beta$-CROWN.}
% or resetting batch norm statistics to those of the training set \cite{mao2024ctbench}.
Finally, we plan to continuously update \texttt{CTRAIN} with new certified training and verification methods, maintaining \texttt{CTRAIN} as a state-of-the-art resource for certified training and its evaluation, valuable to both end-users and researchers.
%
% ---- Bibliography ----
%
% BibTeX users should specify bibliography style 'splncs04'.
% References will then be sorted and formatted in the correct style.
%
{\fontsize{9}{11}\selectfont
\subsubsection*{Acknowledgments.}
The authors would like to express their sincere gratitude to Hadar Shavit for providing valuable feedback, insightful inspiration, and expert knowledge on hyperparameter optimisation.
Holger H. Hoos gratefully acknowledges support through an Alexander-von-Humboldt Professorship in Artificial Intelligence.
Furthermore, the authors thank the reviewers for their valuable comments.
\subsubsection{Disclosure of Interests.}
The authors have no competing interests to declare that are relevant to the content of this article.
}

\bibliographystyle{splncs04}
\bibliography{bibliography}

\end{document}
