Keywords: certified robustness, adversarial training, geometric robustness, CROWN, margin-over-slope, neural network verification, randomized smoothing, DC optimal power flow, safety–accuracy trade-off
TL;DR: We propose a geometric training method that optimizes certified robustness directly via CROWN bounds, achieving higher certified accuracy than adversarial training and randomized smoothing, and demonstrating controllable robustness trade-offs.
Abstract: Adversarial training reshapes neural network decision boundaries by pushing them away from adversarial examples, but this approach ignores a crucial geometric factor: the local curvature that determines how steeply network outputs change with input perturbations. We introduce a fundamentally different approach that optimizes certified robustness by directly reshaping decision boundary geometry during training. Our key insight is that CROWN's linear bounds encode both the safety margin and input sensitivity needed for closed-form certified radius computation, transforming expensive verification into efficient geometric analysis. We derive differentiable expressions that enable direct optimization of the margin-over-slope ratio underlying certified robustness, creating networks with inherently robust decision regions rather than boundaries hardened against specific attacks. Our hybrid training method combines adversarial training's broad coverage with geometric certified objectives applied to hard examples, achieving 98.33% clean accuracy and 71.1% certified robustness at epsilon = 0.03 on MNIST — outperforming both PGD adversarial training (61.7%) and randomized smoothing (53.1%) in ReLU-based networks. On DC optimal power flow regression, we demonstrate controllable accuracy–safety trade-offs critical for engineering applications. By making certified robustness certificates both computationally tractable and differentiable, our approach enables robustness-aware learning that produces networks robust by geometric design rather than adversarial accident.
Primary Area: unsupervised, self-supervised, semi-supervised, and supervised representation learning
Submission Number: 8055
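The margin-over-slope idea in the abstract, worked through as an added example (not code from the paper or its authors): for a one-hidden-layer ReLU network, a CROWN-style linear lower bound a.x + c on the class margin over an l_inf ball of radius eps yields a closed-form radius min(eps, margin / slope). The weights, the function names, and the reading of "margin-over-slope" as the bound's value at x0 divided by the l1 norm of a are assumptions of this example.

```python
# Added example: constructed weights; one hidden ReLU layer; l_inf threat model.
def relu_margin(W1, b1, w2, b2, x):
    """Class margin f(x) = w2 . relu(W1 x + b1) + b2 (positive = correct class)."""
    return b2 + sum(wj * max(0.0, sum(w * xi for w, xi in zip(row, x)) + bj)
                    for row, bj, wj in zip(W1, b1, w2))

def crown_lower_bound(W1, b1, w2, b2, x0, eps):
    """Return (a, c) such that f(x) >= a.x + c whenever ||x - x0||_inf <= eps."""
    a, c = [0.0] * len(x0), b2
    for row, bj, wj in zip(W1, b1, w2):
        centre = sum(w * xi for w, xi in zip(row, x0)) + bj
        spread = eps * sum(abs(w) for w in row)
        l, u = centre - spread, centre + spread  # pre-activation interval
        if l >= 0:        # stably active: relu(z) = z
            s, t = 1.0, 0.0
        elif u <= 0:      # stably inactive: relu(z) = 0
            s, t = 0.0, 0.0
        elif wj >= 0:     # unstable, needs lower bound on relu: s*z with s in {0, 1}
            s, t = (1.0 if u >= -l else 0.0), 0.0
        else:             # unstable, needs upper bound: chord from (l, 0) to (u, u)
            s = u / (u - l)
            t = -s * l
        for i, w in enumerate(row):   # substitute relu(z) -> s*z + t, z = row.x + bj
            a[i] += wj * s * w
        c += wj * (s * bj + t)
    return a, c

def certified_radius(W1, b1, w2, b2, x0, eps):
    """Largest r <= eps for which the linear bound keeps the margin non-negative."""
    a, c = crown_lower_bound(W1, b1, w2, b2, x0, eps)
    margin = sum(ai * xi for ai, xi in zip(a, x0)) + c   # bound value at x0
    slope = sum(abs(ai) for ai in a)                     # dual (l1) norm of a
    if margin <= 0:
        return 0.0
    return eps if slope == 0 else min(eps, margin / slope)

# Constructed network: one stably active, one stably inactive, one unstable neuron.
W1, b1 = [[1.0, 0.0], [0.0, 1.0], [1.0, -1.0]], [0.0, -2.0, 0.0]
w2, b2, x0 = [1.0, 1.0, -1.0], 0.0, [1.0, 1.0]

if __name__ == "__main__":
    for eps in (0.25, 0.6):
        print(eps, crown_lower_bound(W1, b1, w2, b2, x0, eps),
              certified_radius(W1, b1, w2, b2, x0, eps))
```

For the constructed network, the bound certifies the full ball at eps = 0.25, while at eps = 0.6 the ratio 0.4 falls below eps, so only radius 0.4 is certified.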