{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,2,21]],"date-time":"2025-02-21T07:30:55Z","timestamp":1740123055956,"version":"3.37.3"},"reference-count":29,"publisher":"Springer Science and Business Media LLC","issue":"7","license":[{"start":{"date-parts":[[2022,3,16]],"date-time":"2022-03-16T00:00:00Z","timestamp":1647388800000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2022,3,16]],"date-time":"2022-03-16T00:00:00Z","timestamp":1647388800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"name":"BMW AG"},{"DOI":"10.13039\/501100005713","name":"Technische Universit\u00e4t M\u00fcnchen","doi-asserted-by":"crossref","id":[{"id":"10.13039\/501100005713","id-type":"DOI","asserted-by":"crossref"}]}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Mach Learn"],"published-print":{"date-parts":[[2022,7]]},"abstract":"<jats:title>Abstract<\/jats:title><jats:p>Neural networks are known to be sensitive to adversarial perturbations. To investigate this undesired behavior we consider the problem of computing the distance to the decision boundary (DtDB) from a given sample for a deep neural net classifier. In this work we present a procedure where we solve a convex quadratic programming (QP) task to obtain a lower bound on the DtDB. This bound is used as a robustness certificate of the classifier around a given sample. We show that our approach provides better or competitive results in comparison with a wide range of existing techniques.<\/jats:p>","DOI":"10.1007\/s10994-022-06132-9","type":"journal-article","created":{"date-parts":[[2022,3,16]],"date-time":"2022-03-16T22:03:33Z","timestamp":1647468213000},"page":"2407-2433","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["Robustness verification of ReLU networks via quadratic programming"],"prefix":"10.1007","volume":"111","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-3674-7010","authenticated-orcid":false,"given":"Aleksei","family":"Kuvshinov","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Stephan","family":"G\u00fcnnemann","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","published-online":{"date-parts":[[2022,3,16]]},"reference":[{"key":"6132_CR1","first-page":"4790","volume":"31","author":"RR Bunel","year":"2018","unstructured":"Bunel, R. R., Turkaslan, I., Torr, P., Kohli, P., & Mudigonda, P. K. (2018). A unified view of piecewise linear neural network verification. Advances in Neural Information Processing Systems, 31, 4790\u20134799.","journal-title":"Advances in Neural Information Processing Systems"},{"key":"6132_CR2","doi-asserted-by":"crossref","unstructured":"Carlini, N., & Wagner, D. (2017). Towards evaluating the robustness of neural networks. In 2017 IEEE symposium on security and privacy (SP) (pp 39\u201357).","DOI":"10.1109\/SP.2017.49"},{"key":"6132_CR3","unstructured":"Croce, F., Andriushchenko, M., & Hein, M. (2019). Provable robustness of ReLU networks via maximization of linear regions. In AISTATS."},{"key":"6132_CR4","unstructured":"Dua, D., & Graff, C. (2017). UCI machine learning repository. http:\/\/archive.ics.uci.edu\/ml."},{"key":"6132_CR5","doi-asserted-by":"publisher","unstructured":"Dutta, S., Jha, S., Sankaranarayanan, S., & Tiwari, A. (2018). Output range analysis for deep feedforward neural networks. In NASA formal methods (pp. 121\u2013138). https:\/\/doi.org\/10.1007\/978-3-319-77935-5_9.","DOI":"10.1007\/978-3-319-77935-5_9"},{"key":"6132_CR6","unstructured":"Dvijotham, K., Stanforth, R., Gowal, S., Mann, T. A., & Kohli, P. (2018). A dual approach to scalable verification of deep networks. In Proceedings of the conference on uncertainty in artificial intelligence. http:\/\/auai.org\/uai2018\/proceedings\/papers\/204.pdf."},{"key":"6132_CR7","unstructured":"Dvijotham, K., Stanforth, R., Gowal, S., Qin, C., De, S., & Kohli, P. (2019). Efficient neural network verification with exactness characterization. In Proceedings of the conference on uncertainty in artificial intelligence. http:\/\/auai.org\/uai2019\/proceedings\/papers\/164.pdf."},{"key":"6132_CR8","doi-asserted-by":"crossref","unstructured":"Ehlers, R. (2017). Formal verification of piece-wise linear feed-forward neural networks. In Automated technology for verification and analysis (pp. 269\u2013286). Springer","DOI":"10.1007\/978-3-319-68167-2_19"},{"key":"6132_CR9","unstructured":"Goodfellow, I., Shlens, J., & Szegedy, C. (2015). Explaining and harnessing adversarial examples. In International conference on learning representations. arXiv:1412.6572."},{"key":"6132_CR10","unstructured":"Gurobi Optimization L. (2018). Gurobi optimizer reference manual. http:\/\/www.gurobi.com."},{"key":"6132_CR11","first-page":"2266","volume":"30","author":"M Hein","year":"2017","unstructured":"Hein, M., & Andriushchenko, M. (2017). Formal guarantees on the robustness of a classifier against adversarial manipulation. Advances in Neural Information Processing Systems, 30, 2266\u20132276.","journal-title":"Advances in Neural Information Processing Systems"},{"key":"6132_CR12","unstructured":"Jordan, M., Lewis, J., & Dimakis, A. G. (2018). Provable certificates for adversarial examples: Fitting a ball in the union of polytopes. In Advances in neural information processing systems 33."},{"key":"6132_CR13","doi-asserted-by":"crossref","unstructured":"Katz, G., Barrett, C., Dill, D. L., Julian, K., & Kochenderfer, M. J. (2017). Reluplex: An efficient SMT solver for verifying deep neural networks. In Computer aided verification (pp. 97\u2013117).","DOI":"10.1007\/978-3-319-63387-9_5"},{"key":"6132_CR14","unstructured":"Kurakin, A., Goodfellow, I. J., & Bengio, S. (2016). Adversarial examples in the physical world. In International conference on learning representations. arXiv:1607.02533."},{"key":"6132_CR15","unstructured":"LeCun, Y., Cortes, C., & Burges, C. J. (1999). The MNIST database of handwritten digits. http:\/\/yann.lecun.com\/exdb\/mnist\/."},{"key":"6132_CR16","unstructured":"Lomuscio, A., & Maganti, L. (2017). An approach to reachability analysis for feed-forward ReLU neural networks. arXiv e-prints arXiv:1706.07351."},{"key":"6132_CR17","unstructured":"Madry, A., Makelov, A., Schmidt, L., Tsipras, D., & Vladu, A. (2017). Towards deep learning models resistant to adversarial attacks. arXiv preprint arXiv:170606083."},{"key":"6132_CR18","doi-asserted-by":"crossref","unstructured":"Papernot, N., McDaniel, P., Jha, S., Fredrikson, M., Celik, Z. B., & Swami, A. (2016). The limitations of deep learning in adversarial settings. In 2016 IEEE European symposium on security and privacy (EuroS&P) (pp. 372\u2013387).","DOI":"10.1109\/EuroSP.2016.36"},{"key":"6132_CR19","unstructured":"Raghunathan, A., Steinhardt, J., & Liang, P. (2018a). Certified defenses against adversarial examples. In International conference on learning representations."},{"key":"6132_CR20","first-page":"10877","volume":"31","author":"A Raghunathan","year":"2018","unstructured":"Raghunathan, A., Steinhardt, J., & Liang, P. S. (2018b). Semidefinite relaxations for certifying robustness to adversarial examples. Advances in Neural Information Processing Systems, 31, 10877\u201310887.","journal-title":"Advances in Neural Information Processing Systems"},{"key":"6132_CR21","first-page":"9832","volume":"32","author":"H Salman","year":"2019","unstructured":"Salman, H., Yang, G., Zhang, H., Hsieh, C. J., & Zhang, P. (2019). A convex relaxation barrier to tight robustness verification of neural networks. Advances in Neural Information Processing Systems, 32, 9832\u20139842.","journal-title":"Advances in Neural Information Processing Systems"},{"key":"6132_CR22","unstructured":"Szegedy, C., Zaremba, W., Sutskever, I., Bruna, J., Erhan, D., Goodfellow, I., & Fergus, R. (2014). Intriguing properties of neural networks. In International conference on learning representations. arXiv:1312.6199."},{"key":"6132_CR23","unstructured":"Tjeng, V., Xiao, K., & Tedrake, R. (2017). Evaluating robustness of neural networks with mixed integer programming. arXiv preprint arXiv:171107356."},{"key":"6132_CR24","first-page":"6541","volume":"31","author":"Y Tsuzuku","year":"2018","unstructured":"Tsuzuku, Y., Sato, I., & Sugiyama, M. (2018). Lipschitz-margin training: Scalable certification of perturbation invariance for deep neural networks. Advances in Neural Information Processing Systems, 31, 6541\u20136550.","journal-title":"Advances in Neural Information Processing Systems"},{"key":"6132_CR25","unstructured":"Wang, S., Chen, Y., Abdou, A., & Jana, S. (2018). MixTrain: Scalable training of verifiably robust neural networks. arXiv preprint arXiv:181102625."},{"key":"6132_CR26","unstructured":"Weng, L., Zhang, H., Chen, H., Song, Z., Hsieh, C. J., Daniel, L., Boning, D., & Dhillon, I. (2018). Towards fast computation of certified robustness for ReLU networks. In Proceedings of the 35th international conference on machine learning (Vol. 80, pp. 5276\u20135285)."},{"key":"6132_CR27","unstructured":"Wong, E., & Kolter, Z. (2018). Provable defenses against adversarial examples via the convex outer adversarial polytope. In Proceedings of the 35th international conference on machine learning (Vol. 80, pp. 5286\u20135295)."},{"key":"6132_CR28","unstructured":"Xiao, H., Rasul, K., & Vollgraf, R. (2017). Fashion-MNIST: A novel image dataset for benchmarking machine learning algorithms. CoRR arXiv:1708.07747."},{"key":"6132_CR29","first-page":"4939","volume":"31","author":"H Zhang","year":"2018","unstructured":"Zhang, H., Weng, T. W., Chen, P. Y., Hsieh, C. J., & Daniel, L. (2018). Efficient neural network robustness certification with general activation functions. Advances in Neural Information Processing Systems, 31, 4939\u20134948.","journal-title":"Advances in Neural Information Processing Systems"}],"container-title":["Machine Learning"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10994-022-06132-9.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s10994-022-06132-9\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10994-022-06132-9.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,7,5]],"date-time":"2022-07-05T21:05:53Z","timestamp":1657055153000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s10994-022-06132-9"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,3,16]]},"references-count":29,"journal-issue":{"issue":"7","published-print":{"date-parts":[[2022,7]]}},"alternative-id":["6132"],"URL":"https:\/\/doi.org\/10.1007\/s10994-022-06132-9","relation":{},"ISSN":["0885-6125","1573-0565"],"issn-type":[{"type":"print","value":"0885-6125"},{"type":"electronic","value":"1573-0565"}],"subject":[],"published":{"date-parts":[[2022,3,16]]},"assertion":[{"value":"2 May 2021","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"1 October 2021","order":2,"name":"revised","label":"Revised","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"6 February 2022","order":3,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"16 March 2022","order":4,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"Not applicable, the authors have no conflicts of interest to declare that are relevant to the content of this article.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Conflict of interest"}},{"value":"The authors approve that the research presented in this paper is conducted following the principles of ethical and professional conduct.","order":3,"name":"Ethics","group":{"name":"EthicsHeading","label":"Ethical approval"}},{"value":"The authors consent to participate in ECML PKDD 2022 conference.","order":4,"name":"Ethics","group":{"name":"EthicsHeading","label":"Informed consent"}},{"value":"Not applicable, the authors use publicly available data only and provide the corresponding references.","order":5,"name":"Ethics","group":{"name":"EthicsHeading","label":"Consent for publication"}}]}}