Robustness Certification Research on Deep Learning Models: A Survey

In the era of big data, breakthroughs in theories and technologies of deep learning have provided strong support for artificial intelligence at the data and the algorithm level, as well as have promoted the development of scale and industrialization of deep learning in a large number of tasks, such as image classification, object detection, semantic segmentation, natural language processing and speech recognition. However, though deep learning models have excellent performance in many real-world applications, they still suffer many security threats. For instance, it is now known that deep neural networks are fundamentally vulnerable to malicious manipulations, such as adversarial examples that force target deep neural networks to misbehave. In recent years, a plethora of work has focused on constructing adversarial examples in various domains. The phenomenon of adversarial examples demonstrates the inherent lack of robustness of deep neural networks, which limits their use in security-critical applications. In order to build a safe and reliable deep learning system and eliminate the potential security risks of deep learning models in real-world applications, the security issue of deep learning has attracted extensive attention from academia and industry. Thus far, intensive research has been devoted to improving the robustness of DNNs against adversarial attacks. Unfortunately, most defenses are based on heuristics and thus lack any theoretical guarantee, which can often be defeated or circumvented by more powerful attacks. Therefore, defenses only showing empirical success against attacks, are difficult to be concluded robust. Aiming to end the constant arms race between adversarial attacks and defenses, the concept of robustness certification is proposed to provide guaranteed robustness by formally verifying whether a given region surrounding a data point admits any adversarial example. Robustness certification, the functionality of verifying whether the given region surrounding a data point admits any adversarial example, provides guaranteed security for deep neural networks deployed in adversarial environments. Within the certified robustness bound, any possible perturbation would not impact the prediction of a deep neural network. A large number of researchers have conducted in-depth research on the model robustness certification from the perspective of complete and incomplete, and proposed a series of certification methods. These methods can be generally categorized as exact certification methods and relaxed certification methods. Exact certification methods are mostly based on satisfiability modulo theories or mixed-integer linear program solvers. Though these methods are able to certify the exact robustness bound, they are usually computationally expensive. Hence, it is difficult to scale them even to medium size networks. Relaxed certification methods include the convex polytope methods, reachability analysis methods, and abstract interpretation methods, etc. These methods are usually efficient but cannot provide precise robustness bounds as exact certification methods do. Nevertheless, considering the expensive computational cost, relaxed certification methods are shown to be more promising in practical applications, especially for large networks. In this survey, we review the current challenges of model robustness certification problem, systematically and scientifically summarize existing research work, and clarify the advantages and disadvantages of current research. Finally, we explore future research directions of model robustness certification research. © 2022, Science Press. All right reserved.