no code implementations • 13 Oct 2023 • Ravi Mangal, Klas Leino, Zifan Wang, Kai Hu, Weicheng Yu, Corina Pasareanu, Anupam Datta, Matt Fredrikson
There are three layers to this inquiry, which we address in this paper: (1) why do we care about robustness research?
1 code implementation • 4 Oct 2023 • Kai Hu, Klas Leino, Zifan Wang, Matt Fredrikson
A key challenge, supported both theoretically and empirically, is that robustness demands greater network capacity and more data than standard training.
2 code implementations • NeurIPS 2023 • Kai Hu, Andy Zou, Zifan Wang, Klas Leino, Matt Fredrikson
We show that fast methods for bounding the Lipschitz constant of conventional ResNets are loose, and address this by designing a new residual block, leading to the Linear ResNet (LiResNet) architecture.
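A minimal sketch of the core idea, assuming a PyTorch-style implementation (illustrative, not the paper's released code): the residual branch is a single linear convolution, so the block's Lipschitz constant is bounded by 1 + ||W||_2, rather than by composing per-operation bounds through a non-linear branch.

```python
import torch
import torch.nn as nn


class LinearResidualBlock(nn.Module):
    """Sketch of a 'linear residual' block: activation(x + Conv(x)), with no
    non-linearity inside the residual branch. Because the branch is a single
    linear map W, the block's Lipschitz constant is bounded by 1 + ||W||_2."""

    def __init__(self, channels: int, kernel_size: int = 3):
        super().__init__()
        self.conv = nn.Conv2d(channels, channels, kernel_size,
                              padding=kernel_size // 2, bias=False)
        self.act = nn.ReLU()  # applied after the skip connection, not inside it

    def forward(self, x: torch.Tensor) -> torch.Tensor:
        return self.act(x + self.conv(x))


def conv_spectral_norm(conv: nn.Conv2d, input_shape, n_iter: int = 25) -> torch.Tensor:
    """Power-iteration estimate of the spectral norm ||W||_2 of the linear map
    defined by `conv` (bias disabled), using autograd for the transpose."""
    v = torch.randn(1, *input_shape)
    for _ in range(n_iter):
        v = (v / v.norm()).detach().requires_grad_(True)
        u = conv(v)
        # W^T (W v) is the gradient of <W v, c> w.r.t. v, with c = (W v) held fixed.
        (v,) = torch.autograd.grad((u * u.detach()).sum(), v)
    v = v / v.norm()
    return conv(v).norm().detach()  # the block's bound is then 1 + this value
```

Keeping the non-linearity outside the residual branch is what lets the 1 + ||W||_2 bound apply directly; with a non-linear branch, one must compose per-layer bounds through the block, which is the source of the looseness the abstract refers to.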
no code implementations • 21 Jan 2023 • Klas Leino
Certified defenses against small-norm adversarial examples have received growing attention in recent years, yet the certified accuracies of state-of-the-art methods remain far below those of their non-robust counterparts, even though benchmark datasets have been shown to be well-separated at far larger radii than the literature generally attempts to certify.
1 code implementation • 1 Jun 2022 • Ravi Mangal, Zifan Wang, Chi Zhang, Klas Leino, Corina Pasareanu, Matt Fredrikson
We present cascade attack (CasA), an adversarial attack against cascading ensembles, and show that: (1) there exists an adversarial input for up to 88% of the samples where the ensemble claims to be certifiably robust and accurate; and (2) the accuracy of a cascading ensemble under our attack is as low as 11% when it claims to be certifiably robust and accurate on 97% of the test set.
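For context, a cascading ensemble of certified models typically works as sketched below (the `predict`/`certify` interface is hypothetical); the attack exploits the fact that nearby inputs may be routed to different constituents, so per-model certificates do not compose into a certificate for the ensemble.

```python
def cascade_predict(models, x, eps):
    """Sketch of cascading-ensemble inference: return the prediction of the
    first constituent that certifies robustness at x within radius eps,
    falling back to the last model otherwise.

    The soundness gap a cascade attack exploits: the ensemble claims
    robustness at x because some model i certifies it, but a perturbed
    input x' with ||x' - x|| <= eps may be handled by a *different*
    constituent j that certifies a different label -- so the ensemble's
    output can change inside the ball even though every individual
    certificate is valid.
    """
    for model in models:
        if model.certify(x, eps):          # hypothetical per-model certification
            return model.predict(x), True  # (prediction, claimed-certified)
    return models[-1].predict(x), False    # no constituent certified x
```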
no code implementations • ICLR 2022 • Emily Black, Klas Leino, Matt Fredrikson
Recent work has shown that models trained to the same objective, and which achieve similar measures of accuracy on consistent test data, may nonetheless behave very differently on individual predictions.
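A quick way to see this empirically (a sketch, not the paper's methodology): train models that differ only in, say, random seed, and measure how often they disagree on individual test points even when their aggregate accuracies match.

```python
import numpy as np

def disagreement_rate(preds_a: np.ndarray, preds_b: np.ndarray) -> float:
    """Fraction of test points on which two models' predicted labels differ.
    Two models can have nearly identical accuracy while this rate is large."""
    return float(np.mean(preds_a != preds_b))

# Toy example: two prediction vectors that agree on aggregate behavior
# but differ on 2 of 6 individual points.
preds_a = np.array([0, 1, 1, 0, 2, 2])
preds_b = np.array([0, 1, 0, 1, 2, 2])
print(disagreement_rate(preds_a, preds_b))  # 0.333...
```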
no code implementations • 29 Sep 2021 • Klas Leino, Chi Zhang, Ravi Mangal, Matt Fredrikson, Bryan Parno, Corina Pasareanu
Certifiably robust neural networks employ provable run-time defenses against adversarial examples by checking if the model is locally robust at the input under evaluation.
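One common form of run-time check (a sketch of the general recipe, not necessarily this paper's procedure): certify the prediction at x whenever the logit margin exceeds what any perturbation of norm ε could change, given a Lipschitz bound on the logit map.

```python
import numpy as np

def certify_at_input(logits: np.ndarray, eps: float, lipschitz: float):
    """Lipschitz-margin check: given an l2 Lipschitz bound on the logit map,
    any pairwise logit difference can change by at most sqrt(2) * lipschitz * eps
    within an eps-ball. If the gap between the top logit and the runner-up
    exceeds that amount, the argmax cannot change, so the prediction is
    certified; otherwise the model abstains."""
    order = np.argsort(logits)
    top, runner_up = logits[order[-1]], logits[order[-2]]
    margin = top - runner_up
    if margin > np.sqrt(2.0) * lipschitz * eps:
        return int(order[-1])   # certified prediction
    return None                 # abstain: local robustness not established
```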
1 code implementation • 23 Jul 2021 • Klas Leino, Aymeric Fromherz, Ravi Mangal, Matt Fredrikson, Bryan Parno, Corina Păsăreanu
These constraints relate requirements on the order of the classes output by a classifier to conditions on its input, and are expressive enough to encode various interesting examples of classifier safety specifications from the literature.
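As a concrete (hypothetical) illustration of such a specification, in the style of ACAS Xu-like properties: "whenever the input lies in region R, class a must be ranked above class b." The sketch below only shows the shape of the constraint and checks it on individual inputs; the paper's approach verifies constraints of this form rather than testing them on samples.

```python
import numpy as np

def in_region(x: np.ndarray) -> bool:
    """Hypothetical input condition R: a box constraint on the first two features."""
    return 0.0 <= x[0] <= 0.5 and x[1] >= 1.0

def satisfies_constraint(x: np.ndarray, logits: np.ndarray,
                         higher: int, lower: int) -> bool:
    """Class-order constraint: if x is in region R, the classifier must rank
    class `higher` above class `lower`. Inputs outside R are unconstrained."""
    return (not in_region(x)) or bool(logits[higher] > logits[lower])
```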
1 code implementation • NeurIPS 2021 • Klas Leino, Matt Fredrikson
Certifiable local robustness, which rigorously precludes small-norm adversarial examples, has received significant attention as a means of addressing security concerns in deep learning.
2 code implementations • 16 Feb 2021 • Klas Leino, Zifan Wang, Matt Fredrikson
We show that widely-used architectures can be easily adapted to this objective by incorporating efficient global Lipschitz bounds into the network, yielding certifiably-robust models by construction that achieve state-of-the-art verifiable accuracy.
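A minimal sketch of the by-construction idea for a small dense network (illustrative, not the released implementation): bound the global Lipschitz constant by the product of per-layer spectral norms, and append an "abstain" logit so that whenever the model's top class still beats the abstain logit, the prediction is certified at radius ε.

```python
import numpy as np

def layer_spectral_norms(weights):
    """Spectral norm of each weight matrix; their product (ReLU is 1-Lipschitz)
    upper-bounds the global Lipschitz constant of the network's logit map."""
    return [np.linalg.svd(W, compute_uv=False)[0] for W in weights]

def gloro_logits(logits: np.ndarray, eps: float, lipschitz: float) -> np.ndarray:
    """Append an 'abstain' logit: the most any competing logit could close the
    gap to the top logit within an eps-ball, given the global Lipschitz bound.
    If the top class still exceeds the abstain logit, the prediction is
    certifiably robust at radius eps -- by construction."""
    top = int(np.argmax(logits))
    competitors = np.delete(logits, top)
    abstain = np.max(competitors) + np.sqrt(2.0) * lipschitz * eps
    return np.append(logits, abstain)
```

In training, the abstain logit can be included in the loss so the network learns margins large enough to certify; a full implementation would typically use tighter per-class-pair bounds and power iteration rather than a full SVD.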
no code implementations • ACL 2020 • Kaiji Lu, Piotr Mardziel, Klas Leino, Matt Fredrikson, Anupam Datta
LSTM-based recurrent neural networks are the state-of-the-art for many natural language processing (NLP) tasks.
no code implementations • ICLR 2021 • Aymeric Fromherz, Klas Leino, Matt Fredrikson, Bryan Parno, Corina Păsăreanu
Local robustness ensures that a model classifies all inputs within an $\ell_2$-ball consistently, which precludes various forms of adversarial inputs.
no code implementations • 27 Jun 2019 • Klas Leino, Matt Fredrikson
Membership inference (MI) attacks exploit the fact that machine learning algorithms sometimes leak information about their training data through the learned model.
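As background, the simplest membership-inference baseline (not the calibrated white-box attack studied in the paper) just thresholds the model's confidence on the candidate point, since models tend to be more confident on data they were trained on.

```python
import numpy as np

def mi_confidence_attack(probs: np.ndarray, label: int, threshold: float = 0.9) -> bool:
    """Generic confidence-threshold membership-inference baseline: guess
    'member' when the model's probability on the true label is high.
    Overconfidence on training points is the leakage MI attacks exploit;
    this is only the simplest black-box sketch, not the paper's white-box,
    calibrated attack."""
    return bool(probs[label] >= threshold)
```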
no code implementations • ICLR 2019 • Klas Leino, Emily Black, Matt Fredrikson, Shayak Sen, Anupam Datta
This overestimation gives rise to feature-wise bias amplification -- a previously unreported form of bias that can be traced back to the features of a trained model.
2 code implementations • ICLR 2018 • Klas Leino, Shayak Sen, Anupam Datta, Matt Fredrikson, Linyi Li
We study the problem of explaining a rich class of behavioral properties of deep neural networks.
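A simplified instance of the kind of influence measure involved (a sketch assuming PyTorch; the paper's internal, distributional influence generalizes this): average the gradient of a quantity of interest, here a class score, over a distribution of interest.

```python
import torch

def input_influence(model, inputs: torch.Tensor, class_idx: int) -> torch.Tensor:
    """Average gradient of the class-`class_idx` score with respect to the
    input, taken over a batch drawn from a distribution of interest. This is
    the input-slice special case; the paper also measures the influence of
    *internal* neurons on such quantities of interest."""
    inputs = inputs.clone().requires_grad_(True)
    score = model(inputs)[:, class_idx].sum()
    (grad,) = torch.autograd.grad(score, inputs)
    return grad.mean(dim=0)
```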