
GeoMAR: Geometric Methods for Adversarial Robustness

Subject Area Mathematics; Security and Dependability, Operating-, Communication- and Distributed Systems
Term since 2024
Project identifier Deutsche Forschungsgemeinschaft (DFG) - Project number 544579844
 
The vulnerability of deep learning-based systems to adversarial attacks and distribution shifts continues to pose a substantial security risk in real-world applications. Many approaches designed to improve the robustness of neural networks are motivated only heuristically; their mathematical underpinnings, as well as their precise robustification effect, remain unclear. As a result, the majority of defenses proposed in the past have been shown to be ineffective by subsequent third-party evaluations. One of the few truly robust defenses is Adversarial Training (AT), which is also backed by a developing mathematical theory. However, AT suffers from a trade-off between the generalization ability of the model on clean data and its robustness against adversarial attacks. Additional data can enhance the performance of adversarial training, but current approaches that further improve robustness by scaling the number of training samples and the model size are prohibitively expensive and theoretically poorly understood.

In the GeoMAR project we aim to develop a mathematical theory for creating effective robustification approaches. Beyond theoretical insights, we plan to transfer the developed knowledge to practical algorithms. The key objectives of GeoMAR are to analyze the geometry of robustness, tackle the accuracy-robustness trade-off, analyze and compare the geometric properties of classifiers using a novel test-time approach, and reach scalability to large datasets. To achieve this, we will view robustness through a geometric lens and model it as a geometric regularity property of the decision boundary of a classifier. We will use this framework to develop novel geometrically motivated robust training methods and solve them using tailored optimization methods. The robustness of these approaches will be quantified with novel test-time methods, and we will scale them by leveraging generative models for the computation of attacks.
The desired outcomes of GeoMAR are geometric, interpretable, and scalable training methods that provably mitigate the trade-off between accuracy and robustness. This way our project will promote the mathematical understanding of robustness in machine learning and generate efficient algorithms for training deep learning systems for real-world applications.
DFG Programme Priority Programmes
International Connection Canada, USA