TY - GEN
T1 - CARE: Certifiably Robust Learning with Reasoning via Variational Inference
T2 - 2023 IEEE Conference on Secure and Trustworthy Machine Learning, SaTML 2023
AU - Zhang, Jiawei
AU - Li, Linyi
AU - Zhang, Ce
AU - Li, Bo
N1 - Funding Information:
This work is partially supported by NSF grant No. 1910100, NSF CNS No. 2046726, a C3.ai DTI Award, and the Alfred P. Sloan Foundation.
Publisher Copyright:
© 2023 IEEE.
PY - 2023
Y1 - 2023
N2 - Despite great recent advances achieved by deep neural networks (DNNs), they are often vulnerable to adversarial attacks. Intensive research efforts have been made to improve the robustness of DNNs; however, most empirical defenses can be adaptively attacked again, and the theoretically certified robustness is limited, especially on large-scale datasets. One potential root cause of such vulnerabilities for DNNs is that although they have demonstrated powerful expressiveness, they lack the reasoning ability to make robust and reliable predictions. In this paper, we aim to integrate domain knowledge to enable robust learning with the reasoning paradigm. In particular, we propose a certifiably robust learning with reasoning pipeline (CARE), which consists of a learning component and a reasoning component. Concretely, we use a set of standard DNNs to serve as the learning component to make semantic predictions (e.g., whether the input is furry), and we leverage the probabilistic graphical models, such as Markov logic networks (MLN), to serve as the reasoning component to enable knowledge/logic reasoning (e.g., $\text{IsPanda} \Longrightarrow \text{IsFurry}$). However, it is known that the exact inference of MLN (reasoning) is #P-complete, which limits the scalability of the pipeline. To this end, we propose to approximate the MLN inference via variational inference based on an efficient expectation maximization algorithm. In particular, we leverage graph convolutional networks (GCNs) to encode the posterior distribution during variational inference and update the parameters of GCNs (E-step) and the weights of knowledge rules in MLN (M-step) iteratively. We conduct extensive experiments on different datasets such as AwA2, Word50, GTSRB, and PDF malware, and we show that CARE achieves significantly higher certified robustness (e.g., the certified accuracy is improved from 36.0% to 61.8% under $\ell_{2}$ radius 2.0 on AwA2) compared with the state-of-the-art baselines. We additionally conducted different ablation studies to demonstrate the empirical robustness of CARE and the effectiveness of different knowledge integration. The official code is available at https://github.com/javyduck/CARE.
AB - Despite great recent advances achieved by deep neural networks (DNNs), they are often vulnerable to adversarial attacks. Intensive research efforts have been made to improve the robustness of DNNs; however, most empirical defenses can be adaptively attacked again, and the theoretically certified robustness is limited, especially on large-scale datasets. One potential root cause of such vulnerabilities for DNNs is that although they have demonstrated powerful expressiveness, they lack the reasoning ability to make robust and reliable predictions. In this paper, we aim to integrate domain knowledge to enable robust learning with the reasoning paradigm. In particular, we propose a certifiably robust learning with reasoning pipeline (CARE), which consists of a learning component and a reasoning component. Concretely, we use a set of standard DNNs to serve as the learning component to make semantic predictions (e.g., whether the input is furry), and we leverage the probabilistic graphical models, such as Markov logic networks (MLN), to serve as the reasoning component to enable knowledge/logic reasoning (e.g., $\text{IsPanda} \Longrightarrow \text{IsFurry}$). However, it is known that the exact inference of MLN (reasoning) is #P-complete, which limits the scalability of the pipeline. To this end, we propose to approximate the MLN inference via variational inference based on an efficient expectation maximization algorithm. In particular, we leverage graph convolutional networks (GCNs) to encode the posterior distribution during variational inference and update the parameters of GCNs (E-step) and the weights of knowledge rules in MLN (M-step) iteratively. We conduct extensive experiments on different datasets such as AwA2, Word50, GTSRB, and PDF malware, and we show that CARE achieves significantly higher certified robustness (e.g., the certified accuracy is improved from 36.0% to 61.8% under $\ell_{2}$ radius 2.0 on AwA2) compared with the state-of-the-art baselines. We additionally conducted different ablation studies to demonstrate the empirical robustness of CARE and the effectiveness of different knowledge integration. The official code is available at https://github.com/javyduck/CARE.
KW - certified robustness
KW - graph convolutional network
KW - Markov logic network
KW - Robust learning with reasoning
KW - variational inference
UR - http://www.scopus.com/inward/record.url?scp=85163192069&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85163192069&partnerID=8YFLogxK
U2 - 10.1109/SaTML54575.2023.00043
DO - 10.1109/SaTML54575.2023.00043
M3 - Conference contribution
AN - SCOPUS:85163192069
T3 - Proceedings - 2023 IEEE Conference on Secure and Trustworthy Machine Learning, SaTML 2023
SP - 554
EP - 574
BT - Proceedings - 2023 IEEE Conference on Secure and Trustworthy Machine Learning, SaTML 2023
PB - Institute of Electrical and Electronics Engineers Inc.
Y2 - 8 February 2023 through 10 February 2023
ER -