Training Robust Neural Networks Using Lipschitz Bounds

Due to their susceptibility to adversarial perturbations, neural networks (NNs) are hardly used in safety-critical applications. One measure of robustness to such perturbations in the input is the Lipschitz constant of the input-output map defined by an NN. In this letter, we propose a framework to...

Full description

Saved in:
Bibliographic Details
Published inIEEE control systems letters Vol. 6; pp. 121 - 126
Main Authors Pauli, Patricia, Koch, Anne, Berberich, Julian, Kohler, Paul, Allgower, Frank
Format Journal Article
LanguageEnglish
Published IEEE 2022
Subjects
Artificial neural networks
Estimation
Linear matrix inequalities
neural networks
Neurons
Perturbation methods
Robustness
Training
Upper bound
Online AccessGet full text

Cover

Abstract Due to their susceptibility to adversarial perturbations, neural networks (NNs) are hardly used in safety-critical applications. One measure of robustness to such perturbations in the input is the Lipschitz constant of the input-output map defined by an NN. In this letter, we propose a framework to train multi-layer NNs while at the same time encouraging robustness by keeping their Lipschitz constant small, thus addressing the robustness issue. More specifically, we design an optimization scheme based on the Alternating Direction Method of Multipliers that minimizes not only the training loss of an NN but also its Lipschitz constant resulting in a semidefinite programming based training procedure that promotes robustness. We design two versions of this training procedure. The first one includes a regularizer that penalizes an accurate upper bound on the Lipschitz constant. The second one allows to enforce a desired Lipschitz bound on the NN at all times during training. Finally, we provide two examples to show that the proposed framework successfully increases the robustness of NNs.
AbstractList Due to their susceptibility to adversarial perturbations, neural networks (NNs) are hardly used in safety-critical applications. One measure of robustness to such perturbations in the input is the Lipschitz constant of the input-output map defined by an NN. In this letter, we propose a framework to train multi-layer NNs while at the same time encouraging robustness by keeping their Lipschitz constant small, thus addressing the robustness issue. More specifically, we design an optimization scheme based on the Alternating Direction Method of Multipliers that minimizes not only the training loss of an NN but also its Lipschitz constant resulting in a semidefinite programming based training procedure that promotes robustness. We design two versions of this training procedure. The first one includes a regularizer that penalizes an accurate upper bound on the Lipschitz constant. The second one allows to enforce a desired Lipschitz bound on the NN at all times during training. Finally, we provide two examples to show that the proposed framework successfully increases the robustness of NNs.
Author Berberich, Julian
Pauli, Patricia
Allgower, Frank
Koch, Anne
Kohler, Paul
Author_xml – sequence: 1
  givenname: Patricia
  orcidid: 0000-0001-5677-7095
  surname: Pauli
  fullname: Pauli, Patricia
  email: patricia.pauli@ist.uni-stuttgart.de
  organization: Institute for Systems Theory and Automatic Control, University of Stuttgart, Stuttgart, Germany
– sequence: 2
  givenname: Anne
  orcidid: 0000-0002-8213-2247
  surname: Koch
  fullname: Koch, Anne
  email: anne.koch@ist.uni-stuttgart.de
  organization: Institute for Systems Theory and Automatic Control, University of Stuttgart, Stuttgart, Germany
– sequence: 3
  givenname: Julian
  orcidid: 0000-0001-6366-6238
  surname: Berberich
  fullname: Berberich, Julian
  email: julian.berberich@ist.uni-stuttgart.de
  organization: Institute for Systems Theory and Automatic Control, University of Stuttgart, Stuttgart, Germany
– sequence: 4
  givenname: Paul
  orcidid: 0000-0003-4699-0735
  surname: Kohler
  fullname: Kohler, Paul
  email: paulkohler@posteo.de
  organization: Institute for Systems Theory and Automatic Control, University of Stuttgart, Stuttgart, Germany
– sequence: 5
  givenname: Frank
  orcidid: 0000-0002-3702-3658
  surname: Allgower
  fullname: Allgower, Frank
  email: frank.allgower@ist.uni-stuttgart.de
  organization: Institute for Systems Theory and Automatic Control, University of Stuttgart, Stuttgart, Germany
BookMark eNp9j9FKwzAUhoNMcM69gN70BTrPSZM0udShUygKbrvwqqRpqtHajiRD9Ond3BDxwqv_wM93fr5jMuj6zhJyijBBBHVeTOeP8wkFipMMODDGDsiQspynyLgY_LqPyDiEFwBASXOgakjEwmvXue4peeirdYjJnV173W4ivvf-NSTLsC0Ltwrm2cXP5LJfd3U4IYeNboMd73NEltdXi-lNWtzPbqcXRWqoyGMqqlpxbtA03CpeGyGBKVqbugGJmUCpUTZMKquEpjTnWiiOFAzDyuai1tmI0N1f4_sQvG3KlXdv2n-UCOVWvvyWL7fy5V5-A8k_kHFRR9d3cSPb_o-e7VBnrf3ZUhkqVDL7AkX-aPQ
CODEN ICSLBO
CitedBy_id crossref_primary_10_1109_LCSYS_2022_3150719
crossref_primary_10_1016_j_automatica_2023_111487
crossref_primary_10_1109_TAC_2021_3069388
crossref_primary_10_1016_j_neunet_2024_107086
crossref_primary_10_1016_j_ifacol_2024_10_193
crossref_primary_10_1103_PhysRevResearch_6_043326
crossref_primary_10_1109_MCS_2024_3466448
crossref_primary_10_1007_s11760_023_02931_2
crossref_primary_10_1137_22M1504573
crossref_primary_10_1145_3635159
crossref_primary_10_1109_LCSYS_2023_3285720
crossref_primary_10_1137_22M149689X
crossref_primary_10_1049_cth2_12719
crossref_primary_10_2298_CSIS220703019Z
crossref_primary_10_1016_j_conengprac_2024_106041
crossref_primary_10_1109_OJAP_2022_3170798
crossref_primary_10_1007_s11590_022_01958_7
crossref_primary_10_2139_ssrn_4217092
crossref_primary_10_1016_j_cam_2023_115667
crossref_primary_10_1016_j_automatica_2023_111237
crossref_primary_10_1115_1_4063474
crossref_primary_10_3390_math11112466
crossref_primary_10_1109_TCSI_2024_3386506
crossref_primary_10_1016_j_automatica_2023_111233
crossref_primary_10_1109_OJCSYS_2022_3186838
crossref_primary_10_1109_TSG_2023_3239548
crossref_primary_10_1016_j_robot_2024_104901
crossref_primary_10_1109_ACCESS_2024_3434617
crossref_primary_10_1109_JBHI_2024_3404883
crossref_primary_10_3390_electronics13142721
crossref_primary_10_1016_j_ifacol_2023_10_1219
crossref_primary_10_3389_frsip_2022_794469
crossref_primary_10_1016_j_ifacol_2022_07_306
crossref_primary_10_1017_S0960129523000142
crossref_primary_10_1109_TRO_2024_3392079
crossref_primary_10_1007_s10515_022_00337_x
crossref_primary_10_1016_j_compchemeng_2023_108365
crossref_primary_10_1016_j_patcog_2022_108889
crossref_primary_10_1145_3648351
crossref_primary_10_1137_22M151861X
crossref_primary_10_1016_j_sysconle_2024_105753
crossref_primary_10_1109_TAC_2023_3294101
crossref_primary_10_1109_TAC_2022_3218944
crossref_primary_10_1002_rnc_6560
crossref_primary_10_1109_ACCESS_2022_3189363
Cites_doi 10.1137/19M1272780
10.1109/SP.2016.41
10.1007/s10915-018-0757-z
10.1038/nature14539
10.1561/2200000016
10.1109/CACSD.2004.1393890
ContentType Journal Article
DBID 97E
RIA
RIE
AAYXX
CITATION
DOI 10.1109/LCSYS.2021.3050444
DatabaseName IEEE All-Society Periodicals Package (ASPP) 2005-present
IEEE All-Society Periodicals Package (ASPP) 1998-Present
IEEE Electronic Library (IEL)
CrossRef
DatabaseTitle CrossRef
DatabaseTitleList
Database_xml – sequence: 1
  dbid: RIE
  name: IEEE Electronic Library (IEL)
  url: https://proxy.k.utb.cz/login?url=https://ieeexplore.ieee.org/
  sourceTypes: Publisher
DeliveryMethod fulltext_linktorsrc
EISSN 2475-1456
EndPage 126
ExternalDocumentID 10_1109_LCSYS_2021_3050444
9319198
Genre orig-research
GrantInformation_xml – fundername: Patricia Pauli, Anne Koch
– fundername: International Max Planck Research School for Intelligent Systems (IMPRS-IS)
– fundername: Deutsche Forschungsgemeinschaft (DFG, German Research Foundation) through Germany’s Excellence Strategy—EXC
  grantid: 2075 - 390740016
  funderid: 10.13039/501100001659
GroupedDBID 0R~
6IK
97E
AAJGR
AASAJ
AAWTH
ABAZT
ABJNI
ABQJQ
ABVLG
ACGFS
AGQYO
AHBIQ
AKJIK
ALMA_UNASSIGNED_HOLDINGS
ATWAV
BEFXN
BFFAM
BGNUA
BKEBE
BPEOZ
EBS
EJD
IFIPE
IPLJI
JAVBF
OCL
RIA
RIE
AAYXX
CITATION
RIG
ID FETCH-LOGICAL-c267t-6bd955c1cf5e95dc680492dcdf0813618a18f489e96a2275a695120c41be76da3
IEDL.DBID RIE
ISSN 2475-1456
IngestDate Thu Apr 24 23:07:50 EDT 2025
Tue Jul 01 04:06:36 EDT 2025
Wed Aug 27 02:26:22 EDT 2025
IsPeerReviewed true
IsScholarly true
Language English
LinkModel DirectLink
MergedId FETCHMERGED-LOGICAL-c267t-6bd955c1cf5e95dc680492dcdf0813618a18f489e96a2275a695120c41be76da3
ORCID 0000-0002-8213-2247
0000-0001-6366-6238
0000-0003-4699-0735
0000-0002-3702-3658
0000-0001-5677-7095
PageCount 6
ParticipantIDs ieee_primary_9319198
crossref_primary_10_1109_LCSYS_2021_3050444
crossref_citationtrail_10_1109_LCSYS_2021_3050444
ProviderPackageCode CITATION
AAYXX
PublicationCentury 2000
PublicationDate 20220000
2022-00-00
PublicationDateYYYYMMDD 2022-01-01
PublicationDate_xml – year: 2022
  text: 20220000
PublicationDecade 2020
PublicationTitle IEEE control systems letters
PublicationTitleAbbrev LCSYS
PublicationYear 2022
Publisher IEEE
Publisher_xml – name: IEEE
References wong (ref7) 2018
gouk (ref17) 2018
krogh (ref19) 1991
collobert (ref2) 2011; 12
lee (ref23) 2016
ref10
szegedy (ref4) 2013
fazlyab (ref13) 2019
cisse (ref16) 2017
hein (ref18) 2017
madry (ref8) 2017
lecun (ref3) 2015; 521
ref24
goodfellow (ref5) 2014
ref22
(ref25) 2019
ref21
virmaux (ref11) 2018
weng (ref14) 2018
jordan (ref15) 2020
tsuzuku (ref9) 2018
latorre (ref12) 2020
ref6
krizhevsky (ref1) 2012
fazlyab (ref20) 2019
lecun (ref26) 2020
References_xml – start-page: 950
  year: 1991
  ident: ref19
  article-title: A simple weight decay can improve generalization
  publication-title: Proc NeurIPS
– start-page: 1097
  year: 2012
  ident: ref1
  article-title: Imagenet classification with deep convolutional neural networks
  publication-title: Proc NeurIPS
– volume: 12
  start-page: 2493
  year: 2011
  ident: ref2
  article-title: Natural language processing (almost) from scratch
  publication-title: J Mach Learn Res
– start-page: 2266
  year: 2017
  ident: ref18
  article-title: Formal guarantees on the robustness of a classifier against adversarial manipulation
  publication-title: Proc NeurIPS
– year: 2019
  ident: ref25
  publication-title: The MOSEK optimization toolbox for MATLAB manual Version 9 0
– year: 2019
  ident: ref20
  publication-title: Efficient and accurate estimation of lipschitz constants for deep neural networks
– start-page: 854
  year: 2017
  ident: ref16
  article-title: Parseval networks: Improving robustness to adversarial examples
  publication-title: Proc ICML
– start-page: 3839
  year: 2018
  ident: ref11
  article-title: Lipschitz regularity of deep neural networks: analysis and efficient estimation
  publication-title: Proc NeurIPS
– year: 2018
  ident: ref14
  publication-title: Towards Fast Computation of Certified Robustness for ReLU Networks
– ident: ref10
  doi: 10.1137/19M1272780
– year: 2013
  ident: ref4
  publication-title: Intriguing properties of neural networks
– ident: ref6
  doi: 10.1109/SP.2016.41
– ident: ref22
  doi: 10.1007/s10915-018-0757-z
– year: 2020
  ident: ref26
  publication-title: The MNIST Database of Handwritten Digits
– volume: 521
  start-page: 436
  year: 2015
  ident: ref3
  article-title: Deep learning
  publication-title: Nature
  doi: 10.1038/nature14539
– year: 2020
  ident: ref15
  publication-title: Exactly computing the local Lipschitz constant of ReLU networks
– year: 2018
  ident: ref17
  publication-title: Regularisation of neural networks by enforcing lipschitz continuity
– ident: ref21
  doi: 10.1561/2200000016
– ident: ref24
  doi: 10.1109/CACSD.2004.1393890
– start-page: 5283
  year: 2018
  ident: ref7
  article-title: Provable defenses against adversarial examples via the convex outer adversarial polytope
  publication-title: Proc ICML
– start-page: 11423
  year: 2019
  ident: ref13
  article-title: Efficient and accurate estimation of Lipschitz constants for deep neural networks
  publication-title: Proc NeurIPS
– year: 2017
  ident: ref8
  publication-title: Towards deep learning models resistant to adversarial attacks
– year: 2020
  ident: ref12
  publication-title: Lipschitz constant estimation of neural networks via sparse polynomial optimization
– start-page: 6542
  year: 2018
  ident: ref9
  article-title: Lipschitz-margin training: Scalable certification of perturbation invariance for deep neural networks
  publication-title: Proc NeurIPS
– start-page: 1246
  year: 2016
  ident: ref23
  article-title: Gradient descent only converges to minimizers
  publication-title: Proc COLT
– year: 2014
  ident: ref5
  publication-title: Explaining and Harnessing Adversarial Examples
SSID ssj0001827029
Score 2.567447
Snippet Due to their susceptibility to adversarial perturbations, neural networks (NNs) are hardly used in safety-critical applications. One measure of robustness to...
SourceID crossref
ieee
SourceType Enrichment Source
Index Database
Publisher
StartPage 121
SubjectTerms Artificial neural networks
Estimation
Linear matrix inequalities
neural networks
Neurons
Perturbation methods
Robustness
Training
Upper bound
Title Training Robust Neural Networks Using Lipschitz Bounds
URI https://ieeexplore.ieee.org/document/9319198
Volume 6
hasFullText 1
inHoldings 1
isFullTextHit
isPrint
link http://utb.summon.serialssolutions.com/2.0.0/link/0/eLvHCXMwjV1JS8NAFB7anry4UMW6kYM3TZqZZKaZoxZLkbYH20I9hdkCorTFJJf-et9M0rog4i2ENzB8POZ9b0foOqOSC6rg9QOu78dShL7AWexLLUmkTJgJlzEdT9hwHj8u6KKBbne9MMYYV3xmAvvpcvl6pUobKuty0BdwkpuoCY5b1av1GU9JbGcV3_bFhLw76k-fp-ABEhyAUtu5aN9sz5dlKs6WDA7QeHuLqoTkNSgLGajNjwGN_73mIdqvSaV3V2nBEWqYZRuxWb39wXtayTIvPDuHA6QmVeF37rlqAW_0ss5tLmHj3dsNS_kxmg8eZv2hX29J8BVhvcJnUnNKFVYZNZxqxRIg_UQrnYG1jxhOBE6yOOGGM0FIjwoGpIqEKsbS9JgW0QlqLVdLc4o8HQNZwOBXAuuLRci4lFEEr6HBRlCSZB2Et_ilqh4hbjdZvKXOlQh56jBPLeZpjXkH3ezOrKsBGn9Kty2eO8kayrPff5-jPWK7EVxE5AK1ivfSXAJHKOSVU44P0zC4WA
linkProvider IEEE
linkToHtml http://utb.summon.serialssolutions.com/2.0.0/link/0/eLvHCXMwjV3NS8MwFA9zHvTiB1Ocnz14025N2mTNUYdjareD22CeSpKmIMo2bHvZX-9L2s0PRLyV8gLhxyPv974Rukyp5IIqeP2A67uBFJ4rcBq4MpHEV9pLhc2YDoasPwkepnRaQ9frXhittS0-0y3zaXP5yVwVJlTW5qAv4CRvoE2w-xSX3VqfEZXQ9FbxVWeMx9tRd_Q8Ah-Q4BaotZmM9s36fFmnYq1JbxcNVvcoi0heW0UuW2r5Y0Tjfy-6h3YqWunclHqwj2p61kBsXO1_cJ7msshyx0ziAKlhWfqdObZewIleFpnJJiydW7NjKTtAk97duNt3qz0JriKsk7tMJpxShVVKNaeJYiHQfpKoJAV77zMcChymQcg1Z4KQDhUMaBXxVICl7rBE-IeoPpvP9BFykgDoAgbPEnhfIDzGpfR9eA811oKSMG0ivMIvVtUQcbPL4i22zoTHY4t5bDCPK8yb6Gp9ZlGO0PhTumHwXEtWUB7__vsCbfXHgyiO7oePJ2ibmN4EGx85RfX8vdBnwBhyeW4V5QOjW7uh
openUrl ctx_ver=Z39.88-2004&ctx_enc=info%3Aofi%2Fenc%3AUTF-8&rfr_id=info%3Asid%2Fsummon.serialssolutions.com&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=article&rft.atitle=Training+Robust+Neural+Networks+Using+Lipschitz+Bounds&rft.jtitle=IEEE+control+systems+letters&rft.au=Pauli%2C+Patricia&rft.au=Koch%2C+Anne&rft.au=Berberich%2C+Julian&rft.au=Kohler%2C+Paul&rft.date=2022&rft.issn=2475-1456&rft.eissn=2475-1456&rft.volume=6&rft.spage=121&rft.epage=126&rft_id=info:doi/10.1109%2FLCSYS.2021.3050444&rft.externalDBID=n%2Fa&rft.externalDocID=10_1109_LCSYS_2021_3050444
thumbnail_l http://covers-cdn.summon.serialssolutions.com/index.aspx?isbn=/lc.gif&issn=2475-1456&client=summon
thumbnail_m http://covers-cdn.summon.serialssolutions.com/index.aspx?isbn=/mc.gif&issn=2475-1456&client=summon
thumbnail_s http://covers-cdn.summon.serialssolutions.com/index.aspx?isbn=/sc.gif&issn=2475-1456&client=summon