Deep neural networks (DNNs) are known to be vulnerable to adversarial geometric transformations. This paper aims to verify the robustness of large-scale DNNs against the combination of multiple geometric transformations with a provable guarantee. Given a set of transformations (e.g., rotation and scaling), we develop GeoRobust, a black-box robustness analyser built upon a novel global optimisation strategy, for locating the worst-case combination of transformations that affect and even alter a network's output. GeoRobust can provide provable guarantees on finding the worst-case combination based on recent advances in Lipschitzian theory. Due to its black-box nature, GeoRobust can be deployed on large-scale DNNs regardless of their architectures, activation functions, and the number of neurons. In practice, GeoRobust can locate the worst-case geometric transformation with high precision for the ResNet50 model on ImageNet in a few seconds on average. We examined 18 ImageNet classifiers, including the ResNet family and vision transformers, and found a positive correlation between the geometric robustness of the networks and their number of parameters. We also observed that increasing the depth of a DNN is more beneficial than increasing its width in terms of improving its geometric robustness. Our tool GeoRobust is available at https://github.com/TrustAI/GeoRobust.
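To make the idea of a black-box search with a Lipschitz-based guarantee concrete, here is an added sketch that is not GeoRobust's code or its optimisation strategy: a plain Lipschitz branch-and-bound over rotation angle and scale that returns a certified lower bound on the classification margin together with the worst combination it found. The toy linear classifier, the constants `W`, `B`, `X`, and the functions `margin`, `certify` and `check` are all assumptions made for illustration.

```python
import heapq
import math

# Constructed toy model (assumption): a linear classifier on one 2-D input stands in for the DNN.
W, B, X = (1.0, 0.5), 0.2, (1.0, 0.3)

def margin(theta, s):
    """Black-box query: margin of the true class after rotating X by theta (rad) and scaling by s."""
    c, n = math.cos(theta), math.sin(theta)
    x, y = s * (c * X[0] - n * X[1]), s * (n * X[0] + c * X[1])
    return W[0] * x + W[1] * y + B

def certify(f, box, lips, eps=1e-3, max_queries=20000):
    """Lipschitz branch-and-bound for min f over box = [(lo, hi), ...].

    lips[i] must bound |df/dparam_i| on the box, so for every cell
    f(centre) - sum(lips[i] * half_width[i]) is a sound lower bound.
    Returns (certified_lower_bound, worst_value_found, worst_point, queries).
    """
    def cell(lo, hi):
        mid = tuple((a + b) / 2 for a, b in zip(lo, hi))
        val = f(*mid)
        slack = sum(k * (b - a) / 2 for k, a, b in zip(lips, lo, hi))
        return (val - slack, val, mid, lo, hi)

    heap = [cell(*zip(*box))]
    _, best_val, best_pt, _, _ = heap[0]
    queries = 1
    while queries < max_queries and best_val - heap[0][0] > eps:
        _, _, mid, lo, hi = heapq.heappop(heap)
        # Split the cell along the dimension that contributes most slack.
        d = max(range(len(lo)), key=lambda i: lips[i] * (hi[i] - lo[i]))
        for a, b in ((lo[d], mid[d]), (mid[d], hi[d])):
            child = cell(lo[:d] + (a,) + lo[d + 1:], hi[:d] + (b,) + hi[d + 1:])
            queries += 1
            if child[1] < best_val:
                best_val, best_pt = child[1], child[2]
            heapq.heappush(heap, child)
    return heap[0][0], best_val, best_pt, queries

def check(max_deg, s_lo=0.8, s_hi=1.2):
    """Certify the toy model for rotations within +/-max_deg and scales in [s_lo, s_hi]."""
    norm = math.hypot(*W) * math.hypot(*X)   # |W||X| bounds the unscaled logit change
    lips = (s_hi * norm, norm)               # bounds on |d margin/d theta| and |d margin/d s|
    r = math.radians(max_deg)
    return certify(margin, [(-r, r), (s_lo, s_hi)], lips)
```

A positive certified lower bound means no combination in the box changes the prediction; a negative worst value is a concrete transformation that does. For a real network the Lipschitz constants are not available in closed form as they are for this toy model.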