In order to train networks for verified adversarial robustness, previous work typically over-approximates the worst-case loss over (subsets of) perturbation regions or induces verifiability on top of adversarial training. The key to state-of-the-art performance lies in the expressivity of the employed loss function, which should be able to match the tightness of the verifiers to be employed post-training. We formalize a definition of expressivity, and show that it can be satisfied via simple convex combinations between adversarial attacks and IBP bounds. We then show that the resulting algorithms, named CC-IBP and MTL-IBP, yield state-of-the-art results across a variety of settings in spite of their conceptual simplicity. In particular, for $\ell_\infty$ perturbations of radius $\frac{1}{255}$ on TinyImageNet and downscaled ImageNet, MTL-IBP improves on the best standard and verified accuracies from the literature by $1.98$ to $3.92$ percentage points while only relying on single-step adversarial attacks.
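The abstract describes the two ingredients being combined (a single-step adversarial attack and IBP bounds) without showing how either is computed. The following is an added illustration written for this page, not code from the paper or its authors: it propagates interval bounds through a constructed two-layer ReLU network, runs a single-step sign-gradient attack inside the same $\ell_\infty$ ball, and forms the two convex combinations. The weights, input, radius and $\alpha$ are made up, and the exact CC-IBP / MTL-IBP loss definitions are assumptions based on the abstract's wording (CC-IBP combines the logit-difference bounds before the loss; MTL-IBP combines the two losses), not formulas the page confirms.

```python
"""IBP bounds, a one-step attack and their convex combinations on a toy
ReLU network. Added example (not the paper's code); the CC-IBP/MTL-IBP
forms below are an assumption drawn from the abstract's description."""
import numpy as np

# Constructed toy network: 2 inputs -> 3 hidden ReLU units -> 2 classes.
W1 = np.array([[1.0, -1.0], [0.5, 2.0], [-1.5, 0.5]])
b1 = np.array([0.1, -0.2, 0.0])
W2 = np.array([[1.0, -1.0, 0.5], [-0.5, 1.0, 1.0]])
b2 = np.array([0.0, 0.1])


def forward(x):
    """Return (pre-activation, hidden activation, logits)."""
    pre = W1 @ x + b1
    h = np.maximum(pre, 0.0)
    return pre, h, W2 @ h + b2


def affine_bounds(W, b, lo, hi):
    """IBP through an affine map: the centre moves with W, the radius with |W|."""
    c, r = (lo + hi) / 2.0, (hi - lo) / 2.0
    c2, r2 = W @ c + b, np.abs(W) @ r
    return c2 - r2, c2 + r2


def ibp_logit_diff_upper(x, y, eps):
    """Upper bound on z_j - z_y for every class j over the l_inf ball of radius
    eps around x, intersected with the [0, 1] input domain."""
    lo, hi = np.clip(x - eps, 0.0, 1.0), np.clip(x + eps, 0.0, 1.0)
    lo, hi = affine_bounds(W1, b1, lo, hi)
    lo, hi = np.maximum(lo, 0.0), np.maximum(hi, 0.0)  # ReLU is monotone
    # Bound the difference directly: (W2[j] - W2[y]) is one more affine map,
    # which is tighter than subtracting two separately bounded logits.
    Wd, bd = W2 - W2[y], b2 - b2[y]
    _, upper = affine_bounds(Wd, bd, lo, hi)
    return upper


def fgsm_logit_diff(x, y, eps):
    """Single-step sign-gradient attack on the cross-entropy loss, returning
    the attacked logit differences z_j - z_y."""
    pre, h, z = forward(x)
    p = np.exp(z - z.max())
    p /= p.sum()
    dz = p.copy()
    dz[y] -= 1.0                              # dCE/dz = softmax - onehot
    dpre = (W2.T @ dz) * (pre > 0)            # back through the ReLU
    dx = W1.T @ dpre
    x_adv = np.clip(x + eps * np.sign(dx), 0.0, 1.0)
    z_adv = forward(x_adv)[2]
    return z_adv - z_adv[y]


def logsumexp(d):
    m = d.max()
    return m + np.log(np.exp(d - m).sum())


def cc_ibp_loss(d_adv, d_ibp, alpha):
    """Assumed CC-IBP form: combine the logit differences, then take the loss.
    Since d_y == 0, cross-entropy equals logsumexp of the differences."""
    return logsumexp((1 - alpha) * d_adv + alpha * d_ibp)


def mtl_ibp_loss(d_adv, d_ibp, alpha):
    """Assumed MTL-IBP form: combine the adversarial and IBP losses."""
    return (1 - alpha) * logsumexp(d_adv) + alpha * logsumexp(d_ibp)


def demo(x=np.array([0.6, 0.3]), y=0, eps=0.1, alpha=0.5):
    """Constructed input; returns both bounds, a soundness check and both losses."""
    d_adv = fgsm_logit_diff(x, y, eps)
    d_ibp = ibp_logit_diff_upper(x, y, eps)
    return {
        "d_adv": d_adv,
        "d_ibp": d_ibp,
        "sound": bool(np.all(d_adv <= d_ibp + 1e-9)),
        "cc": cc_ibp_loss(d_adv, d_ibp, alpha),
        "mtl": mtl_ibp_loss(d_adv, d_ibp, alpha),
    }


if __name__ == "__main__":
    print(demo())
```

Two properties are worth checking by hand on the output: the attacked logit differences never exceed the IBP upper bounds (the bound is sound, so any attack is a lower bound on the worst case), and because logsumexp is convex and monotone, the CC-IBP loss lies between the adversarial and IBP losses and never exceeds the MTL-IBP loss at the same $\alpha$; $\alpha$ is the knob that interpolates between attack and over-approximation.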