Modern machine learning models are sensitive to the manipulation of both the training data (poisoning attacks) and inference data (adversarial examples). Recognizing this issue, the community has developed many empirical defenses against both attacks and, more recently, provable certification methods against inference-time attacks. However, such guarantees are still largely lacking for training-time attacks. In this work, we present FullCert, the first end-to-end certifier with sound, deterministic bounds, which proves robustness against both training-time and inference-time attacks. We first bound all possible perturbations an adversary can make to the training data under the considered threat model. Using these constraints, we bound the perturbations' influence on the model's parameters. Finally, we bound the impact of these parameter changes on the model's prediction, resulting in joint robustness guarantees against poisoning and adversarial examples. To facilitate this novel certification paradigm, we combine our theoretical work with a new open-source library BoundFlow, which enables model training on bounded datasets. We experimentally demonstrate FullCert's feasibility on two different datasets.
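To make the three-step pipeline concrete, here is an added toy example (not code from the paper or from BoundFlow) that uses plain interval arithmetic as a stand-in for bounded training: each training input may be shifted by up to `eps` (the assumed poisoning budget), gradient descent on a 1-D linear model is run over those intervals so the parameters come out as sound bounds, and an inference-time interval is then pushed through the bounded model to certify the predicted sign. The dataset, learning rate and step count are constructed assumptions.

```python
from typing import List, Optional, Tuple

Interval = Tuple[float, float]  # closed interval (lo, hi)

def add(a: Interval, b: Interval) -> Interval:
    return (a[0] + b[0], a[1] + b[1])

def mul(a: Interval, b: Interval) -> Interval:
    # Sound product: the extremes lie among the four endpoint products.
    p = (a[0] * b[0], a[0] * b[1], a[1] * b[0], a[1] * b[1])
    return (min(p), max(p))

def scale(a: Interval, c: float) -> Interval:
    return (a[0] * c, a[1] * c) if c >= 0 else (a[1] * c, a[0] * c)

def bounded_train(xs: List[float], ys: List[float], eps: float,
                  lr: float = 0.1, steps: int = 3) -> Tuple[Interval, Interval]:
    """Steps 1+2: bound the training data (each x_i within +/- eps), then run
    gradient descent on squared loss for y = w*x + b with interval arithmetic,
    so the returned (w, b) intervals cover every dataset the adversary could
    produce under that budget (over-approximation, never under-approximation)."""
    xb = [(x - eps, x + eps) for x in xs]          # bounded training set
    w, b = (0.0, 0.0), (0.0, 0.0)                   # exact initial parameters
    n = len(xs)
    for _ in range(steps):
        gw, gb = (0.0, 0.0), (0.0, 0.0)
        for xi, yi in zip(xb, ys):
            r = add(add(mul(w, xi), b), (-yi, -yi))   # residual w*x + b - y
            gw = add(gw, mul(r, xi))                  # d(loss)/dw summand
            gb = add(gb, r)                           # d(loss)/db summand
        w = add(w, scale(gw, -2.0 * lr / n))          # w -= lr * mean gradient
        b = add(b, scale(gb, -2.0 * lr / n))
    return w, b

def certified_sign(w: Interval, b: Interval, x: float,
                   eps_test: float) -> Optional[int]:
    """Step 3: bound the prediction under an inference-time perturbation of
    +/- eps_test and certify the class (sign) only if the whole output
    interval agrees; None means no joint poisoning+evasion guarantee."""
    out = add(mul(w, (x - eps_test, x + eps_test)), b)
    if out[0] > 0:
        return 1
    if out[1] < 0:
        return -1
    return None

# Constructed toy data: sign classification of a scalar feature.
XS, YS = [-2.0, -1.0, 1.0, 2.0], [-1.0, -1.0, 1.0, 1.0]

if __name__ == "__main__":
    w, b = bounded_train(XS, YS, eps=0.05)
    print("w in", w, "b in", b)
    for x in (1.5, -1.5, 0.0):
        print(x, "->", certified_sign(w, b, x, eps_test=0.1))
```

With `eps=0` the intervals collapse to the ordinary point-trained parameters, which is a quick soundness check to keep alongside the bounded run.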