Our group will present four papers at this year's NeurIPS. The works cover graph neural networks, ML robustness/certification and TPPs. Links to the papers/preprints will follow soon!
- Yan Scholten, Jan Schuchardt, Aleksandar Bojchevski, Stephan Günnemann
Hierarchical Randomized Smoothing
Randomized smoothing is one of the most promising frameworks for certifying the robustness of machine learning models. Despite its extremely wide applicability, real-world data is often more complex and frequently consists of objects that can be decomposed into multiple entities: images can be decomposed into pixels, and graphs into interconnected nodes. Certifying robustness on such complex data via randomized smoothing is more challenging when adversaries do not arbitrarily perturb entire objects (e.g. images) but only a subset of their entities (e.g. pixels). To verify the robustness of models for such complex data types, we generalize the theory of two robustness certificates based on randomized smoothing. This new theory serves as the basis for new robustness certificates and enables the development of better ML classifiers that are both certifiably robust to perturbations and accurate.
- Jan Schuchardt, Yan Scholten, Stephan Günnemann
Provable Adversarial Robustness for Group Equivariant Tasks: Graphs, Point Clouds, Molecules, and More
The study of robust deep learning has its origins in computer vision, but has since been expanded to a variety of geometric machine learning tasks, such as graph or point cloud classification. We identify that most of these works are conceptually flawed, since they simply transplant notions of robustness from image classification onto geometric machine learning tasks while neglecting their defining property: equivariance. To resolve this shortcoming, we develop a sound notion of robustness for group equivariant tasks. We then address the problem of achieving provable robustness under this notion. In particular, we consider how to exploit the fact that the design of geometric machine learning models is informed by the same equivariances that govern the tasks they are used for. Overall, this work serves as a sound foundation for future work at the intersection of robust and geometric machine learning.
- Lukas Gosch, Simon Geisler, Daniel Sturm, Bertrand Charpentier, Daniel Zügner, Stephan Günnemann
Adversarial Training for Graph Neural Networks: Pitfalls, Solutions, and New Directions
Despite its success in the image domain, adversarial training does not (yet) stand out as an effective defense for Graph Neural Networks (GNNs) against graph structure perturbations. In the pursuit of fixing adversarial training, (1) we show and overcome fundamental theoretical as well as practical limitations of the graph learning setting adopted in prior work; (2) we reveal that more flexible GNNs based on learnable graph diffusion are able to adjust to adversarial perturbations, while the learned message passing scheme is naturally interpretable; (3) we introduce the first attack for structure perturbations that, while targeting multiple nodes at once, is capable of handling global (graph-level) as well as local (node-level) constraints. Combining these contributions, we demonstrate that adversarial training is a state-of-the-art defense against adversarial structure perturbations.
-