Adversarial Training of Two-Layer Polynomial and ReLU Activation Networks via Convex Optimization

1. To clarify, it seems to me that the program (12) is equivalent to the first two constriants in program (15) since (14) is an iff condition, is that correct? Moreover, is there an optimality guarantee or error analysis for the program (16)? Additionally, I’m curious about how many samples from [P] would be sufficient to obtain an adequately approximate solution. Further discussion or empirical results on this would be valuable.

2. Is there a specific reason why bias terms are omitted? What are the main challenges in considering bias terms? Furthermore, did the authors encounter any difficulties in generalizing the results to deeper networks (even without bias terms)? I assume the program would become significantly more complicated, but technically it feels feasible...?

3. How were $\beta$ and $r$ chosen in the experiments? Perhaps I missed it, but did authors report the values of the tuning parameters $\rho$ for (16)? Also, why were different $r$ values selected for polynomial and ReLU activations? Any justifications would be helpful. The authors mention, "polynomial activation networks excel when data is scarce... For applications where data is more abundant, the ReLU formulation is cheaper and likely to provide better results," but there is no direct comparison between adversarial ReLU and adversarial polynomial in abundant-data settings. Could the authors elaborate on this point?

4. Is there a specific reason why the results for adversarial polynomial are reported only on 1% of CIFAR-10? Is this due to computational costs? It would be helpful if the authors could report training times across all results, particularly the run time comparisons of adversarial polynomial, adversarial ReLU, and other adversarial benchmarks.

• Could the authors consider additional convex activation functions and derive their corresponding reformulations? This would be a valuable contribution.
• The trade-off between clean accuracy and adversarial robustness has always been a critical issue in adversarial training. The authors are advised to report the accuracy of their adversarial trained models on clean samples.
• The experiment results on CIFAR-10 demonstrate that the adversarial trained network achieves approximately 40% accuracy against FGSM attacks ($l_\infty=8/255$). However, many state-of-the-art defense methods achieve better results. It would be beneficial for the authors to explain whether this relates to any conflicts with the optimality of their proofs.

I have plenty of questions about the paper, which leads me to believe that the paper is not ready for publication.

The main contribution of the paper is Theorem 3.1, which proves that the optimal solutions to the adversarial training objective (Equation 10) can be recovered from the optimal solutions to its convex reformulation (Equation 11) with polynomial activation networks and $\ell_2$ perturbations. The motivation for proving such a result seems to originate from a previous work (Bai et al. 2022), claiming that convexly trained neural networks enjoy greater interpretability and reproducibility. Although this claim intuitively makes sense, it is not well-explained in the context of learning an adversarially robust neural network. Generally speaking, there is a lack of detailed discussions and results regarding the implications of Theorem 3.1. To my knowledge, it is unclear whether this is potentially an important contribution to advancing the research field of adversarial machine learning. Besides, it’s recommended for the authors to discuss their assumptions, e.g., whether Theorem 3.1 can be applied to general $\ell_p$ perturbations and ReLU-activated neural nets.

Regarding the experiments, Section 4 considers FGSM attacks for $\ell_\infty$ perturbations. There is an obvious gap compared with the setting considered for Theorem 3.1. It has been shown in the literature that FGSM tends to underestimate the adversarial power with respect to $\ell_\infty$ perturbations - FGSM attack simply cannot approximate the worst-case in many cases. It is suggested that the adversarial robustness should be evaluated using stronger attacks, such as PGD attack [1] and Auto Attack [2]. $\ell_2$ perturbations should also be tested, which is more aligned with the theoretical settings. In addition, I think the authors should provide comparison results of their adversarial convex program with adversarial training [1], showcasing whether both lead to a similar set of model weights and comparable robustness performance. From my point of view, the set of presented experiments is fairly limited, which does not support the main argument of the paper well.

[1] Towards Deep Learning Models Resistant to Adversarial Attacks, https://arxiv.org/pdf/1706.06083

[2] Reliable Evaluation of Adversarial Robustness with an Ensemble of Diverse Parameter-free Attacks, https://arxiv.org/pdf/2003.01690

Other Comments and Questions:

1. The authors should do a better literature review on adversarially robust learning. There are only a few citations and fairly limited discussions of existing works, making it difficult for readers to see the paper's position within the relevant literature clearly.

2. A line of existing work develops certified methods to train an adversarially robust network, e.g., [3, 4]. They also reformulate the problem into a convex optimization problem. Can the authors provide some discussions?

3. The presentation of the paper should be largely improved. Sections 2 and 3 contain too many mathematical notations and equations, which take up lots of space. These equations should be simplified and replaced by other important discussions or results. In the title, there is even a typo regarding the word “Polyomial.” The authors should really proofread their manuscript more carefully before submitting the paper.

[3] Certified defenses against adversarial examples, https://arxiv.org/pdf/1801.09344

[4] Provable defenses against adversarial examples via the convex outer adversarial polytope, https://arxiv.org/pdf/1711.00851

N/A