BiCert: A Blinear Mixed Integer Programming Formulation for Precise Certified Bounds Against Data Poisoning Attacks

The following weaknesses will be divided into two sections: initially I will discuss major weaknesses that need to be highlighted, before a more general commentary covering indicative examples of issues with presentation and writing.

• Section 2 really doesn't provide much context as to why the authors have taken the approach they have taken, and would be relatively inaccessible to a reader who does not know the field.
• If the motivating threat model is that an attacker could replace data online, that would then be scraped and ingested into a model to induce a poisoning attack - why would an attacker maintain an \ell_p norm bounded perturbation on their input. The threat model would suggest that all inputs would be modified, however this does not align with the actual mechanism of implementing this threat.
• Appears to only applies to ReLU style architectures - highly limited in applicability. I appreciate that the authors are following on from several 2024 works in this same space, which suggests that this is the state of the art in the area - but when randomised approaches do not need to consider such architectural limitations, then this would appear to be a significant step away from what is possible, for questionable gain.
• Perturbation radii are listed at 10^(-4), 10^(-3) and 10^(-2), seemingly without acknowledging the norm of the perturbation? These are shockingly small perturbations. Though obviously there is an impact of perturbations of size 10^(-2) because the reference certifications are affected at this size, but still, these sizes seem pointlessly small. In an image based context for example, changing a single pixel by one value (in pixel space) produces a norm of just under 0.004. That we are talking about changes below the pixel resolution suggests that perturbation inputs are not clipped to feasible inputs, making the poisoning detectable and defeatable by any naive approach.
• Computational times presented in terms of second per epoch makes it difficult to interpret how total training time would be affected. Training over 10 epochs would appear to require 6.8 hours at \epsilon = 0.01
• Computational time comparisons fail to contextualise against the reference techniques they assessed.
• Authors mention they use Gurobi, but the neural network framework and the computational architecture are only referenced in the appendices - both would be important points for understanding and assessing the value of this work as a reader.
• Two-Moons as a sole point of comparison is not within community expectations.

More general weaknesses, with a focus upon providing indicative examples of writing style issues:

• Statements like "one of the most significant threats to the integrity" are made without a) explaining what these poisoning attacks are, and b) explaining why they're a significant threat.
• More broadly the introduction tended to explain the impact of things before explaining what they are, which may make it more difficult to access by a reader who is less familiar with the field. For example data poisoning, attackers, and foundation models are all concepts that are introduced under the assumption that the reader understands them.
• in "their respective reports" - this implies that a singular report is possible from the US, and from Europe. "Both the US and Europe have respectively recognised..." would make more grammatical sense.
• S1 P2 starts off talking about detecting or preventing attacks, and then sentence two is solely focused upon detection - grammatically this doesn't flow.
• "these defences" - but at this stage the subject of the sentence is the attacks, so these is not targeted to the right subject.
• Citations for provably guarantees (see 48-49) for poisoning suggests that this is only something that has come into play in 2024, as both cites are from this year. However there are other, earlier examples, see [1] for example. Moreover there are other non interval, non polyhedral constraint approaches. One could argue that polyhedral based approaches provide deterministic bounds whereas randomised smoothing uses probabilistic (with high confidence) bounds, and this would be a reasonable point if it was explored with nuance. But by failing to acknowledge the existence of other, similar approaches the authors appear to be setting the ground for cherry picked comparisons. That said, the authors do briefly discuss these in Section 2
• L56 "limit the method's scalability for training" cite? The following sentence talks about Lorenz and training time divergence, but this is not necessarily the same issue as scalability.
• Personally I'm not a massive fan of appendix/fig/section/equation being lower case.
• Line 175 "At this stage, we can already see that BiCert's bonds are more precise." - the reader certainly can't. Your next sentence is that you test against IBP to demonstrate a tighter bound.
• Section 3.1 - the authors compare to IBP, but fail to make a strong case as to where the differences betweeen their approach and IBP stem from.
• Line 216 - if you're going to make an isolated statement about this, comments on either a) why it's important or b) when it would not be generally infinite are necessary. Otherwise it's just a single line paragraph with no meaning.
• Line 265 "is the approach to solving eq 5" - grammatically this should be "is our approach for solving". There can be multiple approaches, so a singular the approach is not correct.
• Line 411 "monotone decrease" should be "monotonically decreasing learning rate". The bracketed part of this sentence doesn't make particular sense to me as a reader.

1. The author demonstrates the proposed method only on a basic MLP with ReLU activation and a hinge loss function, without extending it to other commonly used configurations. Specifically, there is no application shown for other activation functions (e.g., tanh, sigmoid, arctan), alternative loss functions (e.g., cross-entropy), or diverse neural structures such as convolutional, attention-based, residual, and recurrent models. This limited scope raises concerns about the broader applicability of the proposed method.
2. The experimental evaluation was conducted on a minimal binary dataset with a simple model containing only 40 neurons. To better validate the effectiveness of the method, experiments in more practical settings are needed, such as using a larger dataset like MNIST and increasing the model complexity.
3. The clean performance of the final model is not reported, and the paper lacks an ablation study examining the influence of hyperparameters. This omission makes it challenging to assess the robustness and adaptability of the method under varied parameter settings.
4. The computational overhead of the proposed method is not thoroughly evaluated, particularly as the baseline computation time without certification is not provided. The available results indicate a potentially very high overhead even in simple settings, which brings into question the practicality of this method for more complex scenarios.

In my view, this paper may still be too preliminary for acceptance at a top-tier conference. Below are some points that I believe should be addressed to strengthen the work:

1. Related Work: The paper does not appear to fully situate itself within the existing body of literature. The primary comparisons are with Lorenz et al. (2024) and Sosnin et al. (2024); however, these works do not thoroughly cover existing research on bound propagation and mixed integer programming for adversarial robustness, which is highly relevant to this study. I recommend reviewing and comparing with additional related work, such as this paper and references therein, to better contextualize the contributions.

2. Problem Statement and Formalism: The paper would benefit from a clearer, more structured problem statement. Currently, the setup is introduced incrementally (e.g., through the example in Section 3.1), without a prior definition of relevant notations and problem terms. It would improve readability to establish the notation, define key spaces and terms, and present the problem formulation explicitly before moving forward with the technical content.

3. Practicality of the Method: The proposed method has only been evaluated on a single, low-dimensional example (Two-Moons), which may be insufficient to convince readers of its practicality. Additional testing on benchmark datasets, such as MNIST or CIFAR, would greatly strengthen the empirical results and demonstrate the method’s broader applicability.

4. Scalability of the Results: While the method achieves better bounds than comparable works, it comes with higher computational costs, especially in later training epochs and with larger perturbation levels. Currently, the method’s significant computational expense, even on a simple dataset, limits its applicability. Future work might consider optimizing the computational load to make the approach more feasible for complex, real-world scenarios.

Even though the proposal is original and well explained, the experimental results do not greatly support the significance of the work.

While the experimental results on larger perturbations than those tested in previous work are appreciated, the considered experimental settings currently does not show the practicability of the proposed algorithm. In particular, the experiments are restricted to the Two-Moons dataset and a very small neural network (a two-layer model with only 20 neurons per layer). This setup is modest compared to the models tested by competitors. For instance, Lorenz et al. (2024) use a three-layer MLP with 40 neurons per layer and the MNIST 1/7 dataset, while Sosnin et al. (2024) includes evaluations on a convolutional neural network with MedMNIST. To demonstrate the broader applicability and significance of the proposed approach, the authors should test BiCert on larger neural networks and datasets, similar to those used in prior work. Moreover, the paper should include a comparison of the time required to certify accuracy for each method, not just the proposed method. This would allow for a more thorough assessment of the trade-off between computational cost and the precision of the analysis, that is already discussed at a high level in Section 6 without supporting experimental evidence.

Minor points There are also some minor points that the authors should address in the next version of their paper, which are detailed in the Questions Section.

Arguments for the score Even though the proposed certification algorithm is original, explained well, and theoretically studied, the experimental evaluation of the paper highlights that this certification algorithm can only be applied to very small neural networks. This fact undermines the significance of the proposal. I am open to increasing my score if the authors address the issues with the experimental evaluation.