Training more secure neural networks by using local linearity regularization

What is claimed is: 1. A method of training a more secure neural network having a plurality of network parameters, the method comprising: obtaining a plurality of training inputs and, for each of the plurality of training inputs, a respective target output for the training input; and training the neural network on each of the plurality of training inputs, comprising: processing each of the training inputs using the neural network and in accordance with current values of the network parameters to generate a respective network output for each of the training inputs; computing a respective loss for each of the training inputs by evaluating a loss function, wherein the loss function measures a difference between (i) an output generated by the neural network by processing an input in an input-output pair and (ii) an output in the input-output pair, and wherein computing the loss for each of the training inputs comprises evaluating the loss function at the input-output pair that includes the training input and the target output for the training input; identifying, from a plurality of possible perturbations, a maximally non-linear perturbation, wherein the maximally non-linear perturbation is a perturbation for which the loss function is most non-linear when evaluated at an input-output pair that includes (i) a perturbed training input generated by applying the possible perturbation to a given training input and (ii) a target output for the given training input; and determining an update to the current values of the parameters of the neural network by performing an iteration of a neural network training procedure to decrease the respective losses for the training inputs and to decrease the non-linearity of the loss function for the identified maximally non-linear perturbation. 2. The method of claim 1 , wherein the training inputs are images. 3. The method of claim 1 , wherein identifying the maximally non-linear perturbation comprises: initializing a perturbation; for each of one or more iterations: for each of the training inputs, generating a respective perturbed training input by applying the perturbation to the training input; for each of the training inputs, processing the perturbed training input using the neural network and in accordance with the current values of the network parameters to generate a network output for the perturbed training input; for each of the training inputs, determining, using the network output for the perturbed training input, a gradient of a local linearity measure with respect to the perturbation and evaluated at the perturbed input for the training input, wherein the local linearity measure measures how non-linear the loss function is when evaluated at an input-output pair that includes (i) the perturbed training input and (ii) the target output for the training input; generating an averaged gradient of the local linearity measure by averaging the gradients for the training inputs; and updating the perturbation using the averaged gradient; and selecting the perturbation after the last iteration of the one or more iterations as the maximally non-linear perturbation. 4. The method of claim 3 , wherein the local linearity measure is an absolute difference between (1) the loss function evaluated at the input-output pair that includes (i) the perturbed training input and (ii) the target output for the training input and (2) a first-order Taylor expansion of the loss function evaluated at the input-output pair. 5. The method of claim 1 , wherein determining the update to the current values of the parameters of the neural network comprises: performing the iteration of the neural network training procedure to minimize a local linearity regularized loss function that measures at least the respective losses for the plurality of training inputs and the non-linearity for the identified maximally non-linear perturbation. 6. The method of claim 5 , wherein performing the iteration of the neural network training procedure comprises: determining a respective gradient with respect to the network parameters of the local linearity regularized loss function for each of the plurality of training examples; determining an averaged gradient with respect to the network parameters from the respective gradients for the plurality of training examples; determining an update to the current values of the network parameters from the averaged gradient; and generating updated values of the network parameters by applying the update to the current values of the network parameters. 7. The method of claim 5 , wherein the local linearity regularized loss function includes a first term that measures an average loss for the plurality of training examples. 8. The method of claim 5 , wherein the local linearity regularized loss function includes a second term that measures an average across the plurality of training inputs of an absolute difference between (i) the loss function evaluated at an input-output pair that includes 1) the training input perturbed with the maximally non-linear perturbation and 2) the target output for the training input and (ii) a first-order Taylor expansion of the loss function evaluated at the input-output pair that includes 1) the training input perturbed with the maximally non-linear perturbation and 2) the target output for the training input. 9. The method of claim 5 , wherein the local linearity regularized loss function includes a third term that measures an average across the plurality of training inputs of an absolute value of a dot product between the maximally non-linear perturbation and a gradient with respect to the training input of the loss function evaluated at the input-output pair that includes the training input and the target output for the training input. 10. A system comprising one or more computers and one or more storage devices storing instructions that when executed by the one or more computers cause the one or more computers to perform operations of training a more secure neural network having a plurality of network parameters, the method comprising: obtaining a plurality of training inputs and, for each of the plurality of training inputs, a respective target output for the training input; and training the neural network on each of the plurality of training inputs, comprising: processing each of the training inputs using the neural network and in accordance with current values of the network parameters to generate a respective network output for each of the training inputs; computing a respective loss for each of the training inputs by evaluating a loss function, wherein the loss function measures a difference between (i) an output generated by the neural network by processing an input in an input-output pair and (ii) an output in the input-output pair, and wherein computing the loss for each of the training inputs comprises evaluating the loss function at the input-output pair that includes the training input and the target output for the training input; identifying, from a plurality of possible perturbations, a maximally non-linear perturbation, wherein the maximally non-linear perturbation is a perturbation for which the loss function is most non-linear when evaluated at an input-output pair that includes (i) a perturbed training input generated by applying the possible perturbation to a given training input and (ii) a target output for the given training input; and determining an update to the current values of the parameters of the neural network by performing an iteration of a neural network training procedure to decrease the respective losses for the training inputs and to decrease the non-linearity of the loss function for the identified maximally