An Abstract Domain for Certifying Neural Networks Gagandeep Singh - PowerPoint PPT Presentation

An Abstract Domain for Certifying Neural Networks Gagandeep Singh Timon Gehr Markus Püschel Martin Vechev Department of Computer Science 1

Adversarial input perturbations Neural network f 8 𝐽 " Neural network f 7 𝐽 ∈ 𝑀 % (𝐽 ' , 𝜗) Neural network f 9 2 𝐽 ∈ 𝑆𝑝𝑢𝑏𝑢𝑓(𝐽 ' , 𝜗 , 𝛽, 𝛾)

Neural network robustness Challenges Neural network 𝑔: ℝ 5 ⟶ ℝ 7 The size of ℛ 𝐽 ' , 𝜚 grows exponentially Given: Perturbation region ℛ 𝐽 ' , 𝜚 in the number of pixels: • cannot compute f 𝐽 for all 𝐽 separately 𝑀 % 𝐽 ' , 𝜗 : All images 𝐽 where Prior Work pixel values in 𝐽 and 𝐽 ' differ by • Precise but does not scale: Regions: at most 𝜗 • SMT Solving [CAV’17] Rotate( 𝐽 ' , 𝜗 , 𝛽, 𝛾 ): All images 𝐽 in • Input refinement [USENIX’18] 𝑀 % 𝐽 ' , 𝜗 rotated by 𝜄 ∈ [𝛽, 𝛾] • Semidefinite relaxations [ICLR’18] • Scales but imprecise • Linear relaxations [ICML’18] ∀𝐽 ∈ ℛ 𝐽 ' , 𝜚 . 𝑔 𝑑 > 𝑔(𝑘) • Abstract interpretation [S&P’18, T o Prove: where c is the correct output NIPS’18] and j is any other output 3

This work: contributions A new abstract domain combining floating First approach to certify robustness under rotation combined with linear interpolation : point Polyhedra with Intervals: • based on refinement of the abstract input • custom transformers for common functions in • 𝜗 = 0.001, 𝛽 = −45 I , 𝛾 = 65 I neural networks such as affine transforms, ReLU, sigmoid, tanh, and maxpool activations • scalable and precise analysis Network 𝝑 NIPS’18 DeepPoly DeepPoly: • complete and parallelized end-to-end Ø 6 layers 0.035 proves 21% proves 64% implementation based on ELINA Ø 3010 units 15.8 sec 4.8 sec • https://github.com/eth-sri/eran Ø 6 layers 0.3 proves 37% proves 43% Ø 34,688 units 17 sec 88 sec 4

Our Abstract Domain N constraint with each 𝑦 L M and an upper polyhedral 𝑏 L Shape: associate a lower polyhedral 𝑏 L Concretization of abstract element 𝑏: Domain invariant: store auxiliary concrete lower and upper bounds 𝑚 L , 𝑣 L for each 𝑦 L 𝑜: #neurons, 𝑛: # constraints • less precise than Polyhedra, restriction 𝑥 5WX : max #neurons in a layer, 𝑀 : # layers needed to ensure scalability • captures affine transformation precisely Transformer Polyhedra Our domain unlike Octagon, TVPI Ο(𝑜𝑛 U ) U Affine Ο(𝑥 5WX 𝑀) • custom transformers for ReLU, sigmoid, Ο(exp (𝑜, 𝑛)) Ο(1) ReLU tanh, and maxpool activations 5

Example: Analysis of a Toy Neural Network Input layer Hidden layers Output layer 0 0 1 max (0, 𝑦 ^ ) max (0, 𝑦 ` ) [−1,1] 1 1 1 𝑦 ] 𝑦 ^ 𝑦 _ 𝑦 ` 𝑦 a 𝑦 ]] 1 1 0 1 1 1 𝑦 U 𝑦 b 𝑦 c 𝑦 d 𝑦 ]' 𝑦 ]U [−1,1] −1 −1 1 max (0, 𝑦 b ) max (0, 𝑦 d ) 0 0 0 6

0 0 1 max (0, 𝑦 ^ ) max (0, 𝑦 ` ) [−1,1] 1 1 1 𝑦 ] 𝑦 ^ 𝑦 _ 𝑦 ` 𝑦 a 𝑦 ]] 1 1 0 1 1 1 𝑦 U 𝑦 b 𝑦 c 𝑦 d 𝑦 ]' 𝑦 ]U [−1,1] −1 −1 1 max (0, 𝑦 b ) max (0, 𝑦 d ) 0 0 0 7

ReLU activation Pointwise transformer for 𝑦 g ≔ 𝑛𝑏𝑦(0, 𝑦 L ) that uses 𝑚 L , 𝑣 L M = 𝑏 g N = 0, 𝑚 g = 𝑣 g = 0, 𝑗𝑔 𝑣 L ≤ 0, 𝑏 g max (0, 𝑦 ^ ) M = 𝑏 g N = 𝑦 L , 𝑚 g = 𝑚 L , 𝑣 g = 𝑣 L , 𝑦 ^ 𝑦 _ 𝑗𝑔 𝑚 L ≥ 0, 𝑏 g 𝑗𝑔 𝑚 L < 0 𝑏𝑜𝑒 𝑣 L > 0 𝑦 b 𝑦 c max (0, 𝑦 b ) choose (b) or (c) depending on the area Constant runtime 8

Affine transformation after ReLU 𝑦 _ 1 0 𝑦 ` 𝑦 c 1 N Imprecise upper bound 𝑣 ` by substituting 𝑣 _ , 𝑣 c for 𝑦 _ and 𝑦 c in 𝑏 ` 9

Backsubstitution 𝑦 _ 1 0 𝑦 ` 𝑦 c 1 10

0 max (0, 𝑦 ^ ) 1 𝑦 ] 𝑦 _ 𝑦 ^ 1 1 0 𝑦 ` 1 𝑦 c 1 𝑦 b 𝑦 U −1 max (0, 𝑦 b ) 0 U Affine transformation with backsubstitution is pointwise, complexity: Ο 𝑥 5WX 𝑀 11

0 0 1 max (0, 𝑦 ^ ) max (0, 𝑦 ` ) [−1,1] 1 1 1 𝑦 ] 𝑦 ^ 𝑦 _ 𝑦 ` 𝑦 a 𝑦 ]] 1 1 0 1 1 1 𝑦 U 𝑦 b 𝑦 c 𝑦 d 𝑦 ]' 𝑦 ]U [−1,1] −1 −1 1 max (0, 𝑦 b ) max (0, 𝑦 d ) 0 0 0 12

Checking for robustness Prove 𝑦 ]] − 𝑦 ]U > 0 for all inputs in −1,1 ×[−1,1] Computing lower bound for 𝑦 ]] − 𝑦 ]U using 𝑚 ]] , 𝑣 ]U gives - 1 which is an imprecise result With backsubstitution, one gets 1 as the lower bound for 𝑦 ]] − 𝑦 ]U , proving robustness 13

More complex perturbations: rotations Challenge: Rotate( 𝐽 ' , 𝜗 , 𝛽, 𝛾 ) is non-linear and cannot be captured in our domain unlike 𝑀 % 𝐽 ' , 𝜗 Solution: Over-approximate Rotate( 𝐽 ' , 𝜗 , 𝛽, 𝛾 ) with boxes and use input refinement for precision Result: Prove robustness for networks under Rotate( 𝐽 ' , 0.001 ,-45 ,65 ) 14

More in the paper Sigmoid transformer Tanh transformer Maxpool transformer Floating point soundness 15

Experimental evaluation • Neural network architectures: • fully connected feedforward (FFNN) • convolutional (CNN) • Training: • trained to be robust with DiffAI [ICML’18] and PGD [CVPR’18] • without adversarial training • Datasets: • MNIST • CIFAR10 • DeepPoly vs. state-of-the-art DeepZ [NIPS’18] and Fast-Lin [ICML’18] 16

Results 17

MNIST FFNN (3,010 hidden units) 18

CIFAR10 CNNs (4,852 hidden units) 19

Large Defended CNNs trained via DiffAI [ICML’18] 𝝑 Dataset Model #hidden units %verified robustness Average runtime (s) DeepZ DeepPoly DeepZ DeepPoly MNIST ConvBig 34,688 0.1 97 97 5 50 ConvBig 34,688 0.2 79 78 7 61 ConvBig 34,688 0.3 37 43 17 88 ConvSuper 88,500 0.1 97 97 133 400 CIFAR10 ConvBig 62,464 0.006 50 52 39 322 ConvBig 62,464 0.008 33 40 46 331 20

Conclusion A new abstract domain combining floating point Polyhedra with Intervals: 𝑜: #neurons, 𝑛: # constraints 𝑥 5WX : max #neurons in a layer, 𝑀 : # layers Transformer Polyhedra Our domain Ο(𝑜𝑛 U ) U Affine Ο(𝑥 5WX 𝑀) Ο(exp (𝑜, 𝑛)) Ο(1) ReLU DeepPoly: complete and parallelized end-to-end • implementation based on ELINA https://github.com/eth-sri/eran • 21