differentiable abstract interpretation for provably
play

Differentiable Abstract Interpretation for Provably Robust Neural - PowerPoint PPT Presentation

Sep 29, 2023 •320 likes •677 views

Differentiable Abstract Interpretation for Provably Robust Neural Networks safeai.ethz.ch Matthew Mirman Timon Gehr Martin Vechev ICML 2018 1 / 27 Adversarial Attack Example of FGSM attack produced by Goodfellow et al. (2014) 2 / 27 L

  1. Differentiable Abstract Interpretation for Provably Robust Neural Networks safeai.ethz.ch Matthew Mirman Timon Gehr Martin Vechev ICML 2018 1 / 27

  2. Adversarial Attack Example of FGSM attack produced by Goodfellow et al. (2014) 2 / 27

  3. L ∞ Adversarial Ball Many developed attacks: Goodfellow et al. (2014); Madry et al. (2018); Evtimov et al. (2017); Athalye & Sutskever (2017); Papernot et al. (2017); Xiao et al. (2018); Carlini & Wagner (2017); Yuan et al. (2017); Tram` er et al. (2017) Ball ǫ ( input ) = { attack | � input − attack � ∞ � ǫ } 3 / 27

  4. L ∞ Adversarial Ball Many developed attacks: Goodfellow et al. (2014); Madry et al. (2018); Evtimov et al. (2017); Athalye & Sutskever (2017); Papernot et al. (2017); Xiao et al. (2018); Carlini & Wagner (2017); Yuan et al. (2017); Tram` er et al. (2017) Ball ǫ ( input ) = { attack | � input − attack � ∞ � ǫ } A net is ǫ -robust at x if it classifies every example in Ball ǫ ( x ) the same and correctly 3 / 27

  5. Adversarial Ball Is attack ∈ Ball ǫ (panda)? attack ǫ ∈ ∈ / ∈ / 0 . 1 ∈ ∈ ∈ / 0 . 5 4 / 27

  6. Prior Work Increase Network Robustness Defense : Train a network so that most inputs are mostly robust. ◮ Madry et al. (2018); Tram` er et al. (2017); Cisse et al. (2017); Yuan et al. (2017); Gu & Rigazio (2014) ◮ Network still attackable 5 / 27

  7. Prior Work Increase Network Robustness Defense : Train a network so that most inputs are mostly robust. ◮ Madry et al. (2018); Tram` er et al. (2017); Cisse et al. (2017); Yuan et al. (2017); Gu & Rigazio (2014) ◮ Network still attackable Certify Robustness Verification : Prove that a network is ǫ -robust at a point ◮ Huang et al. (2017); Pei et al. (2017); Katz et al. (2017); Gehr et al. (2018) ◮ Experimentally robust nets not very certifiably robust ◮ Intuition: not all correct programs are provable 5 / 27

  8. Problem Statement Train a Network to be Certifiably Robust 1 Given: ◮ Net θ with weights θ ◮ Training inputs and labels Find: ◮ θ that maximizes number of inputs we can certify are ǫ -robust 1 Also addressed by: Raghunathan et al. (2018); Kolter & Wong (2017); Dvijotham et al. (2018) 6 / 27

  9. Problem Statement Train a Network to be Certifiably Robust 1 Given: ◮ Net θ with weights θ ◮ Training inputs and labels Find: ◮ θ that maximizes number of inputs we can certify are ǫ -robust Challenge ◮ At least as hard as standard training! 1 Also addressed by: Raghunathan et al. (2018); Kolter & Wong (2017); Dvijotham et al. (2018) 6 / 27

  10. High Level Make certification the training goal ◮ Abstract Interpretation: certify by over-approximating output 2 2 Cousot & Cousot (1977); Gehr et al. (2018) Image Credit: Petar Tsankov 7 / 27

  11. High Level Make certification the training goal ◮ Abstract Interpretation: certify by over-approximating output 2 ◮ Use Automatic Differentiation on Abstract Interpretation 2 Cousot & Cousot (1977); Gehr et al. (2018) Image Credit: Petar Tsankov 7 / 27

  12. Abstract Interpretation Cousot & Cousot (1977) Abstract Interpretation is heavily used in industrial large-scale program analysis to compute over-approximation of program behaviors 3 3 For example by Astr´ ee: Blanchet et al. (2003) 4 f [ γ ( d )] ⊆ γ ( f # ( d )) where f [ s ] is the image of s under f 8 / 27

  13. Abstract Interpretation Cousot & Cousot (1977) Abstract Interpretation is heavily used in industrial large-scale program analysis to compute over-approximation of program behaviors 3 Provide ◮ abstract domain D of abstract points d ◮ concretization function γ : D → P ( R n ) ◮ concrete function f : R n → R n Develop a sound 4 abstract transformer f # : D → D 3 For example by Astr´ ee: Blanchet et al. (2003) 4 f [ γ ( d )] ⊆ γ ( f # ( d )) where f [ s ] is the image of s under f 8 / 27

  14. Abstract Interpretation Cousot & Cousot (1977) Abstract Interpretation is heavily used in industrial large-scale program analysis to compute over-approximation of program behaviors 3 Provide ◮ abstract domain D of abstract points d ◮ concretization function γ : D → P ( R n ) ◮ concrete function f : R n → R n Develop a sound 4 abstract transformer f # : D → D ◮ ReLU : R n → R n becomes ReLU # : D → D 3 For example by Astr´ ee: Blanchet et al. (2003) 4 f [ γ ( d )] ⊆ γ ( f # ( d )) where f [ s ] is the image of s under f 8 / 27

  15. Abstract Optimization Goal Given ◮ mx( d ): a way to compute upper bounds for γ ( d ). ◮ ball( x ) ∈ D : a ball abstraction s.t. Ball ǫ ( x ) ⊆ γ (ball( x )) ◮ Loss t : an abstractable traditional loss function for classification target t Err t , Net ( x )= Loss t ◦ Net( x ) classical error t ◦ Net # ◦ ball( x ) AbsErr t , Net ( x )= mx ◦ Loss # abstract error Concrete P ( R n ) P ( R n ) P ( R n ) Err t , Net Net Loss t Ball ǫ ⊆ ⊆ ⊆ P ( R n ) P ( R n ) P ( R n ) x � γ γ γ ball ǫ Loss # Net # t AbsErr t , Net D D D mx Abstract 9 / 27

  16. Using Abstract Goal Theorem Err t , Net ( y ) � AbsErr t , Net ( x ) for all points y ∈ Ball ǫ ( x ) Concrete P ( R n ) P ( R n ) P ( R n ) Err t , Net Net Loss t Ball ǫ ⊆ ⊆ ⊆ P ( R n ) P ( R n ) P ( R n ) x � γ γ γ ball ǫ Loss # Net # t AbsErr t , Net D D D mx Abstract 10 / 27

  17. Abstract Domains ◮ Many abstract domains D with different speed/accuracy tradeoffs ◮ Transformers must be parallelizable, and work well with SGD 11 / 27

  18. Abstract Domains ◮ Many abstract domains D with different speed/accuracy tradeoffs ◮ Transformers must be parallelizable, and work well with SGD y z x Box Domain ◮ p dimension axis-aligned boxes ◮ Ball ǫ : perfect ◮ ( · M ) # : uses abs ◮ ReLU # : 6 linear operations, 2 ReLUs 11 / 27

  19. Abstract Domains ◮ Many abstract domains D with different speed/accuracy tradeoffs ◮ Transformers must be parallelizable, and work well with SGD y y z x z Zonotope Domain x Box Domain ◮ Affine transform of k -cube onto p dims ◮ p dimension axis-aligned boxes ◮ k increases with non-linear transformers ◮ Ball ǫ : perfect ◮ Ball ǫ : perfect ◮ ( · M ) # : uses abs ◮ ( · M ) # : perfect ◮ ReLU # : 6 linear operations, 2 ReLUs ◮ ReLU # : zBox, zDiag, zSwitch, zSmooth, ◮ Hybrid: hSwitch, hSmooth 11 / 27

  20. Implementation DiffAI Framework ◮ Can be found at: safeai.ethz.ch ◮ Implemented in PyTorch 5 ◮ Tested with modern GPUs 5 Paszke et al. (2017) 12 / 27

  21. Scalability CIFAR10 Train 1 Epoch (s) Test 2k Pts (s) Attack 6 Model #Neurons #Weights Base Box Box hSwitch ConvSuper 7 ∼ 124k ∼ 16mill 23 149 74 0.09 40 ◮ Can use a less precise domain for training than for certification ◮ Can test/train Resnet18 8 : 2k points tested on ∼ 500k neurons in ∼ 1s with Box ◮ tldr: can test and train with larger nets than prior work 6 5 iterations of PGD Madry et al. (2018) for both training and testing 7 ConvSuper: 5 layers deep, no Maxpool. 8 like that described by He et al. (2016) but without pooling or dropout. 13 / 27

  22. Robustness Provability MNIST with ǫ = 0 . 1 on ConvSuper Training Method %Correct %Attack Success %hSwitch Certified Baseline 98.4 2.4 2.8 Madry et al. (2018) 98.8 1.6 11.2 Box 99.0 2.8 96.4 ◮ Usually loses only small amount of accuracy (sometimes gains) ◮ Significantly increases provability 9 9 Much more thorough evaluation in appendix of Mirman et al. (2018). 14 / 27

  23. hSmooth Training FashionMNIST with ǫ = 0 . 1 on FFNN Method Train Total (s) %Correct %zSwitch Certified Baseline 119 94.6 0 Box 608 8.6 0 hSmooth 4316 84.4 21.0 ◮ Training unexpectedly fails with Box (very rare) ◮ Training slow but reliable with hSmooth 15 / 27

  24. Conclusion First application of automatic differentiation to abstract interpretation (that we know of) Trained and verified the largest verifiable neural networks to date A way to train networks on regions, not just points 10 10 Further examples of this use-case in paper 16 / 27

  25. Bibliography I Athalye, A. and Sutskever, I. Synthesizing robust adversarial examples. arXiv preprint arXiv:1707.07397 , 2017. Blanchet, B., Cousot, P., Cousot, R., Feret, J., Mauborgne, L., Min ´ e, A., Monniaux, D., and Rival, X. A static analyzer for large safety-critical software. In Programming Language Design and Implementation (PLDI) , 2003. Carlini, N. and Wagner, D. A. Adversarial examples are not easily detected: Bypassing ten detection methods. CoRR , abs/1705.07263, 2017. URL http://arxiv.org/abs/1705.07263 . Cisse, M., Bojanowski, P., Grave, E., Dauphin, Y., and Usunier, N. Parseval networks: Improving robustness to adversarial examples. In International Conference on Machine Learning , pp. 854–863, 2017. Cousot, P. and Cousot, R. Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints. In Symposium on Principles of Programming Languages (POPL) , 1977. 17 / 27

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Abstract interpretation based Analysis [FPCA 95], Predicate Abstraction [Mannas festschrift

Abstract interpretation based Analysis [FPCA 95], Predicate Abstraction [Mannas festschrift

Abstract interpretation The Verification Grand Challenge - Abstract interpretation is a mathematical theory of - - and Abstract Interpretation sound approximation of properties of formal sys- tems (including program specifications, semantics,

422 views • 10 slides
Correctness of Abstract Interpretation Deepak Dsouza and K. V. Raghavan Summary: What is an

Correctness of Abstract Interpretation Deepak Dsouza and K. V. Raghavan Summary: What is an

Correctness of Abstract Interpretation Deepak Dsouza and K. V. Raghavan Summary: What is an abstract interpretation (AI)? Given: A complete join semi-lattice D . This is the abstract semantic domain. A monotonic

297 views • 25 slides
Abstract Interpretation Harry Xu CS 253/INF 212 Spring 2013 Acknowledgements Many slides in

Abstract Interpretation Harry Xu CS 253/INF 212 Spring 2013 Acknowledgements Many slides in

Abstract Interpretation Harry Xu CS 253/INF 212 Spring 2013 Acknowledgements Many slides in this file were taken from the tutorial slides that Patrick Cousot used in VMCAI05 Abstract Interpretation A theory of sound approximation of

946 views • 92 slides
Ariane 5.01 failure Patriot failure Mars orbiter loss (overflow) (float rounding) (unit error)

Ariane 5.01 failure Patriot failure Mars orbiter loss (overflow) (float rounding) (unit error)

Motivation (1 mn) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 Abstract interpretation, reminder (10 mn) . . . . . . . . . . . . . . . . . . 6 Applications of abstract interpretation (2 mn) . . . . . . . . .

876 views • 16 slides
Abstract Interpretation III Semantics and Application to Program Verification Antoine Min e

Abstract Interpretation III Semantics and Application to Program Verification Antoine Min e

Abstract Interpretation III Semantics and Application to Program Verification Antoine Min e Ecole normale sup erieure, Paris year 20152016 Course 12 20 May 2016 Course 12 Abstract Interpretation III Antoine Min e p. 1 / 60

706 views • 67 slides
A Reconstruction of a Types-and-Effects Analysis by Abstract Interpretation Letterio Galletta

A Reconstruction of a Types-and-Effects Analysis by Abstract Interpretation Letterio Galletta

A Reconstruction of a Types-and-Effects Analysis by Abstract Interpretation Letterio Galletta Dipartimento di Informatica - Universit di Pisa 19/09/2012 - ITCTCS 2012 Outline 1 Type and Effect Systems 2 Abstract Interpretation 3

762 views • 24 slides
Tracing Compilation by Abstract Interpretation S. Dissegna, F. Logozzo, F. Ranzato Thophile

Tracing Compilation by Abstract Interpretation S. Dissegna, F. Logozzo, F. Ranzato Thophile

Just-In-Time compilation Study setup Abstract interpretation Correctness proof Tracing Compilation by Abstract Interpretation S. Dissegna, F. Logozzo, F. Ranzato Thophile Bastian March 7, 2018 Slides: https://tiny.tobast.fr/m2-absint-slides

445 views • 16 slides
30 Years of Abstract Interpretation Thomas Jaudon Ball Microsoft Research [This is the text of a

30 Years of Abstract Interpretation Thomas Jaudon Ball Microsoft Research [This is the text of a

30 Years of Abstract Interpretation Thomas Jaudon Ball Microsoft Research [This is the text of a 20 minute talk I gave at the 30 Years of Abstract Interpretation Workshop in San Francisco, California, USA on January 9, 2008. The subsections

196 views • 9 slides
Logical Abstract Interpretation Sumit Gulwani Microsoft Research, Redmond Final Goal of the

Logical Abstract Interpretation Sumit Gulwani Microsoft Research, Redmond Final Goal of the

Logical Abstract Interpretation Sumit Gulwani Microsoft Research, Redmond Final Goal of the class Automatically verify partial correctness of programs like the following using abstract interpretation. Void Init(int* A, int n) { for (i := 0;

908 views • 62 slides
Static Program Analysis Foundations of Abstract Interpretation Sebastian Hack, Christian Hammer,

Static Program Analysis Foundations of Abstract Interpretation Sebastian Hack, Christian Hammer,

Static Program Analysis Foundations of Abstract Interpretation Sebastian Hack, Christian Hammer, Jan Reineke Advanced Lecture, Winter 2014/15 Abstract Interpretation Semantics-based approach to program analysis Framework to develop

487 views • 33 slides
Outline Static Analysis: Overview, Syntactic Analysis and Abstract Interpretation Overview

Outline Static Analysis: Overview, Syntactic Analysis and Abstract Interpretation Overview

Outline Static Analysis: Overview, Syntactic Analysis and Abstract Interpretation Overview TDDC90: Software Security Syntactic Analysis Ahmed Rezine Abstract Interpretation IDA, Linkpings Universitet Hsttermin 2014 Static Program

75 views • 7 slides
Constraints in Abstract Model Checking Direct implementation of an abstract interpretation John

Constraints in Abstract Model Checking Direct implementation of an abstract interpretation John

Constraints in Abstract Model Checking Direct implementation of an abstract interpretation John Gallagher 12 1 Roskilde University 2 IMDEA Software Institute, Madrid CP meets CAV Turun, Turkey John Gallagher Constraints in Abstract Model

375 views • 16 slides
Basic Concepts of Abstract Interpretation Patrick Cousot cole normale suprieure 45

Basic Concepts of Abstract Interpretation Patrick Cousot cole normale suprieure 45

Basic Concepts of Abstract Interpretation Patrick Cousot cole normale suprieure 45 rue dUlm 75230 Paris cedex 05, France Patrick.Cousot@ens.fr www.di.ens.fr/~cousot IFIP WCC Topical day on Abstract Interpretation P.

1.95k views • 183 slides
Abstract Interpretation + Impure Catalysts Our Sparrow Experience YI Jhee, MS Jin, YB Jung, DH

Abstract Interpretation + Impure Catalysts Our Sparrow Experience YI Jhee, MS Jin, YB Jung, DH

Abstract Interpretation + Impure Catalysts Our Sparrow Experience YI Jhee, MS Jin, YB Jung, DH Kim, SH Kong, HJ Lee, HJ Oh, DJ Park, Kwangkeun Yi Programming Research Laboratory Seoul National University Korea 30 Years of Abstract

920 views • 37 slides
A proof - theoretic approach to abstract interpretation Apostolos Tzimoulis joint work with

A proof - theoretic approach to abstract interpretation Apostolos Tzimoulis joint work with

A proof - theoretic approach to abstract interpretation Apostolos Tzimoulis joint work with Vijay DSilva, Alessandra Palmigiano and Caterina Urban (with images from Patrick Cousot) TACL 2017 - Prague A bstract interpretation A bstract

341 views • 14 slides
Evaluation of the Implementation of an Abstract Interpretation Algorithm using Tabled CLP n

Evaluation of the Implementation of an Abstract Interpretation Algorithm using Tabled CLP n

ICLP19 Las Cruces, September 22, 2019 Evaluation of the Implementation of an Abstract Interpretation Algorithm using Tabled CLP n Arias 1 , 2 Manuel Carro 1 , 2 Joaqu 1 IMDEA Software Institute, 2 Universidad Polit ecnica de Madrid

468 views • 42 slides
Distributed Denial of Service Attacks & Defenses Guest Lecture by: Vamsi Kambhampati Fall

Distributed Denial of Service Attacks & Defenses Guest Lecture by: Vamsi Kambhampati Fall

Distributed Denial of Service Attacks & Defenses Guest Lecture by: Vamsi Kambhampati Fall 2011 Distributed Denial of Service (DDoS) Exhaust resources of a target, or the resources it depends on Resources: CPU, Memory, Bandwidth

427 views • 23 slides
On the Feasibility of Rerouting-based DDoS Defenses Muoi Tran , Min Suk Kang, Hsu-Chun Hsiao,

On the Feasibility of Rerouting-based DDoS Defenses Muoi Tran , Min Suk Kang, Hsu-Chun Hsiao,

On the Feasibility of Rerouting-based DDoS Defenses Muoi Tran , Min Suk Kang, Hsu-Chun Hsiao, Wei-Hsuan Chiang, Shu-Po Tung, Yu-Su Wang May 2019 | San Francisco, CA Transit-link DDoS attack: a powerful type of volumetric DDoS attack

438 views • 25 slides
Fragmentation Considered Vulnerable Yossi Gilad & Amir Herzberg Computer Science Department,

Fragmentation Considered Vulnerable Yossi Gilad & Amir Herzberg Computer Science Department,

Fragmentation Considered Vulnerable Yossi Gilad & Amir Herzberg Computer Science Department, Bar Ilan University Overview IP fragmentation recap `Easy case fragment miss -association attacks Fragmentation attacks in tunnels

238 views • 23 slides
Poseidon: Mitigating Volumetric DDoS Attacks with Programmable Switches Menghao Zhang 1 , Guanyu

Poseidon: Mitigating Volumetric DDoS Attacks with Programmable Switches Menghao Zhang 1 , Guanyu

Poseidon: Mitigating Volumetric DDoS Attacks with Programmable Switches Menghao Zhang 1 , Guanyu Li 1 , Shicheng Wang 1 , Chang Liu 1 , Ang Chen 2 , Hongxin Hu 3 , Guofei Gu 4 , Qi Li 1 , Mingwei Xu 1 , Jianping Wu 1 1 4 2 3 DDoS Attacks are

480 views • 23 slides
15-780 Graduate Artificial Intelligence: Adversarial attacks and provable defenses J. Zico

15-780 Graduate Artificial Intelligence: Adversarial attacks and provable defenses J. Zico

15-780 Graduate Artificial Intelligence: Adversarial attacks and provable defenses J. Zico Kolter (this lecture) and Ariel Procaccia Carnegie Mellon University Spring 2018 Portions base upon joint work with Eric Wong 1 Outline Adverarial

710 views • 39 slides
Adversarial Machine Learning (AML) Somesh Jha University of Wisconsin, Madison Thanks to

Adversarial Machine Learning (AML) Somesh Jha University of Wisconsin, Madison Thanks to

Adversarial Machine Learning (AML) Somesh Jha University of Wisconsin, Madison Thanks to Nicolas Papernot, Ian Goodfellow, and Jerry Zhu for some slides . Machine learning brings social disruption at scale Healthcare Energy Source: Peng and

821 views • 71 slides
The Federal Payroll Tax Case (Focus on Trust-Fund Recovery Penalty) S T E P H E N P . K A U F F

The Federal Payroll Tax Case (Focus on Trust-Fund Recovery Penalty) S T E P H E N P . K A U F F

The Federal Payroll Tax Case (Focus on Trust-Fund Recovery Penalty) S T E P H E N P . K A U F F M A N E S Q . S K E E N & K A U F F M A N 9 11 N . CH A R L E S S T . B A L T I M O R E , M D 2 12 0 1 S K A U F F M A N @ S K A U F F

527 views • 34 slides
Defending against malicious peripherals with Cinch Presented by Avesta Hojjati CS598 Computer

Defending against malicious peripherals with Cinch Presented by Avesta Hojjati CS598 Computer

Defending against malicious peripherals with Cinch Presented by Avesta Hojjati CS598 Computer Security in the Physical World University of Illinois Based on slides by Sebastian Angel Citation S. Angel,R. Wahby, M. Howald, J. Leners, M.

650 views • 43 slides

More recommend