Safety Assurance in Cyber-Physical Systems built with Learning-Enabled Components (LECs)
December 12, 2018
Taylor T. Johnson
taylor.johnson@vanderbilt.edu
VeriVITAL - The Verification and Validation for Intelligent and T
Communication Networks Interfaces
Sensors
Actuators
Physical Environment, Plant, Humans, …
Cyber Components /Software/ Controller
All of the examples are safety-critical CPS! Can we bet our lives on autonomous CPS designs?
https://www.youtube.com/watch?v=bsKbGc9TUHc
$A$ satisfies $P$ and give proof, or $A$ violates $P$ and why (bug)
explosion ("curse of dimensionality") & undecidability
$A$: networked software interacting with physical world: cyber-physical systems (CPS)
$P$: Safety: something bad never happens. Stability: reach good state eventually and stay there. Assurance: safety, stability, liveness, mission specs, other functional & non-functional specs (security, performance, …) …
$A \models P$?
$A$, $P$. Yes: proof. No: bug
is hard for humans to reason about the encoding
because it is more difficult to develop confidence that the model is operating as intended
statistical processes known
algorithms and may converge to local minima
input that cannot be discovered at design time): whole field of adversarial machine learning
difficult to specify (typically based on examples)
[ https://www.labsix.org ]
vehicles-may-cost-lives.html
total
autonomous vehicles
• Plant models: hybrid automata, or networks thereof,
• LEC and cyber models: for now, neural networks,
• Specifications: primarily safety properties for now, some
• Verification: composed LEC and plant analysis
Communication Networks Interfaces
Sensors
Actuators
Physical Environment, Plant, Humans, …
Cyber Components /Software/ Controller(s) /LECs
HyST nnv + nnmt
• [Bak, Bogomolov, and Johnson, HSCC 2015]
• http://verivital.com/hyst/
• https://github.com/verivital/hyst
Plant Model Translation and Transformation (HyST Software Tool)
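[Figure: HyST tool flow. Labels: SpaceEx XML Hybrid Automaton Network ($A$, $P$); translated models $A_S$, $A_F$, $A_D$, $A_H$, $A_{SF}$, $A_O$; SpaceEx, Flow*, dReach, HyComp, SLSF, New algorithms; Model Check $A \models P$?; Reachable States, Traces, $A \models P$?]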
• Preliminary software tool now available
  • Matlab toolbox for verification of neural networks
  • Available at: https://github.com/verivital/nnv
• Additionally, translators for common neural network formats, as well as to several
Sherlock, …) in our NNMT tool
  • Available at: https://github.com/verivital/nnmt
• Current support:
  • Feedforward neural networks with ReLUs, tanh, and other monotonic activation functions
  • Closed-loop systems with LECs
• Method: reachability analysis-based verification
• Dependencies: Matlab MPT toolbox (https://www.mpt3.org/)
LEC Example: Reachable set reaches unsafe region ($y_1 \geq 5$), the FFNN is unsafe
[Figure label: Unsafe region]
• Given a feedforward neural network F and an input set $\mathcal{X}$,
Input Set Output Set
Layer-by-Layer Propagation
Property P
Input Set, Output Set, Property P, Neural network system A
Verification problem: Will neural network system A satisfy or violate P?
For single neuron: $y_j = f\left(\sum_{i=1}^{n} \omega_i x_i + \theta_i\right) = \max\left(0, \sum_{i=1}^{n} \omega_i x_i + \theta_i\right)$
For single layer: $y = \max(0, Wx + \theta)$
$f(x) = \max(0, x)$
Input set:
Union of polytopes Theorem: For ReLU neural networks, if input set is a union of polytopes, then
polytopes. Union of polytopes
We can compute layer-by-layer.
Input set: 3 inputs, 2 outputs, 7 hidden layers of 7 neurons each. Output reachable set: union of 1250 polytopes 8000 randomly generated outputs
Output Set Input Set
Neural Network
Interval-Based Computation Procedure:
Output Set Input Set
Uniform Partition
(Length of sub-interval is small)
(Huge number of sub-intervals)
Specification-Guided Partition
unnecessary computation)
specification
Neural Network
Method        Intervals   Verification Time (s)
Uniform       111556      294.37
Spec-Guided   4095        21.45
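An added example (not from the slides or from the nnv tool) of the interval-based procedure: layer-by-layer interval propagation through a ReLU network, with uniform versus specification-guided partitioning of the input set. The network `NET`, the thresholds and all function names are constructed for illustration; the unsafe region has the form y1 ≥ c, as in the LEC example earlier in the deck.

```python
# Added example, not from the slides or nnv: interval reachability for a ReLU net.
from itertools import product

# Constructed sample network: 1 input, 2 hidden ReLU neurons, 1 output.
# It computes y = relu(x) - 2*relu(x - 0.5), whose true maximum on [0, 1] is 0.5.
NET = [([[1.0], [1.0]], [0.0, -0.5]), ([[1.0, -2.0]], [0.0])]

def affine(box, W, b):
    """Exact interval image of Wx + b over a box [(lo, hi), ...]."""
    return [(bias + sum(w * (l if w >= 0 else h) for w, (l, h) in zip(row, box)),
             bias + sum(w * (h if w >= 0 else l) for w, (l, h) in zip(row, box)))
            for row, bias in zip(W, b)]

def reach(net, box):
    """Layer-by-layer over-approximation of the output set (ReLU on hidden layers)."""
    for i, (W, b) in enumerate(net):
        box = affine(box, W, b)
        if i < len(net) - 1:
            box = [(max(0.0, l), max(0.0, h)) for l, h in box]
    return box

def spec_guided(net, box, unsafe, tol=1 / 64):
    """Bisect only boxes whose output bound straddles the unsafe region y1 >= unsafe.
    Returns (verdict, number_of_leaf_boxes)."""
    lo, hi = reach(net, box)[0]
    if hi < unsafe:
        return "safe", 1        # over-approximation stays clear of the unsafe region
    if lo >= unsafe:
        return "unsafe", 1      # every output of this box is in the unsafe region
    k = max(range(len(box)), key=lambda i: box[i][1] - box[i][0])  # widest input
    l, h = box[k]
    if h - l < tol:
        return "unknown", 1     # bound still straddles, box too small to split
    parts = [spec_guided(net, box[:k] + [p] + box[k + 1:], unsafe, tol)
             for p in ((l, (l + h) / 2), ((l + h) / 2, h))]
    verdicts = [v for v, _ in parts]
    verdict = next((v for v in ("unsafe", "unknown") if v in verdicts), "safe")
    return verdict, sum(n for _, n in parts)

def uniform(net, box, unsafe, n):
    """Split every input dimension into n equal cells; safe only if every cell is."""
    axes = [[(l + i * (h - l) / n, l + (i + 1) * (h - l) / n) for i in range(n)]
            for l, h in box]
    cells = list(product(*axes))
    ok = all(reach(net, list(c))[0][1] < unsafe for c in cells)
    return ("safe" if ok else "unknown"), len(cells)

if __name__ == "__main__":
    print(spec_guided(NET, [(0.0, 1.0)], 0.6), uniform(NET, [(0.0, 1.0)], 0.6, 16))
```

On this sample the specification-guided search refines only near x = 0.5, where the interval bound is closest to the unsafe threshold, so it needs fewer boxes than the uniform grid that proves the same property.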
Random neural network
Specification-Guided Partition
Uniform partition
Specification-guided Robotic Arm Example
• Standard LEC representations (ONNX) & integration with standard learning frameworks
• Challenges: specification & assumption modeling, analysis parameters
[Figure: LEC Translation & Transformation (NNMT Software Tool), https://github.com/verivital/nnmt. Labels: PyTorch, Keras, Caffe2, Tensorflow, Matlab, …; ONNX Converter (.onnx); ONNX (.onnx); Sherlock (.txt); Reluplex (.nnet); nnv (.mat / onnx)]
• Alternate iterations of reachability analysis for:
  • nnv: Machine learning-based / neural network controllers
  • HyST: Plant (and environment, noise, etc.) models
Compute reachable set for closed-loop system
Iterative from time 0 to k-1
State Space
Execution: starting from an initial state, sequence of states visited by transitions (discrete evolution) and trajectories (continuous evolution)
Reachable State: state $\mathbf{x}$ such that finite execution ends in $\mathbf{x}$
Set of Reachable States: $\mathrm{Reach}_A$
Invariant: (safety) property $P$ that holds over all executions of $A$: $\mathrm{Reach}_A \subseteq P$
π β π
1 β¨ π 2 β¨ β― β¨ ππ discrete transitions
β¨ ΰΈ π·
continuous trajectories
Adaptive Cruise Control System:
• Specification: $D_r(t) \geq \frac{D_{safe}(t)}{2}$, where $D_{safe}(t) = D_{default} + T_{gap} \times V_{ego}(t)$, $D_r(t)$ is the relative distance, $D_{default}$ is the standstill default spacing, $T_{gap}$ is time gap between the vehicles, $V_{ego}(t)$ is velocity of the ego car
• Plant model: 4 state variables, linear or nonlinear dynamics
• LEC: feedforward ReLU network with 5 layers and 50 neurons
• Bounded model checking: k = 40 steps
• Runtimes: 1-2 minutes on modern laptop, scales linearly in number of steps k
Nonlinear: red unsafe set and blue reachable set
FNN | Range & CSV | Exact | Approximate | Approximate & Partition | Mixing | Sherlock
Abalone (i = 8, o = 1, l = 2, n = 16) | Range | [2.18, 9.07] | [2.18, 9.07] | [2.18, 9.07] | [2.18, 9.07] | [0, 0]
Abalone | CSV | 0% | 0% | 0% | 0% | UN
Pollution (i = 24, o = 3, l = 3, n = 16) | Range | [122.78, 206.68] [2.83, 13.91] [65.2, 116.51] | [0, 236.41] [0, 18.04] [0, 138.5] | [86.43, 222.4] [0, 16.13] [41.29, 128.22] | [122.69, 212.16] [2.81, 14.73] [65.11, 120.7] | [122.78, 206.68] [2.83, 13.91] [65.2, 116.51]
Pollution | CSV | [0%] [0%] [0%] | [146.4%] - OA [37.34.9%] - OA [127%] - OA | [43.337%] - OA [25.54%] - OA [46.6056%] - OA | [6.536%] - OA [7.426%] - OA [8.14%] - OA | [0%] [0%] [0%]
Sherlock N0 (i = 2, o = 1, l = 1, n = 100) | Range | [2.31, 8.79] | [0, 15.46] | [1.82, 9.07] | [0, 9.65] | [8.43, 10.75]
Sherlock N0 | CSV | 0% | 102.93% - OA | 7.55% - OA | 35.63% - OA | UN
Sherlock N4 (i = 2, o = 1, l = 1, n = 1000) | Range | ≈ [8.94, 128.33] | [0, 399.66] | [0, 147.19] | Timeout | [12.24, 30.62]
Sherlock N4 | CSV | ≈ 0% | ≈ 227.27% - OA | ≈ 15.79% - OA | |
i is the number of inputs, o is the number of outputs, l is the number of layers and n is the total number of neurons. OA: over-approximation, UN: neither an over-approximation nor an under-approximation.
FNN | Cores | Exact T(sec) | Exact R(%) | Exact Output | Approximate T(sec) | Approximate R(%) | Approximate Output | Mixing T(sec) | Mixing R(%) | Mixing Output
MNIST 1 (i = 784, o = 1, l = 6, n = 141) | 1 | 243.57 | | [0.91, 0.96] | 0.0051 | | [0, 10.22] | 163.01 | | [0, 2.31]
MNIST 1 | 2 | 153.33 | 37.05 | | | | | 118.74 | 27.16 |
MNIST 1 | 4 | 142.07 | 41.67 | | | | | 114.34 | 29.9 |
MNIST 2 (i = 784, o = 1, l = 5, n = 250) | 1 | 684.6 | | [0.99, 0.993] | 0.0062 | | [0, 5.37] | 72.73 | | [0.62, 1.43]
MNIST 2 | 2 | 328.5 | 52.02 | | | | | 51.23 | 29.55 |
MNIST 2 | 4 | 222.8 | 67.47 | | | | | 45.13 | 37.95 |
MNIST 3 (i = 784, o = 1, l = 2, n = 1000) | 1 | Timeout | | | 0.0486 | | [0.8, 1.26] | Timeout | |
MNIST 3 | 2 | | | | | | | | |
i is the number of inputs, o is the number of outputs, l is the number of layers and n is the total number of neurons. T is the reachable set computation time, R is the time reduction and Output is the output reachable set.
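Property | FNN | Safety | Exact scheme RT(sec) | Exact scheme ST(sec) | Exact scheme VT(sec) | Reluplex VT(sec)
$\phi_3$ | $N_{2-4}$ | safe | 4635.7 | 2.17 | 4637.9 | 40
$\phi_3$ | $N_{2-9}$ | safe | 2135.5 | 2.74 | 2138.3 | 26
$\phi_3$ | $N_{5-9}$ | safe | 1036 | 0.64 | 1036.7 | 19
$\phi_4$ | $N_{2-9}$ | safe | 248.8 | 0.25 | 249.1 | 61
$\phi_4$ | $N_{3-8}$ | safe | 3281.47 | 1.91 | 3283.4 | 55
$\phi_4$ | $N_{5-7}$ | safe | 522.04 | 0.73 | 522.8 | 42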
Output reachable set for property $\phi_4$ on ACAS XU $N_{2-9}$
ACAS XU Networks
neurons per layer (total 300 neurons) Collision avoidance using ACAS XU networks
RT is the reach set computation time, ST is the safety checking time and VT is the total verification time.
Assumption: For any $x_1 \le x_2$, the activation function satisfies $f(x_1) \le f(x_2)$.
$\varepsilon$ is called the maximal sensitivity to $\delta$.
[Figure: input set over-approximation ($x$, $\delta$) and output set over-approximation ($y$, $\varepsilon$); labels: $\delta$, 0.5, 0.5]
Input set
Red points: 10000 random outputs. All are located in estimated reachable set.
Discretize input space by $\delta = 0.05$
Discretize input space by $\delta = 0.02$
Computational time:
Use cvx: ~20 min
Use linprog: ~30 sec
Pre-generate solution expression: ~0.12 sec!
How fast? Random 676 inputs, ~0.08 sec.
Computation cost mainly comes from the number of simulations.
Ship Motion control LEC Perception LEC
position and size speed, direction position, velocity Environment radar measurements wind measurements disturbances
• What is the effect of architecture on assurance of LECs?
• Decomposition may allow easier comprehension and the use of compositional techniques
• Training data required for end-to-end may be significantly higher
Ship Motion control LEC Perception LEC
position and size speed, direction position, velocity Environment radar measurements wind measurements disturbances Ship End-to-end LEC speed, direction position, velocity Environment radar measurements wind measurements disturbances
• “Verification for Machine Learning, Autonomy, and Neural Networks Survey”
• Surveys most work on ML verification, including some control theory/intelligent control (guaranteeing stability while training), safe RL, and software tools
• Weiming Xiang, Patrick Musau, Ayana Wild, Diego Manzanas Lopez, Xiaodong Yang, Joel Rosenfeld, and Taylor T. Johnson
• Draft available, open to collaborations, suggestions/missing refs, and we plan a survey/magazine paper submission, please feel free to get in touch, taylor.johnson@Vanderbilt.edu
• https://www.overleaf.com/read/nxdtyhzhypjz
• https://arxiv.org/abs/1810.01989
• QR code links to overleaf draft
Tool Name | Reference | Approach
Never | [Pulina and Tacchella, 2011] | SMT (HySAT)
NNAF | [Bastani et al., 2016] | LP
DLV | [Huang et al., 2016] | SMT (Z3), CEGAR
Reluplex | [Katz et al., 2017] | SMT (custom), LP (GLPK)
Reverify | [Lomuscio and Maganti, 2017] | LP (Gurobi)
Planet | [Ehlers, 2017] | LP (GLPK), SAT (Minisat)
PLNN | [Bunel et al., 2017] | LP (Gurobi); Branch & bound
Sherlock | [Dutta et al., 2017] | LP (Gurobi); Local search
DiffAI / AI2 | [Gehr et al., 2018] | Abstract interpretation
nnv+nnmt (http://github.com/verivital/nnv, http://github.com/verivital/nnmt) | [Xiang, …, J, 2017-2018] | LP (Matlab); Maximal sensitivity (non-linear activations); Reachability
• Alternate computations on neural network controller & plant
• How to scale for systems where a single iteration is insufficient due to nondeterministic branching, e.g., path planning?
• How much uncertainty to incorporate in plant & LEC analysis?
• How to scale for deep neural networks (DNNs)?
• State-of-the-art (all methods): ~10k neurons, various assumptions on numbers of layers, numbers in input/output layers, etc. (See survey paper)
• Some ideas: abstractions based on feature extraction, performing analysis in the feature space
• Standard representations for LECs: highly recommend ONNX for NNs, need to formulate plans in the AA program for apples-to-apples comparisons of verification methods
• Other LECs / machine learning components
• Runtime monitoring, verification, and assurance
• Environment monitoring, checking if uncertainty assumptions valid
• Real-time computation and real-time reachability
Bibliographical Survey”
theory/intelligent control (guaranteeing stability while training), safe RL, and software tools
Manzanas Lopez, Ran Hao, Xiaodong Yang, and Taylor T. Johnson
we plan a survey/magazine paper submission, please feel free to get in touch, taylor.johnson@Vanderbilt.edu
in cyber-physical systems (CPS)? Are new specification languages, such as hyperproperties and signal temporal logic (STL) expressive enough?
components, such as perception versus planning/decision making/control?
to assure autonomy?
consider alternative paradigms, such as guaranteed training methods that produce robust LECs?
Thank You! Questions?
• VU EECS: Hoang-Dung Tran (PhD), Nate Hamilton (PhD), Ayana Wild (PhD), Patrick Musau (PhD), Xiaodong Yang (PhD), Ran Hao (PhD), Tianshu Bao (PhD), Diego Manzanas (PhD), Yuanqi Xie (PhD), Weiming Xiang (Postdoc), Joel Rosenfeld (Postdoc)
• UTA CSE: Luan Viet Nguyen (PhD), Shafiul Chowdhury (PhD)
• UTA Alumni: Omar Beg (PhD), Nathan Hervey (MS), Ruoshi Zhang (MS), Shweta Hardas (MS), Randy Long (MS), Rahul (MS), Amol (MS)
• UTA: Ali Davoudi, Christoph Csallner, Matt Wright, Steve Mattingly, Colleen Casey
• Illinois: Sayan Mitra, Marco Caccamo, Lui Sha, Amy LaViers
• AFRL: Stanley Bak and Steven Drager
• Toyota: Jim Kapinski, Xiaoqing Jin, Jyo Deshmukh, Ken Butts, Issac Ito
• Waterloo: Sebastian Fischmeister
• Toronto: Andreas Veneris
• ANU: Sergiy Bogomolov
• UTSW: Ian White, Victor Salinas, Rama Ranganathan
Taylor T. Johnson http://www.TaylorTJohnson.com http://www.verivital.com Taylor.Johnson@vanderbilt.edu
n n
$\forall x_i > 0$; $\forall x_i \le 0$; $x_i \ge 0,\ x_j \le 0$
Number of Cases:
Case 1: Input set of layer: $\forall x_i > 0$
Case 2: Input set of layer: $\forall x_i \le 0$
Case 3: Input set of layer: $x_i \ge 0,\ x_j \le 0$
Output set of layer: $x_j \le 0 \Rightarrow x_j = 0$
Estimation and Verification for Multi-Layer Neural Networks", In IEEE Transactions on Neural Networks and Learning Systems (TNNLS), 2018, March.
"Reachable Set Estimation and Verification for Neural Network Models of Nonlinear Dynamic Systems", In Unmanned System Technologies: Safe, Autonomous and Intelligent Vehicles, Springer, 2018, September.
Computation and Safety Verification for Neural Networks with ReLU Activations", In Submission, IEEE, 2018, September.
Set Estimation and Verification for a Class of Piecewise Linear Systems with Neural Network Controllers", In American Control Conference (ACC 2018), IEEE, 2018, June
Reachability for Verified Simplex Design", In ACM Transactions on Embedded Computing Systems (TECS), ACM, vol. 15, no. 2, New York, NY, USA, pp. 26:1–26:27, 2016, February.
Reachability for Verified Simplex Design", In 35th IEEE Real-Time Systems Symposium (RTSS 2014), IEEE Computer Society, Rome, Italy, 2014, December.
ARM, MIPS
control in StarL