research-article
Open access

Verification of Neural Networks’ Global Robustness

Published: 29 April 2024

Abstract

Neural networks are successful in various applications but are also susceptible to adversarial attacks. To show the safety of network classifiers, many verifiers have been introduced to reason about the local robustness of a given input to a given perturbation. While successful, local robustness cannot generalize to unseen inputs. Several works analyze global robustness properties; however, none can provide a precise guarantee about the cases where a network classifier does not change its classification. In this work, we propose a new global robustness property for classifiers aiming at finding the minimal globally robust bound, which naturally extends the popular local robustness property for classifiers. We introduce VHAGaR, an anytime verifier for computing this bound. VHAGaR relies on three main ideas: encoding the problem as a mixed-integer program, pruning the search space by identifying dependencies stemming from the perturbation or the network's computation, and generalizing adversarial attacks to unknown inputs. We evaluate VHAGaR on several datasets and classifiers and show that, given a three-hour timeout, the average gap between the lower and upper bound on the minimal globally robust bound computed by VHAGaR is 1.9, while the gap of an existing global robustness verifier is 154.7. Moreover, VHAGaR is 130.6x faster than this verifier. Our results further indicate that leveraging dependencies and adversarial attacks makes VHAGaR 78.6x faster.

Published In

Proceedings of the ACM on Programming Languages  Volume 8, Issue OOPSLA1
April 2024
1492 pages
EISSN:2475-1421
DOI:10.1145/3554316
This work is licensed under a Creative Commons Attribution International 4.0 License.

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. Constrained Optimization
  2. Global Robustness
  3. Neural Network Verification

Qualifiers

  • Research-article

Funding Sources

  • Israel Science Foundation
