Fastened CROWN: Tightened Neural Network Robustness Certificates

Zhaoyang, Lyu,; Ko, Ching-Yun; Kong, Zhifeng; Wong, Ngai; Lin, Dahua; Daniel, Luca

doi:10.1609/aaai.v34i04.5944

Cited by 38 publications

(47 citation statements)

References 8 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…These methods offer exactness guarantees but are based on solving NP-hard optimization problems, which can make them intractable even for small networks. Incomplete methods can be divided into bound propagation approaches [Gowal et al 2019;Müller et al 2020;Singh et al 2018Singh et al , 2019b] and those that generate polynomially-solvable optimization problems [Bunel et al 2020a;Dathathri et al 2020;Lyu et al 2020;Raghunathan et al 2018;Singh et al 2019a;Xiang et al 2018] such as linear programming (LP) or semidefinite programming (SDP) optimization problems. Compared to deterministic certification methods, randomized smoothing [Cohen et al 2019;Lecuyer et al 2018;Salman et al 2019a] is a defence method providing only probabilistic guarantees and incurring significant runtime costs at inference time, with the generalization to arbitrary safety properties still being an open problem.…”

Section: Effectiveness Of Sblm and Pddm For Convex Hull Computationsmentioning

confidence: 99%

PRIMA: general and precise neural network certification via scalable convex hull approximations

Niklas

Makarchuk

Singh

et al. 2022

Proc. ACM Program. Lang.

View full text Add to dashboard Cite

Formal verification of neural networks is critical for their safe adoption in real-world applications. However, designing a precise and scalable verifier which can handle different activation functions, realistic network architectures and relevant specifications remains an open and difficult challenge. In this paper, we take a major step forward in addressing this challenge and present a new verification framework, called PRIMA. PRIMA is both (i) general: it handles any non-linear activation function, and (ii) precise: it computes precise convex abstractions involving multiple neurons via novel convex hull approximation algorithms that leverage concepts from computational geometry. The algorithms have polynomial complexity, yield fewer constraints, and minimize precision loss. We evaluate the effectiveness of PRIMA on a variety of challenging tasks from prior work. Our results show that PRIMA is significantly more precise than the state-of-the-art, verifying robustness to input perturbations for up to 20%, 30%, and 34% more images than existing work on ReLU-, Sigmoid-, and Tanh-based networks, respectively. Further, PRIMA enables, for the first time, the precise verification of a realistic neural network for autonomous driving within a few minutes.

show abstract

Section: Effectiveness Of Sblm and Pddm For Convex Hull Computationsmentioning

confidence: 99%

PRIMA: general and precise neural network certification via scalable convex hull approximations

Niklas

Makarchuk

Singh

et al. 2022

Proc. ACM Program. Lang.

View full text Add to dashboard Cite

show abstract

“…While our optimal bounds significantly improve precision compared to intervals, they are not sufficient to certify robustness. Prior work for ReLU networks [5,12,23] showed that the greedy approach of always selecting the optimal bounds minimizing the gap can yield less precise results than an adaptive strategy which computes bounds guided by the certification problem. Based on this observation, we introduce a novel approach based on splitting and gradient descent that computes polyhedral abstractions for non-linearities employed in LSTMs informed by the certification problem and proves that min h 2 − h 1 > 0 actually holds.…”

Section: Precise Polyhedral Bounds Via Lpmentioning

confidence: 99%

“…Our method is also faster as it performs expensive gradient-based optimization for only the output layer whereas [21] performs this step for each neuron in the LSTM twice. [5,12,23] also suggest a similar idea of bounding ReLU's lower bound using gradient descent, but their approach is limited to unary functions with trivial candidates, not applicable to our setting which requires handling complex binary operations with non-trivial initial bounds.…”

Section: Precise Polyhedral Bounds Via Lpmentioning

confidence: 99%

“…Thus, verifying the robustness of recurrent architectures is critical for their safe deployment. While there has been considerable interest in certifying the robustness of feedforward image classifiers [4,12,13,23,32,37,39,47], less attention has been given to recurrent architectures. As a result, current certification solutions do not scale beyond simple models and datasets, which limits their practical applicability.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Scalable Polyhedral Verification of Recurrent Neural Networks

Ryou

Chen

Balunović

et al. 2021

Lecture Notes in Computer Science

View full text Add to dashboard Cite

We present a scalable and precise verifier for recurrent neural networks, called Prover based on two novel ideas: (i) a method to compute a set of polyhedral abstractions for the non-convex and non-linear recurrent update functions by combining sampling, optimization, and Fermat’s theorem, and (ii) a gradient descent based algorithm for abstraction refinement guided by the certification problem that combines multiple abstractions for each neuron. Using Prover, we present the first study of certifying a non-trivial use case of recurrent neural networks, namely speech classification. To achieve this, we additionally develop custom abstractions for the non-linear speech preprocessing pipeline. Our evaluation shows that Prover successfully verifies several challenging recurrent models in computer vision, speech, and motion sensor data classification beyond the reach of prior work.

show abstract

“…Unfortunately, the DNN formal verification problem is NP-complete even for simple neural networks and specifications [37,39], and becomes exponentially harder as the network size increases. Still, great efforts are being put into devising verification schemes that can solve average instances of the problem quickly, and which support the verification of additional kinds of DNNs and properties [3][4][5]8,14,17,[21][22][23]25,[34][35][36][37][38][39][40]42,44,45,48,50,51,56,58,61,62,65,66,[69][70][71][72][73].…”

Section: Introductionmentioning

confidence: 99%

An Abstraction-Refinement Approach to Verifying Convolutional Neural Networks

Ostrovsky¹,

Barrett²,

Katz³

2022

Preprint

View full text Add to dashboard Cite

Convolutional neural networks have gained vast popularity due to their excellent performance in the fields of computer vision, image processing, and others. Unfortunately, it is now well known that convolutional networks often produce erroneous results -for example, minor perturbations of the inputs of these networks can result in severe classification errors. Numerous verification approaches have been proposed in recent years to prove the absence of such errors, but these are typically geared for fully connected networks and suffer from exacerbated scalability issues when applied to convolutional networks. To address this gap, we present here the Cnn-Abs framework, which is particularly aimed at the verification of convolutional networks. The core of Cnn-Abs is an abstraction-refinement technique, which simplifies the verification problem through the removal of convolutional connections in a way that soundly creates an over-approximation of the original problem; and which restores these connections if the resulting problem becomes too abstract. Cnn-Abs is designed to use existing verification engines as a backend, and our evaluation demonstrates that it can significantly boost the performance of a state-of-the-art DNN verification engine, reducing runtime by 15.7% on average.

show abstract

Fastened CROWN: Tightened Neural Network Robustness Certificates

Cited by 38 publications

References 8 publications

PRIMA: general and precise neural network certification via scalable convex hull approximations

PRIMA: general and precise neural network certification via scalable convex hull approximations

Scalable Polyhedral Verification of Recurrent Neural Networks

An Abstraction-Refinement Approach to Verifying Convolutional Neural Networks

Contact Info

Product

Resources

About