A Dual Approach to Scalable Verification of Deep Networks

03/17/2018

∙

This paper addresses the problem of formally verifying desirable properties of neural networks, i.e., obtaining provable guarantees that the outputs of the neural network will always behave in a certain way for a given class of inputs. Most previous work on this topic was limited in its applicability by the size of the network, network architecture and the complexity of properties to be verified. In contrast, our framework applies to much more general class of activation functions and specifications on neural network inputs and outputs. We formulate verification as an optimization problem and solve a Lagrangian relaxation of the optimization problem to obtain an upper bound on the verification objective. Our approach is anytime, i.e. it can be stopped at any time and a valid bound on the objective can be obtained. We develop specialized verification algorithms with provable tightness guarantees under special assumptions and demonstrate the practical significance of our general verification approach on a variety of verification tasks.

READ FULL TEXT VIEW PDF

1 Introduction

Deep learning has led to tremendous progress in machine learning in the last few years achieving state-of-the-art performance on complex image classification and speech recognition tasks krizhevsky2012imagenet. However, this progress has been tainted by disturbing revelations that state of the art networks can easily be fooled by making seemingly innocuous modifications to the input data that cause the network to change its prediction significantly szegedy2013intriguing; kurakin2016adversarial. While modifications to neural network training algorithms have been proposed to mitigate these effects, a comprehensive solution has remained elusive.

Further, neural networks are gaining widespread adoption, including in domains with critical safety constraints marston2015acas; DC; SD.

Given these factors, verification of neural networks has gained significant attention in recent research kolter2017provable; bunel2017piecewise add more

Most verification methods to date have been limited to piecewise linear neural networks. However, practical state-of-the-art performing neural networks have significant nonlinearities besides piecewise linear. In this report, we describe a general approach to verifying neural networks with arbitrary transfer functions.

2 Formulation

We will start with a layer-wise description of a neural networks


	$x_{l + 1} = h_{l} (y_{l}), y_{l} = W_{l} x_{l} + b_{l} \forall l \in {0, 1, \dots, L - 1}$		(1a)

where $x_{l} \in R^{n_{l}}$

is the vector of neural activations at layer

l

y_{l}

is the pre-nonlinearity activations and

h_{l} : R^{n_{l + 1}} \mapsto R^{n_{l + 1}}

is a component-wise nonlinearity.

We use the notation $x_{l, k}, y_{l, k}$ to denote the $k$ -th component of the vectors $x_{l}, y_{l}$ and $h_{l, k}$ the $k$ -th component of the function $h$ , so that

x_{l + 1, k} = h_{l, k} (y_{l, k})

Note that we do not necessarily need to assume that $h_{k}$ is the same for each $k$

(so we can have layers where some of the neurons have tanh transfer functions while others have ReLUs and yet others have sigmoids).

Most verification problems can be posed as follows:


	$max x_{0}, \dots, x_{L}, y_{0}, \dots, y_{L - 1} c^{T} x_{L}$		(2a)
	Subject to		(2b)
	$x_{l + 1} = h_{l} (y_{l}), y_{l} = W_{l} x_{l} + b_{l} \forall l \in {0, 1, \dots, L - 1}$		(2c)
	${x - -}_{l} \leq x_{l} \leq {¯ ¯ ¯ x}_{l} \forall l \in {1, \dots, L}$		(2d)
	${y -}_{l} \leq W_{l} x_{l} + b_{l} \leq {¯ ¯ ¯ y}_{l} \forall l \in {1, \dots, L}$		(2e)
	${y -}_{l} \leq y \leq {¯ ¯ ¯ y}_{l} \forall l \in {0, 1, \dots, L - 1}$		(2f)
	$x_{0} \in S$		(2g)

where $S$ is a set of constraints on the input $x_{0}$ (assumed to be convex) and ${x - -}_{l}, {¯ ¯ ¯ x}_{l}, {y -}_{l}, {¯ ¯ ¯ y}_{l}$ are bounds on the pre and post nonlinear activations at each layer (that are inferred from the constraints on $x_{0}$ ). We assume for now that these bounds are given, but we later show how they can be inferred as well at a marginally small computational cost.

A concrete instance of a verification problem posed in this form would be when $n_{L} = 1$ and $c=\plusminus1$ and $S = {x : ∥ x - z ∥ \leq δ}$ which corresponds to the search for an adversarial exmaple that causes the maximum deviation in the output of the network subject to the constraint that the input to the network does not change from a nominal value $z$ by more than $δ$ in some norm.

We can bound the optimal value of (2) using the dual program:


	$max x_{0}, \dots, x_{L - 1}, y_{0}, \dots, y_{L - 1} c^{T} h_{L - 1} (y_{L - 1}) + L - 2 \sum l = 0 λ_{l}^{T} (x_{l + 1} - h_{l} (y_{l})) + L - 1 \sum l = 0 μ_{l}^{T} (y_{l} - W_{l} x_{l} - b_{l})$		(3a)
	Subject to		(3b)
	${x - -}_{l} \leq x \leq {¯ ¯ ¯ x}_{l} \forall l \in {1, \dots, L - 1}$		(3c)
	${y -}_{l} \leq W_{l} x_{l} + b_{l} \leq {¯ ¯ ¯ y}_{l} \forall l \in {1, \dots, L - 1}$		(3d)
	${y -}_{l} \leq y \leq {¯ ¯ ¯ y}_{l} \forall l \in {0, 1, \dots, L - 1}$		(3e)
	$x_{0} \in S$		(3f)

By weak duality, for any choice of $λ, μ$ , the above optimization problem provides a valid upper bound on the optimal value of (2).

We now look at solving the above optimization problem. Since the objective and constraints are separable in the layers, the variables in each layer can be optimized independently. For $l = 1, \dots, L - 1$ , we have

f_{l} (λ_{l - 1}, μ_{l}) = max x_{l} \in [{x - -}_{l}, {¯ ¯ ¯ x}_{l}]

(

λ_l-1-W_l^Tμ_l)^Tx_l - (b_l)^Tμ_l which can also be solved trivially by setting each component of $x_{l}$ to its upper or lower bound. Finally, we have

{~ f}_{l} (λ_{l}, μ_{l}) = max y_{l} \in [{y -}_{l}, {¯ y}_{l}] {(μ_{l})}^{T} y_{l} - {(λ_{l})}^{T} h_{l} (y_{l})

where $λ_{L - 1} = - c$ .

Since the objective is separable, one can solve separately for each component of $y_{l}$ :

{~ f}_{l, k} (λ_{l, k}, μ_{l, k}) = max y_{l, k} \in [{y -}_{l, k}, {¯ y}_{l, k}] μ_{l, k} y_{l, k} - λ_{l, k} h_{l, k} (y_{l, k})

This is a one-dimensional optimization problem and can be solved easily for most common transfer functions $h$ by simply looking at all the stationary points of the objective within the constraints plus the upper/lower bounds, and choosing among those the point at which the objective is largest. For most common transfer functions, since they are convex below $0$ and concave above $0$ (sigmoid, tanh all fall into this class), there are at most two stationary points within the domain, and hence the number of possibilities that need to be considered for this optimization is at most $4$ .

Finally, we need to solve

f_{0} (μ_{0}) = max x_{0} \in S {(- {(W_{0})}^{T} μ_{0})}^{T} x_{0} - {(b_{0})}^{T} μ_{0}

which can also be solved easily typically if $S$ is simply a norm ball (the solution would be of the form $x_{0} = z + κ {(W_{0})}^{T} μ_{0}$ where $κ$ is chosen such that $x_{0}$ is on the surface of the norm ball).

Once these problems are solved, we can construct the dual optimization problem:


	$min λ, μ L - 1 \sum l = 0 (n_{l + 1} \sum k = 0 {~ f}_{l, k} (λ_{l, k}, μ_{l, k})) + L - 1 \sum l = 1 f_{l} (λ_{l - 1}, μ_{l}) + f_{0} (μ_{0})$		(4a)

This optimization can be solved via a sub-gradient descent on $λ, μ$ . If the optimal $λ, μ$ are such that the objective of (3) is concave, then it can be guaranteed that there is no duality gap and the dual bound exactly matches the optimal value (2)

A Dual Approach to Scalable Verification of Deep Networks

Zonotope Domains for Lagrangian Neural Network Verification

Reachability Analysis of Deep Neural Networks with Provable Guarantees

Neural Network Verification as Piecewise Linear Optimization: Formulations for the Composition of Staircase Functions

Mandating Code Disclosure is Unnecessary – Strict Model Verification Does Not Require Accessing Original Computer Code

Lagrangian Decomposition for Neural Network Verification

Vehicle: Interfacing Neural Network Verifiers with Interactive Theorem Provers

Provably Tightest Linear Approximation for Robustness Verification of Sigmoid-like Neural Networks

1 Introduction

2 Formulation

References

A Dual Approach to Scalable Verification of Deep Networks

Related Research

Zonotope Domains for Lagrangian Neural Network Verification

Reachability Analysis of Deep Neural Networks with Provable Guarantees

Neural Network Verification as Piecewise Linear Optimization: Formulations for the Composition of Staircase Functions

Mandating Code Disclosure is Unnecessary – Strict Model Verification Does Not Require Accessing Original Computer Code

Lagrangian Decomposition for Neural Network Verification

Vehicle: Interfacing Neural Network Verifiers with Interactive Theorem Provers

Provably Tightest Linear Approximation for Robustness Verification of Sigmoid-like Neural Networks

1 Introduction

2 Formulation

References