ReluVal
The released code of ReluVal in USENIX Security 2018
Neural networks are increasingly deployed in real-world safety-critical domains such as autonomous driving, aircraft collision avoidance, and malware detection. However, these networks have been shown to often mispredict on inputs with minor adversarial or even accidental perturbations. The consequences of such errors can be disastrous and even potentially fatal, as shown by the recent Tesla autopilot crash. Thus, there is an urgent need for formal analysis systems that can rigorously check neural networks for violations of different safety properties such as robustness against adversarial perturbations within a certain L-norm of a given image. An effective safety analysis system for a neural network must be able to either ensure that a safety property is satisfied by the network or find a counterexample, i.e., an input for which the network will violate the property. Unfortunately, most existing techniques for performing such analysis struggle to scale beyond very small networks, and the ones that can scale to larger networks suffer from high false positive rates and cannot produce concrete counterexamples in case of a property violation. In this paper, we present a new efficient approach for rigorously checking different safety properties of neural networks that significantly outperforms existing approaches by multiple orders of magnitude. Our approach can check different safety properties and find concrete counterexamples for networks that are 10× larger than the ones supported by existing analysis techniques. We believe that our approach to estimating tight output bounds of a network for a given input range can also help improve the explainability of neural networks and guide the training process of more robust neural networks.
Over the last few years, significant advances in neural networks have resulted in their increasing deployment in critical domains including healthcare, autonomous vehicles, and security. However, recent work has shown that neural networks, despite their tremendous success, often make dangerous mistakes, especially on rare corner-case inputs. For example, most state-of-the-art neural networks have been shown to produce incorrect outputs for adversarial inputs specifically crafted by adding minor human-imperceptible perturbations to regular inputs szegedy2013intriguing ; goodfellow2014explaining . Similarly, seemingly minor changes in the lighting or orientation of an input image have been shown to cause drastic mispredictions by state-of-the-art neural networks pei2017deepxplore ; pei2017towards . Such mistakes can have disastrous and even potentially fatal consequences. For example, a Tesla car in autopilot mode recently caused a fatal crash as it failed to detect a white truck against a bright sky with white clouds teslacrash1 .
A principled way of minimizing such mistakes is to ensure that neural networks satisfy simple safety/security properties such as the absence of adversarial inputs within a certain L-norm of a given image, or the invariance of the network's predictions on images of the same object under different lighting conditions. Ideally, given a neural network and a safety property, an automated checker should either guarantee that the property is satisfied by the network or find concrete counterexamples demonstrating violations of the safety property. The effectiveness of such automated checkers hinges on how accurately they can estimate the decision boundary of the network.
However, strict estimation of the decision boundary of a neural network with piecewise linear activation functions such as ReLU is a hard problem. While each ReLU's piecewise linear behavior can be split into two linear constraints and checked separately, the number of such linear pieces grows exponentially with the number of nodes in the network montufar2014number ; pascanu2013number . Therefore, exhaustive enumeration of all combinations of these pieces for any modern network is prohibitively expensive. Similarly, sampling-based inference techniques like black-box Monte Carlo sampling may need an enormous amount of data to generate tight, accurate bounds on the decision boundary eldan2011polynomial .

In this paper, we propose a new efficient approach for rigorously checking different safety properties of neural networks that significantly outperforms existing approaches by multiple orders of magnitude. Specifically, we introduce two key techniques. First, we use symbolic linear relaxation, which combines symbolic interval analysis and linear relaxation to compute tighter bounds on the network outputs by keeping track of relaxed dependencies across inputs during interval propagation when the actual dependencies become too complex to track. Second, we introduce a novel technique called directed constraint refinement to iteratively minimize the errors introduced during the relaxation process until a safety property is either satisfied or a counterexample is found. To make the refinement process efficient, we identify the potentially overestimated nodes, i.e., the nodes where inaccuracies introduced during relaxation can potentially affect the checking of a given safety property, and use off-the-shelf solvers to focus only on those nodes to further tighten their output ranges.
We implement our techniques as part of Neurify, a system for rigorously checking a diverse set of safety properties of neural networks larger than the ones that can be handled by existing techniques. We used Neurify to check six different types of safety properties of nine different networks trained on five different datasets. Our experimental results show that on average Neurify is significantly faster than both Reluplex katz2017reluplex and ReluVal reluval2018 .
Besides formal analysis of safety properties, we believe that our method for efficiently estimating tight and rigorous output ranges of a network for a given input range will also be useful for guiding the training process of robust networks kolter2017provable ; raghunathan2018certified and improving explainability of the decisions made by neural networks shrikumar2017learning ; koh2017understanding ; li2016understanding .
Related work. Several researchers have tried to extend and customize Satisfiability Modulo Theory (SMT) solvers, which have been very successful at verifying different properties of traditional software, for estimating decision boundaries with strong guarantees katz2017reluplex ; katz2017towards ; huang2017safety ; ehlers2017formal ; pulina2010abstraction . Unfortunately, the efficiency of such approaches is severely limited by the high nonlinearity of the resulting formulas.
Different convex or linear relaxation techniques have also been used to strictly approximate the decision boundary of neural networks. While these techniques tend to scale significantly better than solverbased approaches, they suffer from high false positive rates and struggle to find concrete counterexamples demonstrating violations of safety properties kolter2017provable ; raghunathan2018certified ; gehrai . Similarly, existing work on finding lower bounds on the Lnorms of adversarial perturbations that can fool a neural network also suffer from the same limitations peck2017lower ; weng2018evaluating .
Recently, ReluVal, by Wang et al. reluval2018 , has used interval arithmetic intervalbook for rigorously estimating a neural network's decision boundary by computing tight bounds on the outputs of the network for a given input range. While ReluVal achieved significant performance gains over state-of-the-art solver-based methods katz2017reluplex on networks with a small number of inputs, it struggled to scale to larger networks (see the detailed discussion in Section 2).
We build upon two prior works ehlers2017formal ; reluval2018 on using interval analysis and linear relaxations for analyzing neural networks. We briefly describe them below and refer interested readers to ehlers2017formal ; reluval2018 for more details.
Symbolic interval analysis. Interval arithmetic intervalbook is a flexible and efficient way of rigorously estimating the output ranges of a function given an input range by computing and propagating the output intervals for each operation in the function. However, naive interval analysis suffers from large overestimation errors as it ignores the input dependencies during interval propagation. To minimize such errors, Wang et al. reluval2018 developed symbolic intervals that keep track of dependencies by maintaining linear equations for the upper and lower bounds of each ReLU, concretizing only for those ReLUs that demonstrate nonlinear behavior for the given input interval. Specifically, consider an intermediate ReLU node ReLU(Eq), where Eq denotes the symbolic representation of the ReLU's input (i.e., a closed-form equation) and l and u denote the concrete lower and upper bounds of Eq, respectively. There are three possible output intervals that the ReLU node can produce depending on the bounds of Eq: (1) the equation Eq itself when l ≥ 0, (2) the constant 0 when u ≤ 0, or (3) a concretized interval when l < 0 < u. Wang et al. concretize the output interval for this node only in the third case, as the output then cannot be represented using a single linear equation.
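The three-case analysis above can be sketched as follows. This is a toy illustration with an assumed data layout (an equation is a pair of input coefficients and a constant), not ReluVal's actual implementation; in the concretized case we use the sound interval [0, u], since a ReLU output is never negative.

```python
# Toy sketch of symbolic interval propagation through one ReLU node
# (hypothetical representation, not ReluVal's code). An equation is
# (coeffs, const) over the network inputs; `box` lists input intervals.

def eq_bounds(eq, box):
    """Concrete [l, u] of coeffs . x + const over the input box."""
    coeffs, const = eq
    l = const + sum(c * (lo if c >= 0 else hi) for c, (lo, hi) in zip(coeffs, box))
    u = const + sum(c * (hi if c >= 0 else lo) for c, (lo, hi) in zip(coeffs, box))
    return l, u

def relu_symbolic(eq, box):
    """Return (lower_eq, upper_eq) bounding ReLU(eq) over the box."""
    coeffs, const = eq
    l, u = eq_bounds(eq, box)
    zero = ([0.0] * len(coeffs), 0.0)
    if l >= 0:                 # case 1: always active -> keep the equation
        return eq, eq
    if u <= 0:                 # case 2: always inactive -> output is 0
        return zero, zero
    # case 3: bounds straddle 0 -> concretize to [0, u],
    # losing the dependency on the inputs
    return zero, ([0.0] * len(coeffs), u)
```

Only case 3 discards the symbolic equation, which is exactly where overestimation enters.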
Bisection of input features. To further minimize overestimation, reluval2018 also proposed an iterative refinement strategy involving repeated input bisection and output reunion. Consider a network F taking a d-dimensional input X, where the i-th input feature is bounded by the interval X_i = [l_i, u_i] and the network output interval is F(X). A single bisection on X_i creates two children: X' with X_i = [l_i, (l_i + u_i)/2] and X'' with X_i = [(l_i + u_i)/2, u_i]. The reunion of the corresponding output intervals, F(X') ∪ F(X''), will be tighter than the original output interval, i.e., F(X') ∪ F(X'') ⊆ F(X), as the Lipschitz continuity of the network ensures that the overestimation error decreases as the width of the input interval becomes smaller. However, the efficiency of input bisection decreases drastically as the number of input dimensions increases.
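The bisect-and-reunite step can be sketched as follows (assumed interface, not ReluVal's code; `f_interval` stands for any sound interval analyzer). The toy analyzer below evaluates f(x) = x − x while ignoring the dependency between the two occurrences of x, so bisection visibly tightens the result:

```python
# Sketch of iterative refinement via input bisection and output reunion.
# Bisecting one input feature and taking the union of the children's
# output intervals can only tighten (never widen) the estimated range.

def union(a, b):
    return (min(a[0], b[0]), max(a[1], b[1]))

def bisect_refine(f_interval, box, dim):
    lo, hi = box[dim]
    mid = (lo + hi) / 2.0
    left, right = list(box), list(box)
    left[dim], right[dim] = (lo, mid), (mid, hi)
    return union(f_interval(left), f_interval(right))

def f_interval(box):
    # Naive interval evaluation of f(x) = x - x: the dependency between
    # the two occurrences of x is lost, producing a loose interval.
    lo, hi = box[0]
    return (lo - hi, hi - lo)
```

For x in [0, 1], the naive analysis yields [-1, 1], while one bisection tightens it to [-0.5, 0.5].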
Linear relaxation. Ehlers et al. ehlers2017formal used linear relaxation of ReLU nodes to strictly over-approximate the nonlinear constraints introduced by ReLUs. The generated linear constraints can then be efficiently solved using a linear solver to get bounds on the output of a neural network for a given input range. Consider a simple ReLU node y = ReLU(x) taking input x with lower and upper bounds l and u respectively (l < 0 < u) and producing output y, as shown in Figure 1. Linear relaxation of such a node uses the following three linear constraints: (1) y ≥ 0, (2) y ≥ x, and (3) y ≤ u(x − l)/(u − l), which expand the feasible region from the two original piecewise linear components to the green triangle. The effectiveness of this approach heavily depends on how accurately l and u can be estimated. Unfortunately, Ehlers et al. ehlers2017formal used naive interval propagation to estimate l and u, leading to a large overestimation error. Furthermore, their approach cannot efficiently refine the estimated bounds and therefore does not benefit from increasing computing power.
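The triangle relaxation can be sketched numerically. The helper below is our illustration (not Ehlers et al.'s code) and returns the range of values the relaxation permits for y = ReLU(x) at a given point x:

```python
# Triangle (linear) relaxation of y = ReLU(x) for x in [l, u] with
# l < 0 < u: the feasible region is bounded by
#   y >= 0, y >= x, and y <= u * (x - l) / (u - l).

def relaxed_range(x, l, u):
    """Lowest and highest y the relaxation allows at this x."""
    assert l < 0 < u and l <= x <= u
    lower = max(0.0, x)               # tightest point satisfying y >= 0 and y >= x
    upper = u * (x - l) / (u - l)     # the relaxed upper line
    return lower, upper
```

For l = -1 and u = 1, the relaxation permits y in [0, 0.5] at x = 0, so the overestimation is largest where the input crosses zero and vanishes at the interval endpoints.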
In this paper, we make two major contributions to scale formal safety analysis to networks significantly larger than those evaluated in prior works katz2017reluplex ; ehlers2017formal ; kolter2017provable ; reluval2018 . First, we combine symbolic interval analysis and linear relaxation (described in Section 2) in a novel way to create a significantly more efficient propagation method, symbolic linear relaxation, that achieves substantially tighter estimations (evaluated in Section 4). Second, we present a technique for identifying overestimated intermediate nodes, i.e., the nodes whose outputs are overestimated during symbolic linear relaxation, and propose directed constraint refinement to iteratively refine the output ranges of these nodes. In Section 4, we also show that this method mitigates the limitations of input bisection reluval2018 and scales to larger networks.
Figure 2 illustrates the high-level workflow of Neurify. Neurify takes in a range of inputs and then determines, using a linear solver, whether the output estimation generated by symbolic linear relaxation satisfies the safety properties. The property is proven to be satisfied if the solver returns Unsat. Note that a suspicious counterexample found by the solver might be a false positive due to the inaccuracies introduced by the relaxation process. If the solver finds a counterexample, Neurify checks whether it is a false positive. If not, Neurify stops the checking process and outputs the counterexample. In case of a false positive, Neurify leverages directed constraint refinement guided by symbolic linear relaxation to obtain a tighter output bound and rechecks the property with the solver. Once the number of iterative refinement steps reaches a configurable threshold, Neurify reports a timeout along with the current state of the refinement process.
We define a symbolic linear relaxation of the output of each ReLU node ReLU(Eq), where the input Eq is bounded by the linear equations Eq_low and Eq_up (Eq_low ≤ Eq ≤ Eq_up). Here Eq denotes the closed-form symbolic representation of the node's input.

Specifically, Equation 1 shows the symbolic linear relaxation, where ↦ denotes "relax to". In addition, [l_low, u_low] and [l_up, u_up] denote the concrete lower and upper bounds of Eq_low and Eq_up, respectively. In supplementary material Section 1.2, we give a detailed proof that this relaxation is the tightest achievable due to its least maximum distance from ReLU(Eq). In the following discussion, we simplify Eq_low and Eq_up as Eq and the corresponding lower and upper bounds as l and u. Figure 3 compares symbolic linear relaxation to the concretizations used in the symbolic interval analysis described in reluval2018 . The complete comparison and discussion can be found in supplementary material Section 2.
(1)   ReLU(Eq_low) ↦ (u_low / (u_low − l_low)) · Eq_low,        ReLU(Eq_up) ↦ (u_up / (u_up − l_up)) · (Eq_up − l_up)
In practice, symbolic linear relaxation cuts (on average) 59.64% more overestimation error than symbolic interval analysis (cf. Section 2) and reduces the time needed to prove a property by orders of magnitude (cf. Section 4). Three factors explain this improvement. First, the maximum possible error introduced by the relaxations in Figure 3(b) is u_up|l_up|/(u_up − l_up) for the upper bound and u_low|l_low|/(u_low − l_low) for the lower bound (the proof is in supplementary material Section 1.2); these relaxations are considerably tighter than the concretizations shown in Figure 3(a). Second, symbolic linear relaxation partially keeps the input dependencies during interval propagation by maintaining symbolic equations, which are completely discarded by the concretizations in Figure 3(a). Third, the final output error can grow exponentially with the error introduced at each node (proved in supplementary material Section 1.2); thus, error minimized at earlier nodes can significantly reduce the final output error.
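Equation 1 can be sketched as a transformation on a bound equation. As before, the (coeffs, const) representation is a toy layout assumed for illustration, not Neurify's implementation:

```python
# Sketch of symbolic linear relaxation (Equation 1). For a bound
# equation Eq with concrete bounds [l, u] straddling zero:
#   lower bound:  ReLU(Eq) -> (u / (u - l)) * Eq
#   upper bound:  ReLU(Eq) -> (u / (u - l)) * (Eq - l)

def slr_relax(eq, l, u, is_upper):
    coeffs, const = eq
    if l >= 0:
        return eq                          # provably active: keep equation
    if u <= 0:
        return ([0.0] * len(coeffs), 0.0)  # provably inactive: zero
    k = u / (u - l)
    shifted = const - l if is_upper else const
    return ([k * c for c in coeffs], k * shifted)
```

For Eq = x with [l, u] = [-1, 1], the lower bound relaxes to 0.5·x and the upper to 0.5·x + 0.5; unlike concretization, both keep a non-zero coefficient on the input, preserving the dependency.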
While symbolic linear relaxation alone already gives a tight estimation of the output bounds for checking safety properties, we develop another generic approach, directed constraint refinement, to further improve the overall performance of property checking. Our empirical results in Section 4 show the substantial improvement from combining this approach with symbolic linear relaxation. In the following, we first define overestimated nodes, which are needed for the detailed description of directed constraint refinement.
Overestimated nodes. We note that, in practice, only a small proportion of intermediate ReLU nodes operate in the nonlinear region for a given input range; these are the only nodes that need to be relaxed (cf. Section 2). We define such nodes, which show nonlinear behavior and thus introduce overestimation error, as overestimated nodes. We include other useful properties and proofs regarding overestimated nodes in supplementary material Section 1.1.
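As a toy illustration (hypothetical data layout, not Neurify's implementation), a node is overestimated exactly when the concrete bounds of its input equation straddle zero:

```python
# Identify overestimated ReLU nodes: those whose input equation's
# concrete bounds straddle 0. `nodes` is assumed to be a list of
# (name, lower, upper) tuples produced by bound propagation.

def overestimated(nodes):
    return [name for name, l, u in nodes if l < 0 < u]
```

Nodes with l ≥ 0 or u ≤ 0 behave linearly over the whole input range and need no relaxation.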
Based on the definition of overestimated nodes, we define one step of directed constraint refinement as computing the refined output range F'(X):

(2)   F'(X) = F(x | x ∈ X, Eq(x) ≤ 0) ∪ F(x | x ∈ X, Eq(x) > 0)

where X denotes the input intervals to the network, F is the corresponding network, and Eq is the input equation of an overestimated node. Note that, following Section 3.1, we again simplify the input of a node as a single equation instead of two bounds.
The refinement runs iteratively by calling an efficient underlying linear solver, allowing Neurify to scale to more difficult safety properties. The convergence analysis is given in supplementary material Section 1.3.
The refinement includes the following three steps:
Locating overestimated nodes. From symbolic linear relaxation, we obtain the set of overestimated nodes within the network. We then prioritize the overestimated nodes with larger output gradients and refine the most influential node first. We borrow the idea from reluval2018 of computing the gradient of the network output with respect to the input of the overestimated node, where a larger gradient value for a particular node signifies that its input has a greater influence on the output.
Splitting. After locating an overestimated node, we split its input range into two independent cases, Eq < 0 and Eq ≥ 0, where Eq denotes the input equation of the target overestimated node. Now, in contrast to symbolic linear relaxation, where ReLU(Eq) needs to be relaxed, neither of the two split cases requires any relaxation as described in Section 2, since the input interval no longer spans 0. Therefore, two tighter approximations of the output can be achieved, one for each case.
Solving. We solve the resulting linear constraints, together with the constraints defined by the safety properties, by instantiating an underlying linear solver. In particular, we define a safety property as requiring that the confidence value of the targeted class y_t (e.g., a handwritten image should be predicted as 7) is always greater than the outputs of the other classes y_o (e.g., outputs other than 7). We thus encode the constraint for a safety property as Eq_low(y_t) − Eq_up(y_o) > 0, where Eq_low(y_t) is the lower-bound equation of y_t and Eq_up(y_o) is the upper-bound equation of y_o obtained from symbolic linear relaxation. After one step of directed constraint refinement on an overestimated node with input equation Eq, the original formal proof of a safety property can be written as the two independent problems shown in Equation 3:

(3)   {x ∈ X, Eq(x) ≤ 0, Eq_up(y_o) − Eq_low(y_t) ≥ 0}        {x ∈ X, Eq(x) > 0, Eq_up(y_o) − Eq_low(y_t) ≥ 0}
In this process, we invoke the solver in two ways. (1) If the solver reports that both cases are unsatisfiable, the property is formally proved safe; otherwise, another step of iterative refinement can be applied to the satisfiable cases. (2) If either case is satisfiable, the solution returned by the linear solver is a candidate input violating the safety property. Note that the solution is obtained under the relaxed constraints and thus may be a false positive. We therefore directly execute the network on the computed input. If the solution does not violate the property, we repeat the above process for another overestimated node (cf. Figure 2).
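One refinement step's control flow can be sketched as follows. The interfaces here are hypothetical: in Neurify the `solve` role is played by lp_solve/Gurobi, `run_network` executes the concrete network, and `violates` evaluates the property on the concrete output.

```python
# Control-flow sketch of one directed-constraint-refinement step
# (hypothetical interfaces, not Neurify's code). `solve(constraints)`
# returns a candidate input or None if the system is Unsat.

def dcr_step(base_constraints, split_eq, solve, run_network, violates):
    outcomes = []
    for sign in ("<= 0", "> 0"):
        cand = solve(base_constraints + [(split_eq, sign)])
        if cand is None:
            outcomes.append("unsat")      # this branch is proved safe
        elif violates(run_network(cand)):
            return "violated", cand       # concrete counterexample found
        else:
            outcomes.append("refine")     # false positive: refine further
    if all(o == "unsat" for o in outcomes):
        return "safe", None
    return "refine", None
```

A "refine" outcome sends the caller back to pick the next most influential overestimated node, as in Figure 2.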
In this work, we support checking diverse safety properties of networks, including five classes of properties based on the input constraints. Specifically, we specify the safety properties of a neural network by defining constraints on its inputs and outputs. For example, as briefly mentioned in Section 3.1, the output of the network on an input should not change (i.e., should remain invariant) when the input is allowed to vary within a certain range. For output constraints, taking a classification network as an example, we define output invariance by requiring that the lower bound of the confidence value of the input's original class exceed the upper bounds of all other classes. For input constraints, we consider three popular bounds, based on the L-infinity, L1, and L2 norms, which are widely employed in the adversarial machine learning literature goodfellow2014explaining . These bounds allow arbitrary perturbations of the input features as long as the corresponding norm of the overall perturbation does not exceed a certain threshold. In addition to these arbitrary perturbations, we consider two specific perturbations that change brightness and contrast, as discussed in pei2017towards . Properties specified with the L-infinity norm fit most directly into the scope of our symbolic linear relaxation, where each input feature is bounded by an interval. For properties specified with the L1 or L2 norm, we need one additional constraint bounding the norm of the overall perturbation, which is no longer a simple interval constraint; we leverage a solver that supports quadratic constraints to handle these cases (see details in Section 4). Brightness and contrast changes can be efficiently handled by iteratively bisecting all input features simultaneously.

Implementation. We implement Neurify in about 26,000 lines of C code. We use the highly optimized OpenBLAS library (https://www.openblas.net/) for matrix multiplication and lp_solve 5.5 (http://lpsolve.sourceforge.net/5.5/) for solving the linear constraints generated during the directed constraint refinement process. The Gurobi 8.0.0 solver is used for norm-bounded safety properties requiring quadratic constraints. All our evaluations were performed on a Linux server running Ubuntu 16.04 with 8 CPU cores and 256GB of memory. Neurify also uses several optimizations such as thread rebalancing for parallelization and outward rounding; details can be found in supplementary material Section 3.
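The three input-constraint families above can be illustrated for a perturbed input x around a seed x0 (our sketch; names and thresholds are illustrative, not Neurify's API):

```python
# L_inf perturbations translate directly into per-feature intervals,
# while L1/L2 perturbations add one global constraint over the whole
# perturbation vector (the L2 constraint is quadratic, hence the need
# for a solver with quadratic-constraint support).

def linf_box(x0, eps):
    """Per-feature input intervals for an L_inf ball of radius eps."""
    return [(xi - eps, xi + eps) for xi in x0]

def within_l1(x, x0, eps):
    return sum(abs(a - b) for a, b in zip(x, x0)) <= eps

def within_l2(x, x0, eps):
    return sum((a - b) ** 2 for a, b in zip(x, x0)) <= eps ** 2
```

Only the L_inf case decomposes into independent per-feature intervals; the L1 and L2 checks couple all features together, which is why they require extra solver-side constraints.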
Table 1: Models evaluated and aggregate property-checking results.

Dataset | Model | # ReLUs | Architecture# | Properties | Safe | Violated | Timeout
ACAS Xu | ACAS Xu | 300 | | Custom* | 141 | 37 | 0
MNIST lecun1998mnist | MNIST_FC1 | 48 | <784, 24, 24, 10> | | 267 | 233 | 0
| MNIST_FC2 | 100 | <784, 50, 50, 10> | | 271 | 194 | 35
| MNIST_FC3 | 1024 | <784, 512, 512, 10> | | 322 | 41 | 137
| MNIST_CN | 4804 | (convolutional+) | | 91 | 476 | 233
Drebin arp2014drebin | Drebin_FC1 | 100 | <545334, 50, 50, 2> | C.P. in pei2017deepxplore | 458 | 21 | 21
| Drebin_FC2 | 210 | <545334, 200, 10, 2> | | 437 | 22 | 41
| Drebin_FC3 | 400 | <545334, 200, 200, 2> | | 297 | 27 | 176
Car dave2016 | DAVE | 10276 | (convolutional+) | | 80 | 82 | 58

* Custom properties.
# <x, y, ...> denotes hidden layers with x neurons in the first layer, y neurons in the second layer, etc.
+ Convolutional layers are described by output channels (c), kernel width (w), kernel height (h), and stride (s).
Summary. To evaluate the performance of Neurify, we test it on nine models trained on five datasets for different tasks, where each type of model includes multiple concrete architectures. Specifically, we evaluate Neurify on fully connected ACAS Xu models julian2016policy , three fully connected Drebin models arp2014drebin , three fully connected MNIST models lecun1998mnist , one convolutional MNIST model kolter2017provable , and one convolutional self-driving car model dave2016 . Table 1 summarizes the detailed structures of these models; we include more detailed descriptions in supplementary material Section 4. All the networks closely follow publicly known settings and are either pre-trained or trained offline to achieve performance comparable to real-world models on these datasets.
We also summarize the safety properties checked by Neurify in Table 1, with the timeout threshold set to 3600 seconds. Here we report the results for the self-driving car model (DAVE) to illustrate how we define the safety properties and count the numbers of safe and violated properties. We report the other results in supplementary material Section 5.




DAVE. We show that Neurify is the first formal analysis tool that can systematically check different safety properties for a large (over 10,000 ReLUs) convolutional self-driving car network, DAVE dave2016 ; bojarski2016end . We use the dataset from the Udacity self-driving car challenge, containing 101,396 training and 5,614 testing samples udacitychallenge2016 . Our model's architecture is similar to the DAVE-2 self-driving car architecture from NVIDIA bojarski2016end ; dave2016 , and it achieves MSE similar to the models used in pei2017deepxplore . We formally analyze the network with inputs bounded by the norm, brightness, and contrast constraints described in Section 3.3. We define the safe range of deviation of the output steering direction from the original steering angle to be less than 30 degrees. The detailed numbers of cases Neurify can prove are shown in Table 2.
Table 3: Time and speedup of Neurify compared to Reluplex and ReluVal on ACAS Xu properties.

Source | Property | Reluplex (sec) | ReluVal (sec) | Neurify (sec) | Speedup over Reluplex (×)
Security properties from katz2017reluplex | | 443,560.73* | 14,603.27 | 458.75 |
| | 123,420.40 | 117,243.26 | 16,491.83 | 8
| | 35,040.28 | 19,018.90 | 600.64 | 58.33
| | 13,919.51 | 441.97 | 54.56 | 255
| | 23,212.52 | 216.88 | 21.378 | 1,086
| | 220,330.82 | 46.59 | 1.48 | 148,872
| | 86,400.00* | 9,240.29 | 563.55 | 154
| | 43,200.01 | 40.41 | 33.17 | 1,302
| | 116,441.97 | 15,639.52 | 921.06 | 126.42
| | 23,683.07 | 10.94 | 1.16 | 20,416.38
Additional security properties | | 4,394.91 | 27.89 | 0.62 | 7,089
| | 2,556.28 | 0.104 | 0.13 | 19,664
| | 172,800.00* | 148.21 | 38.11 | 4,534
| | 172,810.86* | 288.98 | 22.87 | 7,556
| | 31,328.26 | 876.8 | 91.71 | 342

* Reluplex uses different timeout thresholds for different properties.
** Reluplex returns spurious counterexamples on two safe networks due to a rounding bug and ends prematurely.
ACAS Xu. The unmanned aircraft alert system ACAS Xu kochenderfer2012next comprises networks advising maneuver decisions for aircraft, and it is on schedule to be installed in over 30,000 passenger and cargo aircraft worldwide ACASXTech and in the US Navy's fleets MQ4C . It is comparatively small and has only five input features, so ReluVal reluval2018 can efficiently check different safety properties. However, its performance still suffers from the loose estimation of output ranges due to the concretizations introduced during symbolic interval analysis. Neurify leverages symbolic linear relaxation and achieves on average 20× better performance than ReluVal reluval2018 and up to 5,000× better performance than Reluplex katz2017reluplex . In Table 3, we summarize the time and speedup of Neurify compared to ReluVal and Reluplex for all the properties tested in katz2017reluplex ; reluval2018 .
MNIST_FC. The MNIST networks have significantly more inputs than ACAS Xu: 784 input features. ReluVal always times out when the analyzed input ranges become large. We measure the performance of Neurify on the fully connected MNIST models MNIST_FC1, MNIST_FC2, and MNIST_FC3, and in Figure 4 compare the numbers of cases that can be proved safe or for which a counterexample can be found against ReluVal and Reluplex. Due to the low efficiency of Reluplex and ReluVal, we set 1,200 seconds as the timeout threshold. The results show that Neurify consistently outperforms the other two, especially with larger input bounds, where the percentage of properties the other two can prove quickly decreases.


Table 4: Average width of estimated output ranges.

Model | Naive interval arithmetic | Symbolic linear relaxation | Improvement (%)
MNIST_FC1 | 111.87 | 52.22 | 114.23
MNIST_FC2 | 230.27 | 101.72 | 126.38
MNIST_FC3 | 1271.19 | 624.27 | 103.63
Symbolic Linear Relaxation (SLR). We compare the widths of the estimated output ranges computed by naive interval arithmetic reluval2018 and by symbolic linear relaxation on MNIST_FC1, MNIST_FC2, and MNIST_FC3, and summarize the average output widths in Table 4. The experiments are based on 100 images, each with a bounded input range. The results indicate that SLR in Neurify can tighten the output intervals by at least 100%, which significantly speeds up the analysis.
Table 5: Number of timeout cases out of 100 random images on MNIST_CN.

Property | SLR | SLR + DCR | Improvement
| 0 | 0 | 0
| 2 | 1 | 1
| 6 | 0 | 6
| 18 | 5 | 13
| 58 | 12 | 46
| 100 | 90 | 10
| 100 | 80 | 20
| 100 | 45 | 55
Directed Constraint Refinement (DCR). To illustrate how DCR improves overall performance when combined with SLR, we evaluate Neurify on MNIST_CN and measure the number of timeout cases out of 100 random images when using symbolic linear relaxation alone versus combining it with directed constraint refinement. Table 5 shows that SLR combined with DCR can prove 18.88% more cases on average than SLR alone.
We designed and implemented Neurify, an efficient and scalable platform for checking safety properties of real-world neural networks and providing concrete counterexamples. We proposed symbolic linear relaxation to compute a tight over-approximation of a network's output for a given input range, and directed constraint refinement to further refine the bounds using linear solvers. Our extensive empirical results, covering a broad spectrum of real-world applications, demonstrate that Neurify outperforms state-of-the-art formal analysis systems providing similar functionality by multiple orders of magnitude.
Nvidia-Autopilot-Keras. https://github.com/0bserver07/Nvidia-Autopilot-Keras.
Using Deep Learning to Predict Steering Angles. https://github.com/udacity/self-driving-car.
The MNIST database of handwritten digits. http://yann.lecun.com/exdb/mnist/, 1998.