Log In Sign Up

Efficient Formal Safety Analysis of Neural Networks

Neural networks are increasingly deployed in real-world safety-critical domains such as autonomous driving, aircraft collision avoidance, and malware detection. However, these networks have been shown to often mispredict on inputs with minor adversarial or even accidental perturbations. Consequences of such errors can be disastrous and even potentially fatal as shown by the recent Tesla autopilot crash. Thus, there is an urgent need for formal analysis systems that can rigorously check neural networks for violations of different safety properties such as robustness against adversarial perturbations within a certain L-norm of a given image. An effective safety analysis system for a neural network must be able to either ensure that a safety property is satisfied by the network or find a counterexample, i.e., an input for which the network will violate the property. Unfortunately, most existing techniques for performing such analysis struggle to scale beyond very small networks and the ones that can scale to larger networks suffer from high false positives and cannot produce concrete counterexamples in case of a property violation. In this paper, we present a new efficient approach for rigorously checking different safety properties of neural networks that significantly outperforms existing approaches by multiple orders of magnitude. Our approach can check different safety properties and find concrete counterexamples for networks that are 10× larger than the ones supported by existing analysis techniques. We believe that our approach to estimating tight output bounds of a network for a given input range can also help improve the explainability of neural networks and guide the training process of more robust neural networks.


page 1

page 2

page 3

page 4


Quantitative Verification of Neural Networks And its Security Applications

Neural networks are increasingly employed in safety-critical domains. Th...

Finding Input Characterizations for Output Properties in ReLU Neural Networks

Deep Neural Networks (DNNs) have emerged as a powerful mechanism and are...

Efficient Adversarial Input Generation via Neural Net Patching

The adversarial input generation problem has become central in establish...

FANNet: Formal Analysis of Noise Tolerance, Training Bias and Input Sensitivity in Neural Networks

With a constant improvement in the network architectures and training me...

Statistical Verification of Neural Networks

We present a new approach to neural network verification based on estima...

Formal Security Analysis of Neural Networks using Symbolic Intervals

Due to the increasing deployment of Deep Neural Networks (DNNs) in real-...

Probabilistic Safety for Bayesian Neural Networks

We study probabilistic safety for Bayesian Neural Networks (BNNs) under ...

Code Repositories


The released code of ReluVal in USENIX Security 2018

view repo

1 Introduction

Over the last few years, significant advances in neural networks have resulted in their increasing deployment in critical domains including healthcare, autonomous vehicles, and security. However, recent work has shown that neural networks, despite their tremendous success, often make dangerous mistakes, especially for rare corner case inputs. For example, most state-of-the-art neural networks have been shown to produce incorrect outputs for adversarial inputs specifically crafted by adding minor human-imperceptible perturbations to regular inputs szegedy2013intriguing ; goodfellow2014explaining . Similarly, seemingly minor changes in lighting or orientation of an input image have been shown to cause drastic mispredictions by the state-of-the-art neural networks pei2017deepxplore ; pei2017towards . Such mistakes can have disastrous and even potentially fatal consequences. For example, a Tesla car in autopilot mode recently caused a fatal crash as it failed to detect a white truck against a bright sky with white clouds teslacrash1 .

A principled way of minimizing such mistakes is to ensure that neural networks satisfy simple safety/security properties such as the absence of adversarial inputs within a certain L-norm of a given image or the invariance of the network’s prediction on the images of the same object under different lighting conditions. Ideally, given a neural network and a safety property, an automated checker should either guarantee that the property is satisfied by the network or find concrete counterexamples demonstrating violations of the safety property. The effectiveness of such automated checkers hinges on how accurately they can estimate the decision boundary of the network.

However, strict estimation of the decision boundary of a neural network with piece-wise linear activation functions such as ReLU is a hard problem. While piece-wise linear pieces can be partitioned into two linear constraints and efficiently check separately, these linear pieces grow exponentially with the number of nodes in the network 

montufar2014number ; pascanu2013number . Therefore, exhaustive enumeration of all combinations of these pieces for any modern network is prohibitively expensive. Similarly, sampling-based inference techniques like blackbox Monte Carlo sampling may need an enormous amount of data to generate tight accurate bounds on the decision boundary eldan2011polynomial .

In this paper, we propose a new efficient approach for rigorously checking different safety properties on neural networks that significantly outperform existing approaches by multiple orders of magnitude. Specifically, we introduce two key techniques. First, we use symbolic linear relaxation that combines symbolic interval analysis and linear relaxation to compute tighter bounds on the network outputs by keeping track of relaxed dependencies across inputs during interval propagation when the actual dependencies become too complex to track. Second, we introduce a novel technique called directed constraint refinement to iteratively minimize the errors introduced during the relaxation process until a safety property is satisfied or a counterexample is found. To make the refinement process efficient, we identify the potentially overestimated nodes, i.e., the nodes where inaccuracies introduced during relaxation which can potentially affect the checking of a given safety property, and use off-the-shelf solvers to focus only on those nodes to further tighten their output ranges.

We implement our techniques as part of Neurify, a system for rigorously checking a diverse set of safety properties of neural networks larger than the ones that can be handled by existing techniques. We used Neurify to check six different types of safety properties of nine different networks trained on five different datasets. Our experimental results show that on average Neurify is faster than Reluplex katz2017reluplex and than ReluVal reluval2018 .

Besides formal analysis of safety properties, we believe that our method for efficiently estimating tight and rigorous output ranges of a network for a given input range will also be useful for guiding the training process of robust networks kolter2017provable ; raghunathan2018certified and improving explainability of the decisions made by neural networks shrikumar2017learning ; koh2017understanding ; li2016understanding .

Related work. Several researchers have tried to extend and customize Satisfiability Modulo Theory (SMT) solvers, which have been very successful at verifying different properties of traditional software, for estimating decision boundaries with strong guarantees katz2017reluplex ; katz2017towards ; huang2017safety ; ehlers2017formal ; pulina2010abstraction . Unfortunately, the efficiency of such approaches is severely limited by the high nonlinearity of the resulting formulas.

Different convex or linear relaxation techniques have also been used to strictly approximate the decision boundary of neural networks. While these techniques tend to scale significantly better than solver-based approaches, they suffer from high false positive rates and struggle to find concrete counterexamples demonstrating violations of safety properties kolter2017provable ; raghunathan2018certified ; gehrai . Similarly, existing work on finding lower bounds on the L-norms of adversarial perturbations that can fool a neural network also suffer from the same limitations peck2017lower ; weng2018evaluating .

Recently, ReluVal, by Wang et al. reluval2018 , has used interval arithmetic intervalbook for rigorously estimating a neural network’s decision boundary by computing tight bounds on the outputs of a network for a given input range. While ReluVal achieved significant performance gain over the state-of-the-art solver-based methods katz2017reluplex on networks with a small number of inputs, it struggled to scale to larger networks (see detail discussion in Section 2).

2 Background

We build upon two prior works ehlers2017formal ; reluval2018 on using interval analysis and linear relaxations for analyzing neural networks. We briefly describe them below and refer interested readers to ehlers2017formal ; reluval2018 for more details.

Symbolic interval analysis. Interval arithmetic intervalbook is a flexible and efficient way of rigorously estimating the output ranges of a function given an input range by computing and propagating the output intervals for each operation in the function. However, naive interval analysis suffers from large overestimation errors as it ignores the input dependencies during interval propagations. To minimize such errors, Wang et al. reluval2018 developed symbolic intervals to keep track of dependencies by maintaining linear equations for upper and lower bounds for each ReLU and concretize only for those ReLUs that demonstrate non-linear behavior for the given input interval. Specifically, consider an intermediate ReLU node , where denotes the symbolic representation of the ReLu’s input (i.e., a closed-form equation) and denotes the concrete lower and upper bounds of , respectively. There are three possible output intervals that the ReLU node can produce depending on the bounds of : (1) when , (2) when , or (3) when . Wang et al. will contretize the output intervals for this node only if the third case is feasible as the output in this case cannot be represented using a single linear equation.

Bisection of input features. To further minimize overestimation, reluval2018 also proposed an iterative refinement strategy involving repeated input bisection and output reunion. Consider a network taking -dimensional input, and the -th input feature interval is and network output interval is where . A single bisection on will create two children: and . The reunion of the corresponding output intervals , will be tighter than the original output interval, i.e., , as the Lipschitz continuity of the network ensures that the overestimation error decreases as the width of input interval becomes smaller. However, the efficiency of input bisection decreases drastically as the number of input dimensions increase.

Figure 1: Linear relaxation of a ReLU node.

Linear relaxation. Ehlers et al. ehlers2017formal used linear relaxation of ReLU nodes to strictly approximate the non-linear constraints introduced by the ReLU. The generated linear constraints can then be efficiently solved using a linear solver to get bounds on the the output of a neural network for a given input range. Consider the simple ReLU node taking input with an upper and lower bound and respectively and producing output as shown in Figure 1. Linear relaxation of such a node will use the following three linear constraints: (1) , (2) , and (3) to expand the feasible region to the green triangle from the two original piecewise linear components. The effectiveness of this approach heavily depends on how accurately and can be estimated. Unfortunately, Ehlers et al. ehlers2017formal used naive interval propagation to estimate and leading to a large overestimation error. Furthermore, their approach cannot efficiently refine the estimated bounds and therefore do not benefit from increasing computing power.

3 Approach

Figure 2: Workflow of Neurify to formally analyze safety properties of neural networks.

In this paper, we make two major contributions to scale formal safety analysis to networks significantly larger than those evaluated in prior works katz2017reluplex ; ehlers2017formal ; kolter2017provable ; reluval2018 . First, we combine symbolic interval analysis and linear relaxation (described in Section 2) in a novel way to create a significantly more efficient propagation method–symbolic linear relaxation–that can achieve substantially tighter estimations (evaluated in Section 4). Second, we present a technique for identifying the overestimated intermediate nodes, i.e., the nodes whose outputs are overestimated, during symbolic linear relaxation and propose directed constraint refinement to iteratively refine the output ranges of these nodes. In Section 4, we also show that this method mitigates the limitations of input bisection reluval2018 and scales to larger networks.

Figure 2 illustrates the high-level workflow of Neurify. Neurify takes in a range of inputs and then determines using linear solver whether the output estimation generated by symbolic linear relaxation satisfies the safety proprieties. The property is proven to be satisfied if the solver produces Unsat. Note that a suspicious counterexample found by the solver might be a false positive due to the inaccuracies introduced by the relaxation process. If the solver finds a counterexample, Neurify checks whether it is a false positive. If not, Neurify stops the checking process and produces the counterexample as output. In case of a false positive, Neurify leverages directed constraint refinement guided by symbolic linear relaxation to obtain a tighter output bound and recheck the property with the solver. Once the number of iterative steps reaches a configurable threshold, Neurify will report a timeout along with the current state of the refinement process.

3.1 Symbolic Linear Relaxation

We define a symbolic linear relaxation of the output of each ReLU given the input whose range is bounded by and (). Here denotes the closed-form representation of .

Sepcifically, Equation 1 shows the symbolic linear relaxation where denotes “relax to”. In addition, and denote the concrete lower and upper bound for and , respectively. In supplementary material Section 1.2, we give the detailed proof that this relaxation is the tightest achievable due to its least maximum distance from . In the following discussion, we simplify and as and the corresponding lower and upper bound as . Figure 3 shows the comparison of symbolic relaxation to the concretizations used in symbolic interval analysis described in reluval2018 . The complete comparison and discussion can be found in supplementary material Section 2.


Figure 3: An illustration of symbolic linear relaxation for an intermediate node. (a) Original symbolic interval analysis directly concretizes. (b) Symbolic linear relaxation leverages the knowledge of concrete bounds for and passes relaxed symbolic interval. is the symbolic representation of .

In practice, symbolic linear relaxation can cut (on average) 59.64% more overestimation error than symbolic interval analysis (cf. Section 2) and saves the time needed to prove a property by orders of magnitude (cf. Section 4). Three reasons lead to the outperformance of our symbolic linear relaxation. First, the maximum possible error after introducing relaxations is for upper bound and for lower bound in Figure 3(b) (the proof is in supplementary material Section 1.2). These relaxations are considerably tighter than concretizations shown in Figure 3(a), which introduces the error . Second, symbolic linear relaxation partially keep the input dependencies during interval propagation ( by maintaining symbolic equations, which is completely overlooked by concretizations ( in Figure 3(a)). Third, the final output error is exponential to the error created on each node (proved in supplementary 1.2). Thus the error minimized on earlier nodes can significantly reduce the final output error.

3.2 Directed Constraint Refinement

While using symbolic linear relaxation alone can already give a tight estimation of the output bound for checking safety properties, we develop another generic approach, directed constraint refinement, to further improve the overall performance of property checking. Our empirical results in Section 4 shows the substantial improvement of using this approach combined with symbolic linear relaxation. In the following, we first define overestimated nodes necessary to the following detailed description of directed constraint refinement.

Overestimated nodes. We note that only a small proportion of intermediate ReLU nodes operate in the non-linear region in practice for a given input range , which are the only nodes need to be relaxed (cf. Section 2). We define these nodes, which indeed show non-linear behavior, and overestimation error is thus introduced, as overestimated nodes. We include other useful properties and proofs regarding overestimated nodes in supplementary material Section 1.1.

Based on the definition of overestimated nodes, we define one step of directed constraint refinement as computing the refined output range :


where denotes the input intervals to the network, is the corresponding network, and is the input equation of an overestimated node. Note that here we also simplify the input of a node as a single equation instead of two bounds following Section 3.1.

The refinement runs iteratively by calling underlying efficient linear solver, allowing us to make Neurify more scalable for more difficult safety properties. The convergence analysis is given in supplementary material Section 1.3.

The refinement includes following three steps:

Locating overestimated nodes. From symbolic linear approximation, we can get the sets of overestimated nodes within the network. We then prioritize the overestimated nodes with larger output gradient and refine on this most influential overestimated node. We borrow the idea from reluval2018 of computing the gradient of network output with respect to the input interval of the overestimated node, where the larger gradient value of any particular node signifies the input of that node has a greater influence towards changing the output.

Splitting. After locating the overestimated nodes, we split its input ranges into two independent cases, and where denotes the input equation of target overestimated node. Now, in contrast to symbolic linear relaxation which needs to be relaxed as , neither of the two split cases requires any relaxation as described in Section 2 as the input interval no longer spans 0. Therefore, two tighter approximations of output and can be achieved.

Solving. We solve the resulting linear constraints, along with the constraints defined in safety properties, by instantiating an underlying linear solver. In particular, we define safety property as that the confidence value of outputting targeted class (e.g., a hand-written image should be predicted as 7) is always greater than the outputs of other classes (e.g., outputs other than 7). We thus define the constraints for safety properties as . Here, and are the lower bound equation of and the upper bound equation of got from symbolic linear relaxation. After one step of directed constraint refinement of an overestimated node, the original formal proof of safety properties can be written as following two independent problems shown in Equation 3.


In this process, we invoke the solver in two ways. (1) If the solver tells that both cases are unsatisfiable, then the property is formally proved safe. Otherwise, another step of iterative refinement can be applied for satisfiable cases. (2) If either is satisfiable, then the solution of the linear solver is the case violating the safety properties. Note that the solution is retrieved under the relaxed constraints, and thus may be the false positive. We thus resort to directly executing the computed input solution. If the solution is not violating the property, we repeat the above process for another overestimated node (cf. Figure 2).

3.3 Safety Properties

In this work, we support checking diverse safety properties of networks including five classes of properties based on the input constraints. Particularly, we specify the safety properties of neural network based on defining constraints on its input-output. For example, as briefly mentioned in Section 3.1, we specify the output of the network on input should not change (i.e., remain invariant) when is allowed to vary in a certain range . For output constraints, take classification network as an example, we define the output invariance by specifying the difference greater than 0 between lower and upper bound of confidence value of the original class of the input and other classes. For specifying input constraints, we consider three popular bounds, i.e., , , and

, which are widely employed in the literature of adversarial machine learning 

goodfellow2014explaining . These three bounds allow for arbitrary perturbation of the input features as long as the corresponding norms of overall perturbation is not beyond a certain threshold. In addition to these arbitrary perturbations, we consider two specific perturbations that change brightness and contrast as discussed in pei2017towards . Properties specified using are the most straightforward fit into the scope of our symbolic linear relaxation where each input features are bounded into an interval. For properties specified in or , we need one more constraint for , or for , which are no longer linear. We leverage the solver that supports quadratic constraints to handle these cases (see details in Section 4). For changing brightness and contrast, they can be efficiently solved by iteratively bisecting input nodes simultaneously as . Here is the objective function of a certain safety property.

4 Experiments

Implementation. We implement Neurify in about 26,000 lines of C code. We use the highly optimized OpenBLAS111 library for matrix multiplication and lp_solve 5.5222 for solving the linear constraints generated during the directed constraint refinement process. Gurobi 8.0.0 solver is used for bound safety properties. All our evaluations were performed on a Linux server running Ubuntu 16.04 with 8 CPU cores and 256GB memory. Besides, Neurify uses many optimization algorithms like threads rebalancing for parallelization and outward rounding. Details of optimizations can be found in supplementary material Section 3.

Dataset Models
# of
Safe Violated Timeout
Xu julian2016policy
ACAS Xu 300
<5, 50, 50, 50,
50, 50, 50, 5>
in reluval2018
141 37 0
MNIST lecun1998mnist MNIST_FC1 48 <784, 24, 24, 10> 267 233 0
MNIST_FC2 100 <784, 50, 50, 10> 271 194 35
MNIST_FC3 1024 <784, 512, 512, 10> 322 41 137
<784, k:16*4*4 s:2,
k:32*4*4 s:2, 100, 10>
91 476 233
Drebin arp2014drebin Drebin_FC1 100 <545334, 50, 50, 2> C.P. in pei2017deepxplore 458 21 21
Drebin_FC2 210 <545334, 200, 10, 2> 437 22 41
Drebin_FC3 400 <545334, 200, 200, 2> 297 27 176
Car dave2016 DAVE 10276
<30000, k:24*5*5 s:5,
k:36*5*5 s:5, 100, 10>
80 82 58
* Custom properties.
# <

> denotes hidden layers with x neurons in first layer, y neurons in second layer, etc.

+ denotes the output channel (), kernel width (), height (

) and stride (

Table 1: Details of evaluated networks and related safety properties. The last three columns summarize the number of safety properties that are satisfied, violated, and timed out for the corresponding networks as found by Neurify with a timeout threshold of 3600 seconds.

4.1 Properties Checked by Neurify for Each Model

Summary. To evaluate the performance of Neurify, we test it on nine models trained over five datasets for different tasks where each type of model includes multiple concrete architectures. Specifically, we evaluate on fully connected ACAS Xu models julian2016policy , three fully connected Drebin models arp2014drebin , three fully connected MNIST models lecun1998mnist , one convolutional MNIST model kolter2017provable , and one convolutional self-driving car model dave2016 . Table reftab:summary summarizes the detailed structures of these models. We include more detailed description in supplementary material Section 4. All the networks closely follow the publicly known settings and are either pre-trained or trained offline to achieve comparable performance to the real-world models on these datasets.

We also summarize the safety properties checked by Neurify in Table 1 with timeout threshold set to 3600 seconds. Here we report the result of the self-driving care model (DAVE) to illustrate how we define the safety properties and the numbers of safe and violated properties. We report the other results in supplementary material Section 5.

1 2 5 8 10
Safe(%) 50 10 0 0 0
Violated(%) 0 20 70 100 100
Timeout(%) 50 70 30 0 0
100 200 300 500 700
Safe(%) 100 100 10 10 0
Violated(%) 0 0 40 50 60
Timeout(%) 0 0 50 40 40
10 70 80 90 100
Safe(%) 100 30 20 10 10
Violated(%) 0 30 50 60 70
Timeout(%) 0 40 30 30 20
0.2 0.5 0.99 1.01 2.5
Safe(%) 0 10 100 100 0
Violated(%) 70 20 0 0 50
Timeout(%) 30 70 0 0 50
Table 2: Different safety properties checked by Neurify out of 10 random images on Dave within 3600 seconds.

Dave. We show that Neurify is the first formal analysis tool that can systematically check different safety properties for a large (over 10,000 ReLUs) convolutional self-driving car network, Dave dave2016 ; bojarski2016end . We use the dataset from Udacity self-driving car challenge containing 101,396 training and 5,614 testing samples udacitychallenge2016 . Our model’s architecture is similar to the DAVE-2 self-driving car architecture from NVIDIA bojarski2016end ; dave2016 and it achieves similar 1-MSE as models used in pei2017deepxplore . We formally analyze the network with inputs bounded by , , brightness, and contrast as described in Section 3.3. We define the safe range of deviation of the output steering direction from the original steering angle to be less than 30 degrees. The detailed number of cases Neurify can prove are shown in Table 2.

4.2 Comparisons with Other Formal Checkers

Source Props Reluplex (sec) ReluVal (sec) Neurify (sec) () ()
Security Properties from katz2017reluplex 443,560.73* 14,603.27 458.75
123,420.40 117,243.26 16491.83 8
35,040.28 19,018.90 600.64 58.33
13,919.51 441.97 54.56 255
23,212.52 216.88 21.378 1086
220,330.82 46.59 1.48 148872
86400.00* 9,240.29 563.55 154
43,200.01 40.41 33.17 1302
116,441.97 15,639.52 921.06 126.42
23,683.07 10.94 1.16 20416.38
Additional Security Properties 4,394.91 27.89 0.62 7089
2,556.28 0.104 0.13 19664
172,800.00* 148.21 38.11 4534
172,810.86* 288.98 22.87 7556
31,328.26 876.8 91.71 342
* Reluplex uses different timeout thresholds for different properties.
** Reluplex returns spurious counterexamples on two safe networks due to a rounding bug and ends
Table 3: Performance comparison of Neurify, Reluplex, and ReluVal while checking different safety properties of ACAS Xu. to are the properties tested in katz2017reluplex . to are the additional properties tested in reluval2018 .

ACAS Xu. Unmanned aircraft alert systems (ACAS Xu) kochenderfer2012next are networks advising decisions for aircraft, which is on schedule to be installed in over 30,000 passengers and cargo aircraft worldwide ACASXTech and US Navy’s fleets MQ-4C . It is comparably small and only has five input features so that ReluVal reluval2018 can efficiently check different safety properties. However, its performance still suffers from the loose estimation of output ranges due to the concretizations introduced during symbolic interval analysis. Neurify leverages symbolic linear relaxation and achieves on average 20 better performance than ReluVal reluval2018 and up to 5,000 better performance than Reluplex katz2017reluplex . In Table 3, we summarize the time and speedup of Neurify compared to ReluVal and Reluplex for all the properties tested in katz2017reluplex ; reluval2018 .

Figure 4: As we increase the bounds of the safety property, the number of cases ReluVal and Reluplex can prove quickly decreases while Neurify clearly outperforms both of them. We use 50 randomly selected imaged for each property and set the timeout to 1,200 seconds.

MNIST_FC. The MNIST networks are significantly more inputs than ACAS Xu. It has 784 input features and ReluVal always times out when the analyzed input ranges become larger (). We measure the performance of Neurify on fully connected layer MNIST models MNIST_FC1, MNIST_FC2 and MNIST_FC3 and compare the cases that can be proved to be safe or a counterexample can be found by ReluVal and Reluplex in Figure 4. Due to the low efficiency of Reluplex and ReluVal, we set 1,200 seconds as the timeout threshold. The result shows that Neurify constantly outperforms the other two, especially when increasing the bound where the percentage of properties that the other two can prove quickly decreases.

4.3 Benefits of Each Technique

MNIST_FC1 111.87 52.22 114.23
MNIST_FC2 230.27 101.72 126.38
MNIST_FC3 1271.19 624.27 103.63
* Naive Interval Arithmetic
** Symbolic Linear Relaxation
Table 4: The average width of output ranges on three MNIST models of 100 random images where each has five different .

Symbolic Linear Relaxation (SLR). We compare the width of estimated output ranges computed by naive interval arithmetic reluval2018 and symbolic linear relaxation on MNIST_FC1, MNIST_FC2, MNIST_FC3 and summarize the average output widths in Table 4. The experiments are based on 100 images each bounded by (). The results indicate that SLR in Neurify can tighten the output intervals by at least 100%, which significantly speeds up performance.

Properties SLR SLR + DCR Improve
0 0 0
2 1 1
6 0 6
18 5 13
58 12 46
100 90 10
100 80 20
100 45 55
Table 5: The timeout cases out of 100 random images generated while using symbolic linear relaxation alone and together with directed constraint refinement. These results are computed on MNIST_CN model bounded by (). The last column shows the number of additional cases checked while using directed constraint refinement.

Directed Constraint Refinement (DCR). To illustrate how DCR can improve the overall performance when combined with SLR, we evaluate Neurify on MNIST_CN and measure the number of timeout cases out of 100 random images when using symbolic linear relaxation alone and combining it with directed constraint refinement. Table 5 shows that SLR combined with DCR can prove 18.88% more cases on average than those using SLR alone .

5 Conclusion

We designed and implemented Neurify, an efficient and scalable platform for checking safety properties of real-world neural networks and providing concrete counterexamples. We propose symbolic linear relaxation to compute a tight over-approximation of a network’s output for a given input range and use directed constraint refinement to further refine the bounds using linear solvers. Our extensive empirical results covering a broad spectrum of real-world applications demonstrate that Neurify outperforms state-of-the-art formal analysis systems providing similar functionality by multiple orders of magnitude.