Formal Verification of Piece-Wise Linear Feed-Forward Neural Networks [chapter]

Rüdiger Ehlers
2017 Lecture Notes in Computer Science  
We present an approach for the verification of feed-forward neural networks in which all nodes have a piece-wise linear activation function. Such networks are often used in deep learning and have been shown to be hard to verify for modern satisfiability modulo theory (SMT) and integer linear programming (ILP) solvers. The starting point of our approach is the addition of a global linear approximation of the overall network behavior to the verification problem, which helps with SMT-like reasoning over the network behavior. We present a specialized verification algorithm that employs this approximation in a search process in which it infers additional node phases for the non-linear nodes in the network from partial node phase assignments, similar to unit propagation in classical SAT solving. We also show how to infer additional conflict clauses and safe node fixtures from the results of the analysis steps performed during the search. The resulting approach is evaluated on collision avoidance and handwritten digit recognition case studies.

on safety cases would help with certification and also provides valuable feedback to the system engineer.

Verifying formal properties of feed-forward neural networks is a challenging task. Pulina and Tacchella [PT10] present an approach for neurons with non-linear activation functions that only scales to small networks. In their work, they use networks with 6 nodes, which are far too few for most practical applications. They combine counterexample-triggered abstraction refinement with satisfiability modulo theory (SMT) solving. Scheibler et al. [SWWB15] consider the bounded model checking problem for an inverse pendulum control scenario with non-linear system dynamics and a non-linear neuron activation function. Despite employing the state-of-the-art SMT solver iSAT3 [SNM+16], and even extending this solver to deal better with the resulting problem instances, their experiments show that the resulting verification problem is already challenging for neural networks with 26 nodes. In deep learning [Sch15], many works use networks whose nodes have piece-wise linear activation functions. This choice has the advantage that such networks are more amenable to formal verification, for example using SMT solvers with the theory of linear real arithmetic, without the need to perform abstract interpretation.
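To make the idea of a linear approximation concrete, consider a minimal sketch (not the paper's implementation): for a ReLU node y = max(0, x) whose input is known to lie in an interval [l, u] with l < 0 < u, a standard linear over-approximation consists of the three constraints y >= 0, y >= x, and y <= u·(x - l)/(u - l). The following Python snippet checks that every exact ReLU input/output pair satisfies this relaxation; the bounds -2 and 3 are arbitrary illustrative values.

```python
def relu_relaxation(l, u):
    """Return three linear constraints over-approximating y = max(0, x)
    for inputs x in [l, u] with l < 0 < u.  Each constraint is a
    predicate taking (x, y)."""
    assert l < 0 < u
    slope = u / (u - l)  # slope of the upper bounding line
    return [
        lambda x, y: y >= 0,                # y is never negative
        lambda x, y: y >= x,                # y dominates the identity
        lambda x, y: y <= slope * (x - l),  # line through (l, 0) and (u, u)
    ]

# Every exact ReLU point (x, max(0, x)) must satisfy all three constraints.
constraints = relu_relaxation(-2.0, 3.0)
for i in range(-20, 30):
    x = i / 10.0
    y = max(0.0, x)
    assert all(c(x, y) for c in constraints)
```

The relaxation is what allows linear reasoning over the whole network before any node phase has been fixed; points outside the triangle (e.g. x = 0, y = 1.5 here) are excluded without branching.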
In such an approach, the solver chooses the phases of (some of) the nodes and then applies a linear-programming-like sub-solver to check whether there exist concrete real-valued inputs to the network such that all nodes have the selected phases. The node phases represent which part of the piece-wise linear activation function is used for each node. It has been observed that the SMT instances stemming from such an encoding are very difficult for modern SMT solvers, as they need to iterate through many such phase combinations before a problem instance is found to be satisfiable or unsatisfiable [KBD+17, PT12]. Due to the practical importance of verifying piece-wise linear feed-forward neural networks, this observation calls for a specialized approach.

Huang et al. [HKWW17] describe such an approach, based on propagating constraints through the layers of a network. The constraints encode regions of the input space of each layer all of whose points lead to the same overall classification by the network. Their approach is partially based on discretization and focuses on robustness testing, i.e., determining the extent to which the input can be altered without changing the classification result. They do not support general verification properties. Bastani et al. [BIL+16] also target robustness testing and define an abstraction-refinement constraint-solving loop to test a network's robustness against adversarial perturbations. They also employ the counterexamples that their approach finds to learn more robust networks. Katz et al. [KBD+17] provide an alternative approach that makes it possible to check the input/output behavior of a neural network with linear and so-called ReLU nodes against convex specifications. Many modern network architectures employ these nodes.
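The phase-inference idea can be illustrated with a simple sketch (purely illustrative, not the paper's algorithm): propagating interval bounds through a linear layer fixes the phase of any ReLU node whose input interval does not straddle zero, and only the remaining "open" nodes require branching, much like unit propagation narrows a SAT search.

```python
def infer_relu_phases(weights, biases, input_box):
    """Propagate interval bounds through one linear layer followed by
    ReLU nodes, and report each node's phase:
    'active' (identity), 'inactive' (constant 0), or 'open' (must branch).
    weights: list of rows; biases: list; input_box: list of (lo, hi)."""
    phases = []
    for row, b in zip(weights, biases):
        lo = b + sum(w * (l if w >= 0 else h) for w, (l, h) in zip(row, input_box))
        hi = b + sum(w * (h if w >= 0 else l) for w, (l, h) in zip(row, input_box))
        if lo >= 0:
            phases.append("active")    # input provably non-negative
        elif hi <= 0:
            phases.append("inactive")  # input provably non-positive
        else:
            phases.append("open")      # phase cannot be inferred yet
    return phases

# One layer with three ReLU nodes over inputs (x1, x2) in [0, 1] x [-1, 1].
W = [[1.0, 0.0], [-1.0, -1.0], [1.0, 1.0]]
b = [0.0, -1.5, 0.0]
print(infer_relu_phases(W, b, [(0.0, 1.0), (-1.0, 1.0)]))
# → ['active', 'inactive', 'open']
```

Only the third node's phase remains to be chosen by the search; the other two are fixed without enumerating any phase combination.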
They present a modification of the simplex algorithm for solving linear programs that can also deal with the constraints imposed by ReLU nodes, and they show that their approach scales orders of magnitude better than applying the SMT solvers MathSAT or Yices to SMT instances generated from the verification problems. Modern neural network architectures, especially those for image recognition, however, often employ another type of neural network node that the approach by Katz et al. does not support: MaxPool nodes. These nodes determine the strongest signal among their input neurons, and they are crucial for feature detection in complex machine learning tasks. In order to support the verification of safety cases for machine learning applications that make use of this node type, it is thus important to have verification approaches that can operate efficiently on networks with such nodes, without the need to simulate MaxPool nodes by encoding their behavior into a much larger number of ReLU nodes.

In this paper, we present an approach to verify neural networks with piece-wise linear activation functions against convex specifications. The approach supports all node types used in modern network architectures that only employ piece-wise linear activation functions (such as MaxPool and ReLU nodes). The approach is based on combining satisfiability (SAT) solving and linear programming.
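The MaxPool simulation mentioned above can be sketched as follows (an illustrative construction, not a claim about any particular tool): using the identity max(a, b) = a + ReLU(b - a), an n-input MaxPool node can be rewritten as a chain of n - 1 ReLU nodes, which is exactly the kind of node blowup that native MaxPool support avoids.

```python
def relu(x):
    return max(0.0, x)

def maxpool_via_relu(values):
    """Simulate an n-input MaxPool using only ReLU nodes, via the
    identity max(a, b) = a + ReLU(b - a).  Returns the pooled value
    and the number of ReLU nodes the simulation needed (n - 1)."""
    acc = values[0]
    relus_used = 0
    for v in values[1:]:
        acc = acc + relu(v - acc)  # acc becomes max(acc, v)
        relus_used += 1
    return acc, relus_used

out, n_relus = maxpool_via_relu([-1.5, 3.0, 0.25, 2.0])
print(out, n_relus)  # → 3.0 3
```

A single 2x2 pooling window thus already costs three extra ReLU nodes per output, and each of those nodes adds a phase the solver may have to branch on, which is why handling MaxPool nodes directly matters for scalability.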
doi:10.1007/978-3-319-68167-2_19