Publication | Open Access
AI2: Safety and Robustness Certification of Neural Networks with Abstract Interpretation
798
Citations
30
References
2018
Year
Unknown Venue
Artificial IntelligenceEngineeringMachine LearningNeural Networks (Machine Learning)VerificationAi FoundationAi SafetyRobustness (Computer Science)Intelligent SystemsSoftware AnalysisFormal VerificationSocial SciencesAi ReliabilitySystems EngineeringAi Safety EducationRobustness CertificationAbstract InterpretationComputer ScienceNeural Networks (Computational Neuroscience)Neural NetworksDeep LearningDeep Neural NetworksTrustworthy AiAutomated ReasoningConvolutional Neural NetworksFormal MethodsMathematical FoundationsSafe Artificial Intelligence
We present AI <sup xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">2</sup> , the first sound and scalable analyzer for deep neural networks. Based on overapproximation, AI <sup xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">2</sup> can automatically prove safety properties (e.g., robustness) of realistic neural networks (e.g., convolutional neural networks). The key insight behind AI <sup xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">2</sup> is to phrase reasoning about safety and robustness of neural networks in terms of classic abstract interpretation, enabling us to leverage decades of advances in that area. Concretely, we introduce abstract transformers that capture the behavior of fully connected and convolutional neural network layers with rectified linear unit activations (ReLU), as well as max pooling layers. This allows us to handle real-world neural networks, which are often built out of those types of layers. We present a complete implementation of AI <sup xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">2</sup> together with an extensive evaluation on 20 neural networks. Our results demonstrate that: (i) AI <sup xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">2</sup> is precise enough to prove useful specifications (e.g., robustness), (ii) AI <sup xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">2</sup> can be used to certify the effectiveness of state-of-the-art defenses for neural networks, (iii) AI <sup xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">2</sup> is significantly faster than existing analyzers based on symbolic analysis, which often take hours to verify simple fully connected networks, and (iv) AI <sup xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">2</sup> can handle deep convolutional networks, which are beyond the reach of existing methods.
| Year | Citations | |
|---|---|---|
Page 1
Page 1