Safety verification for deep neural networks

Similar documents
Safety verification for deep neural networks

Deep Learning for Computer Vision II

Deep Learning. Vladimir Golkov Technical University of Munich Computer Vision Group

Deep Learning for Embedded Security Evaluation

An Abstract Domain for Certifying Neural Networks. Department of Computer Science

COMP 551 Applied Machine Learning Lecture 16: Deep Learning

Vulnerability of machine learning models to adversarial examples

CMU Lecture 18: Deep learning and Vision: Convolutional neural networks. Teacher: Gianni A. Di Caro

Perceptron: This is convolution!

INF 5860 Machine learning for image classification. Lecture 11: Visualization Anne Solberg April 4, 2018

All You Want To Know About CNNs. Yukun Zhu

Deep Learning with Tensorflow AlexNet

CS 2750: Machine Learning. Neural Networks. Prof. Adriana Kovashka University of Pittsburgh April 13, 2016

Dynamic Routing Between Capsules

Transfer Learning. Style Transfer in Deep Learning

Deep Learning. Architecture Design for. Sargur N. Srihari

Is Bigger CNN Better? Samer Hijazi on behalf of IPG CTO Group Embedded Neural Networks Summit (enns2016) San Jose Feb. 9th

Countering Adversarial Images using Input Transformations

Global Optimality in Neural Network Training

Natural Language Processing CS 6320 Lecture 6 Neural Language Models. Instructor: Sanda Harabagiu

Restricted Boltzmann Machines. Shallow vs. deep networks. Stacked RBMs. Boltzmann Machine learning: Unsupervised version

Dropout. Sargur N. Srihari This is part of lecture slides on Deep Learning:

Adversarial Examples in Deep Learning. Cho-Jui Hsieh Computer Science & Statistics UC Davis

Machine Learning With Python. Bin Chen Nov. 7, 2017 Research Computing Center

Proving that safety-critical neural networks do what they're supposed to!

Capsule Networks. Eric Mintun

Machine Learning. Deep Learning. Eric Xing (and Pengtao Xie) , Fall Lecture 8, October 6, Eric CMU,

Deep Learning Cook Book

Deep Learning and Its Applications

arxiv: v1 [cs.cv] 17 Nov 2016

Alternatives to Direct Supervision

Inception Network Overview. David White CS793

Machine Learning 13. week

Artificial Neural Networks. Introduction to Computational Neuroscience Ardi Tampuu

COMP9444 Neural Networks and Deep Learning 7. Image Processing. COMP9444 c Alan Blair, 2017

Machine Learning. MGS Lecture 3: Deep Learning

DECISION TREES & RANDOM FORESTS X CONVOLUTIONAL NEURAL NETWORKS

Convolutional Neural Networks. Computer Vision Jia-Bin Huang, Virginia Tech

ECE 6504: Deep Learning for Perception

CENG 783. Special topics in. Deep Learning. AlchemyAPI. Week 11. Sinan Kalkan

Neural Networks for Machine Learning. Lecture 15a From Principal Components Analysis to Autoencoders

Machine Learning. The Breadth of ML Neural Networks & Deep Learning. Marc Toussaint. Duy Nguyen-Tuong. University of Stuttgart

Unsupervised Learning

Deep Learning Based Real-time Object Recognition System with Image Web Crawler

INTRODUCTION TO DEEP LEARNING

Know your data - many types of networks

Computer Vision Lecture 16

Classification of objects from Video Data (Group 30)

6. Convolutional Neural Networks

Study of Residual Networks for Image Recognition

3D model classification using convolutional neural network

Neural Networks for unsupervised learning From Principal Components Analysis to Autoencoders to semantic hashing

COMP9444 Neural Networks and Deep Learning 5. Geometry of Hidden Units

Structured Prediction using Convolutional Neural Networks

Applying Machine Learning to Real Problems: Why is it Difficult? How Research Can Help?

Inception and Residual Networks. Hantao Zhang. Deep Learning with Python.

Face Recognition A Deep Learning Approach

ADAPTIVE DATA AUGMENTATION FOR IMAGE CLASSIFICATION

CSE 559A: Computer Vision

Residual Networks And Attention Models. cs273b Recitation 11/11/2016. Anna Shcherbina

Convolution Neural Networks for Chinese Handwriting Recognition

Learning to Match. Jun Xu, Zhengdong Lu, Tianqi Chen, Hang Li

Vulnerability of machine learning models to adversarial examples

Autoencoders. Stephen Scott. Introduction. Basic Idea. Stacked AE. Denoising AE. Sparse AE. Contractive AE. Variational AE GAN.

Novel Lossy Compression Algorithms with Stacked Autoencoders

Incremental Runtime Verification of Probabilistic Systems

Deep Neural Networks:

Deep Learning for Computer Vision with MATLAB By Jon Cherrie

Index. Springer Nature Switzerland AG 2019 B. Moons et al., Embedded Deep Learning,

CNN Basics. Chongruo Wu

CS6220: DATA MINING TECHNIQUES

END-TO-END CHINESE TEXT RECOGNITION

Deep Learning Workshop. Nov. 20, 2015 Andrew Fishberg, Rowan Zellers

ImageNet Classification with Deep Convolutional Neural Networks

Semantic Segmentation. Zhongang Qi

Introduction to Neural Networks

Day 3 Lecture 1. Unsupervised Learning

Logical Rhythm - Class 3. August 27, 2018

Introduction to Neural Networks

Plankton Classification Using ConvNets

CS 1674: Intro to Computer Vision. Neural Networks. Prof. Adriana Kovashka University of Pittsburgh November 16, 2016

Improving the way neural networks learn Srikumar Ramalingam School of Computing University of Utah

The exam is closed book, closed notes except your one-page (two-sided) cheat sheet.

Lecture 2 Notes. Outline. Neural Networks. The Big Idea. Architecture. Instructors: Parth Shah, Riju Pahwa

Linear Models. Lecture Outline: Numeric Prediction: Linear Regression. Linear Classification. The Perceptron. Support Vector Machines

Using Machine Learning for Classification of Cancer Cells

Spatial Localization and Detection. Lecture 8-1

Lab meeting (Paper review session) Stacked Generative Adversarial Networks

Deep neural networks II

Fuzzy Set Theory in Computer Vision: Example 3, Part II

Predictive Analytics: Demystifying Current and Emerging Methodologies. Tom Kolde, FCAS, MAAA Linda Brobeck, FCAS, MAAA

Application of Convolutional Neural Network for Image Classification on Pascal VOC Challenge 2012 dataset

Deep Generative Models Variational Autoencoders

Report: Privacy-Preserving Classification on Deep Neural Network

Akarsh Pokkunuru EECS Department Contractive Auto-Encoders: Explicit Invariance During Feature Extraction

Bilinear Models for Fine-Grained Visual Recognition

MoonRiver: Deep Neural Network in C++

arxiv: v1 [cs.cv] 20 Dec 2016

Neural Networks. CE-725: Statistical Pattern Recognition Sharif University of Technology Spring Soleymani

Octree Generating Networks: Efficient Convolutional Architectures for High-resolution 3D Outputs Supplementary Material

Transcription:

Safety verification for deep neural networks Marta Kwiatkowska Department of Computer Science, University of Oxford UC Berkeley, 8 th November 2016

Setting the scene Deep neural networks have achieved impressive results can match human perception ability Many potential uses e.g. object classification in perception software Machine learning software - not clear how it works - does not offer rigorous guarantees - yet end-to-end solutions are being considered 2

Motivating example Street sign Deep neural network employed as a perception module of an autonomous car must be resilient to image imperfections, change of camera angle, weather, lighting conditions, 3

Motivating example Street sign Birdhouse Deep neural network employed as a perception module of an autonomous car must be resilient to image imperfections, change of camera angle, weather, lighting conditions, 4

Deep neural networks can be fooled! They are unstable wrt adversarial perturbations often imperceptible changes to the image [Szegedy et al 2014] sometimes artificial white noise potential security risk Substantial growth in techniques to evaluate robustness variety of robustness measures, different from risk [Vapnik 91] tools DeepFool [CVPR 16] and constraint-based [NIPS 16] This talk: focus on safety and automated verification framework visible and human-recognisable perturbations should not result in class changes tool DLV based on Satisfiability Modulo Theory https://128.84.21.199/abs/1610.06940 5

Deep feed-forward neural network Convolutional multi-layer network http://cs231n.github.io/convolutional-networks/#conv 6

Problem setting Assume vector spaces D L0, D L1,, D Ln, one for each layer f : D L0 {c 1, c k } classifier function modelling human perception ability then multi-layer neural network f : D L0 {c 1, c k } approximates f from M training examples {(x i,c i )} i=1..m Notation for point (image) x D L0, call α x,k its activation in layer k overload α x,n = α y,n to mean x and y have the same class Common assumption each point x D L0 in the input layer has a region η around it such that all points in η classify the same as x Pointwise robustness f is not robust at point x if y η such that f (x) f (y) 7

Automated verification framework Require a specification adopt the human classifier f as the ideal specification work with pointwise robustness as a safety criterion and decidable procedure to perform exhaustive search but region η can be infinite constraint systems do not scale, cf 6 neurons [CAV 10] nonlinearity implies need for approximation using convex optimisation, no guarantee of precise adversarial examples Our approach focus on safety wrt a set of manipulations, requiring invariance propagate verification layer by layer, i.e. need to assume for each activation α x,k in layer k there is a region η(α x,k ) dimensionality reduction by focusing on features 8

Multi-layer (feed-forward) neural network Require mild conditions on region η k and ψ k mappings 9

Mapping forward and backward Can compute region η k (α x,k ) forward via activation function Back, use inverse of activation function 10

Manipulations Consider a family k of operators δ k : D Lk D Lk that perturb activations in layer k, incl. input layer think of scratches, weather conditions, camera angle, etc classification should be invariant wrt such manipulations Intuitively, safety of network N at a pointxwrt the region η k (α x,k ) and set of manipulations k means that perturbing activation α x,k by manipulations from k will not result in a class change Note that manipulations can be defined by user and wrt different norms made specific to each layer, and applied directly on features, i.e. subsets of dimensions 11

Ensuring region coverage Fix point x and region η k (α x,k ) Want to perform exhaustive search of the region for adversarial manipulations if found, use to fine-tunethe network and/or show to human tester else, region is safe wrt the specified manipulations Methodology discretise the region cover the region with ladders that are complete and covering show 0-variation, i.e. explore nondeterministically and iteratively all paths in the tree of ladders, counting the number of misclassifications after applying manipulations search is exhaustive if we have minimality of manipulations, e.g. unit steps 12

Covering region with ladders NB related work considers approximate, deterministicand non-iterative manipulations that are not covering 13

Layer-by-layer analysis In deep neural networks linearity increases with deeper layers Naïve search intractable: work with features Propagate analysis, starting from a given layer k: Determine regionη k (α x,k ) from region η k-1 (α x,k-1 ) map forward using activation function NB each activation at layer k arises from a subset of dimensions at layer k-1 check forward/backward mapping conditions (SMT-expressible) Refinemanipulations in k-1, yielding k consider more points as the analysis progresses into deeper layers If safety wrtη k (α x,k ) and k is verified, continueto layer k+1, else report adversarial example 14

Layer-by-layer analysis Framework ensures that safety wrt η k (α x,k ) and k implies safety wrt η k-1 (α x,k-1 ) and k-1 If manipulations are minimal, then can deduce safety (= pointwise robustness) of the region at x But adversarial examples at layer k can be spurious, i.e. need to check if they are adversarial examples at the input layer NB employ various heuristics for scalability explore manipulations of a subset of most extremedimensions, which encode more explicit knowledge employ additional precision parameter to avoid overly small spans 15

Features The layer-by-layer analysis is finite, but regions η k (α x,k ) are high-dimensional exhaustive analysis impractical We exploit decomposition into features, assuming their independence and low-dimensionality natural images form high-dimensional tangled manifold, which embeds tangled manifolds that represent features classification separates these manifolds By assuming independence of features, reduceproblem of size O(2 d1+..+dn ) to set of smaller problems O(2 d1 ), O(2 dn ) e.g. compute regions and 0-variation wrt to features analysis discovers features automatically through hidden layer analysis 16

Implementation Implement the techniques using SMT (Z3) for layer-by-layer analysis, use linear real arithmetic with existential and universal quantification within the layer (0-variation), use as above but without universal quantification Euclidean norm, but can be adapted to other norms We work with one point at a time, rather than activation functions, but computation is exact constraint system for sigmoid requires approximation (not scalable) [Pulina et al, CAV 10] ReLU can be approximated by linear programming (more scalable) [Bastani, NIPS 16] Main challenge: how to define meaningful regions and manipulations but adversarial examples can be found quickly 17

Example: input layer x Small point classification network, 8 manipulations 18

Example: 1 st hidden layer Refined manipulations, adversarial example found 19

MNIST example 8 0 28x28 image size, one channel, medium size network (12 layers, Conv, ReLU, FC and softmax) 20

Another MNIST example 6 5 28x28 image size, one channel, medium size network (12 layers, Conv, ReLU, FC and softmax) 21

CIFAR-10 example ship ship truck 32x32 image size, 3 channels, medium size network (Conv, ReLU, Pool, FC, dropout and softmax) Working with 1 st hidden layer, project back to input layer 22

ImageNet example Street sign Birdhouse 224x224 image size, 3 channels, 16 layers, state-of-theart network, (Conv, ReLU, Pool, FC, zero padding, dropout and softmax) Work with 20,000 dimensions (of 3m), unsafefor 2 nd layer 23

ImageNet example 224x224 image size, 3 channels, 16 layers, state-of-theart network, (Conv, ReLU, Pool, FC, zero padding, dropout and softmax) Reported safe for 20,000 dimensions 24

Another ImageNet example Boxer Rhodesian ridgeback 224x224 image size, 3 channels, 16 layers, state-of-theart network, (Conv, ReLU, Pool, FC, zero padding, dropout and softmax) Work with 20,000 dimensions 25

Yet another ImageNet example Labrador retriever Lifeboat 224x224 image size, 3 channels, 16 layers, state-of-theart network, (Conv, ReLU, Pool, FC, zero padding, dropout and softmax) Work with 20,000 dimensions 26

Conclusion First framework for safety verification of deep neural networks formulated and implemented Method safety parameterised by region and set of manipulations based on exhaustive search, akin to explicit model checking propagation of analysis into deeper layers heuristics to improve scalability adversarial examples found quickly Future work how best to use adversarial examples: training vs logic symbolic methods? abstraction-refinement? more complex properties? 27

Acknowledgements My group and collaborators in this work Project funding ERC Advanced Grant EPSRC Mobile Autonomy Programme Grant Oxford Martin School, Institute for the Future of Computing See also www.veriware.org PRISM www.prismmodelchecker.org 28

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback