Neural Networks, Secure by Construction - An Exploration of Refinement Types

We present StarChild and Lazuli, two libraries which leverage refinement types to verify neural networks, implemented in F∗ and Liquid Haskell. Refinement types are types augmented, or refined, with assertions about values of that type, e.g., "integers greater than five", which are checked by an SMT solver. Crucially, these assertions are written in the language itself. A user of our library can refine the type of neural networks, e.g., "neural networks which are robust against adversarial attacks", and expect F∗ to handle the verification of this claim for any specific network, without having to change the representation of the network, or even having to learn about SMT solvers. Our initial experiments indicate that our approach could greatly reduce the burden of verifying neural networks. Unfortunately, they also show that SMT solvers do not scale to the sizes required for neural network verification.

[1]  Leonardo Mendonça de Moura,et al.  Solving non-linear arithmetic , 2012, ACCA.

[2]  Martín Abadi,et al.  TensorFlow: Large-Scale Machine Learning on Heterogeneous Distributed Systems , 2016, ArXiv.

[3]  Clark W. Barrett,et al.  The SMT-LIB Standard Version 2.0 , 2010 .

[4]  Stefan Wermter,et al.  Continual Lifelong Learning with Neural Networks: A Review , 2019, Neural Networks.

[5]  Marta Z. Kwiatkowska Safety Verification for Deep Neural Networks with Provable Guarantees (Invited Paper) , 2019, CONCUR.

[6]  Erik Poll,et al.  Adversarial Examples - A Complete Characterisation of the Phenomenon , 2018, ArXiv.

[7]  Joan Bruna,et al.  Intriguing properties of neural networks , 2013, ICLR.

[8]  Francisco Eiras,et al.  PaRoT: A Practical Framework for Robust Deep Neural Network Training , 2020, NFM.

[9]  Rupak Majumdar,et al.  Proceedings of the 43rd Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages , 2016, POPL 2016.

[10]  Nikolaj Bjørner,et al.  Z3: An Efficient SMT Solver , 2008, TACAS.

[11]  Petros Maragos,et al.  Detecting Adversarial Examples in Convolutional Neural Networks , 2018, ArXiv.

[12]  Timon Gehr,et al.  An abstract domain for certifying neural networks , 2019, Proc. ACM Program. Lang..

[13]  Jonathon Shlens,et al.  Explaining and Harnessing Adversarial Examples , 2014, ICLR.

[14]  Mislav Balunovic,et al.  DL2: Training and Querying Neural Networks with Logic , 2019, ICML.

[15]  W. Pitts,et al.  A Logical Calculus of the Ideas Immanent in Nervous Activity (1943) , 2021, Ideas That Created the Future.

[16]  Mykel J. Kochenderfer,et al.  The Marabou Framework for Verification and Analysis of Deep Neural Networks , 2019, CAV.

[17]  Min Wu,et al.  Safety Verification of Deep Neural Networks , 2016, CAV.

[18]  Bruno Dutertre,et al.  A Fast Linear-Arithmetic Solver for DPLL(T) , 2006, CAV.

[19]  Gordon Stewart,et al.  Certifying the True Error: Machine Learning in Coq with Verified Generalization Guarantees , 2019, AAAI.

[20]  Pierre-Yves Strub,et al.  Dependent types and multi-monadic effects in F* , 2016, POPL.

[21]  John Launchbury,et al.  The HACMS program: using formal methods to eliminate exploitable bugs , 2017, Philosophical Transactions of the Royal Society A: Mathematical, Physical and Engineering Sciences.

[22]  Philip Wadler,et al.  Refinement reflection: complete verification with SMT , 2017, Proc. ACM Program. Lang..

[23]  Philip Heng Wai Leong,et al.  FINN: A Framework for Fast, Scalable Binarized Neural Network Inference , 2016, FPGA.

[24]  Ananthram Swami,et al.  Crafting adversarial input sequences for recurrent neural networks , 2016, MILCOM 2016 - 2016 IEEE Military Communications Conference.

[25]  Lawrence C. Paulson,et al.  MetiTarski: An Automatic Theorem Prover for Real-Valued Special Functions , 2010, Journal of Automated Reasoning.