Make Sure You're Unsure: A Framework for Verifying Probabilistic Specifications

Most real-world applications require dealing with stochasticity like sensor noise or predictive uncertainty, where formal specifications of desired behavior are inherently probabilistic. Despite the promise of formal verification in ensuring the reliability of neural networks, progress in the direction of probabilistic specifications has been limited. In this direction, we first introduce a general formulation of probabilistic specifications for neural networks, which captures both probabilistic networks (e.g., Bayesian neural networks, MC-Dropout networks) and uncertain inputs (distributions over inputs arising from sensor noise or other perturbations). We then propose a general technique to verify such specifications by generalizing the notion of Lagrangian duality, replacing standard Lagrangian multipliers with "functional multipliers" that can be arbitrary functions of the activations at a given layer. We show that an optimal choice of functional multipliers leads to exact verification (i.e., sound and complete verification), and for specific forms of multipliers, we develop tractable practical verification algorithms. We empirically validate our algorithms by applying them to Bayesian Neural Networks (BNNs) and MC Dropout Networks, and certifying properties such as adversarial robustness and robust detection of out-of-distribution (OOD) data. On these tasks we are able to provide significantly stronger guarantees when compared to prior work – for instance, for a VGG-64 MC-Dropout CNN trained on CIFAR10 in a verification-agnostic manner, we improve the certified AUC (a verified lower bound on the true AUC) for robust OOD detection (on CIFAR-100) from 0% → 29%. Similarly, for a BNN trained on MNIST, we improve on the ℓ∞ robust accuracy from 60.2% → 74.6%. Further, on a novel specification – distributionally robust OOD detection – we improve on the certified AUC from 5% → 23%.
