TY - GEN
T1 - AI2
T2 - 39th IEEE Symposium on Security and Privacy, SP 2018
AU - Gehr, Timon
AU - Mirman, Matthew
AU - Drachsler-Cohen, Dana
AU - Tsankov, Petar
AU - Chaudhuri, Swarat
AU - Vechev, Martin
N1 - Publisher Copyright: © 2018 IEEE.
PY - 2018/7/23
Y1 - 2018/7/23
N2 - We present AI2, the first sound and scalable analyzer for deep neural networks. Based on overapproximation, AI2 can automatically prove safety properties (e.g., robustness) of realistic neural networks (e.g., convolutional neural networks). The key insight behind AI2 is to phrase reasoning about safety and robustness of neural networks in terms of classic abstract interpretation, enabling us to leverage decades of advances in that area. Concretely, we introduce abstract transformers that capture the behavior of fully connected and convolutional neural network layers with rectified linear unit activations (ReLU), as well as max pooling layers. This allows us to handle real-world neural networks, which are often built out of those types of layers. We present a complete implementation of AI2 together with an extensive evaluation on 20 neural networks. Our results demonstrate that: (i) AI2 is precise enough to prove useful specifications (e.g., robustness), (ii) AI2 can be used to certify the effectiveness of state-of-the-art defenses for neural networks, (iii) AI2 is significantly faster than existing analyzers based on symbolic analysis, which often take hours to verify simple fully connected networks, and (iv) AI2 can handle deep convolutional networks, which are beyond the reach of existing methods.
AB - We present AI2, the first sound and scalable analyzer for deep neural networks. Based on overapproximation, AI2 can automatically prove safety properties (e.g., robustness) of realistic neural networks (e.g., convolutional neural networks). The key insight behind AI2 is to phrase reasoning about safety and robustness of neural networks in terms of classic abstract interpretation, enabling us to leverage decades of advances in that area. Concretely, we introduce abstract transformers that capture the behavior of fully connected and convolutional neural network layers with rectified linear unit activations (ReLU), as well as max pooling layers. This allows us to handle real-world neural networks, which are often built out of those types of layers. We present a complete implementation of AI2 together with an extensive evaluation on 20 neural networks. Our results demonstrate that: (i) AI2 is precise enough to prove useful specifications (e.g., robustness), (ii) AI2 can be used to certify the effectiveness of state-of-the-art defenses for neural networks, (iii) AI2 is significantly faster than existing analyzers based on symbolic analysis, which often take hours to verify simple fully connected networks, and (iv) AI2 can handle deep convolutional networks, which are beyond the reach of existing methods.
KW - Abstract Interpretation
KW - Neural Networks
KW - Reliable Machine Learning
KW - Robustness
UR - http://www.scopus.com/inward/record.url?scp=85051044371&partnerID=8YFLogxK
U2 - 10.1109/SP.2018.00058
DO - 10.1109/SP.2018.00058
M3 - منشور من مؤتمر
T3 - Proceedings - IEEE Symposium on Security and Privacy
SP - 3
EP - 18
BT - Proceedings - 2018 IEEE Symposium on Security and Privacy, SP 2018
Y2 - 21 May 2018 through 23 May 2018
ER -