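We present a novel methodology for repairing neural networks that use ReLU activation functions. Unlike existing methods, which rely on modifying the weights of a neural network and can therefore induce a global change in the function space, our approach applies only a localized change in the function space while still guaranteeing the removal of the buggy behavior. By leveraging the piecewise linear nature of ReLU networks, our approach can efficiently construct a patch network tailored to the linear region where the buggy input resides, which, when combined with the original network, provably corrects the behavior on the buggy input. Our method is both sound and complete: the repaired network is guaranteed to fix the buggy input, and a patch is guaranteed to be found for any buggy input. Moreover, our approach preserves the continuous piecewise linear nature of ReLU networks, automatically generalizes the repair to all points inside the repair region, including other undetected buggy inputs, is minimal in terms of changes in the function space, and guarantees that outputs on inputs away from the repair region are unaltered. On several benchmarks, we show that our approach significantly outperforms existing methods in terms of locality and limiting negative side effects.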
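The robustness of deep neural networks is crucial to modern AI-enabled systems and should be formally verified. Sigmoid-like neural networks have been adopted in a wide range of applications. Due to their non-linearity, sigmoid-like activation functions are usually over-approximated for efficient verification, which inevitably introduces imprecision. Considerable effort has been devoted to finding so-called tighter approximations in order to obtain more precise verification results. However, existing tightness definitions are heuristic and lack theoretical foundations. We conduct a thorough empirical analysis of existing neuron-wise characterizations of tightness and reveal that they are superior only on specific neural networks. We then introduce the notion of network-wise tightness as a unified tightness definition and show that computing network-wise tightness is a complex non-convex optimization problem. We bypass the complexity from different perspectives via two efficient, tightest approximations. The results demonstrate the promising performance of our approaches over the state of the art: (i) achieving up to 251.28% improvement in certified lower robustness bounds; and (ii) exhibiting more precise verification results on convolutional networks.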
Verifying the robustness property of a general Rectified Linear Unit (ReLU) network is an NP-complete problem. Although finding the exact minimum adversarial distortion is hard, giving a certified lower bound of the minimum distortion is possible. Currently available methods of computing such a bound are either time-consuming or deliver low-quality bounds that are too loose to be useful. In this paper, we exploit the special structure of ReLU networks and provide two computationally efficient algorithms (Fast-Lin, Fast-Lip) that are able to certify non-trivial lower bounds of minimum adversarial distortions. Experiments show that (1) our methods deliver bounds close to (the gap is 2-3X) exact minimum distortions found by Reluplex in small networks while our algorithms are more than 10,000 times faster; (2) our methods deliver similar quality of bounds (the gap is within 35% and usually around 10%; sometimes our bounds are even better) for larger networks compared to the methods based on solving linear programming problems but our algorithms are 33-14,000 times faster; (3) our method is capable of solving large MNIST and CIFAR networks up to 7 layers with more than 10,000 neurons within tens of seconds on a single CPU core. In addition, we show that there is no polynomial time algorithm that can approximately find the minimum $\ell_1$ adversarial distortion of a ReLU network with a $0.99 \ln n$ approximation ratio unless NP=P, where $n$ is the number of neurons in the network.
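This work tackles the problem of characterizing and understanding the decision boundaries of neural networks with piecewise linear non-linearity activations. We use tropical geometry, a new development in the area of algebraic geometry, to characterize the decision boundaries of a simple network of the form (Affine, ReLU, Affine). Our main finding is that the decision boundaries are a subset of a tropical hypersurface, which is intimately related to a polytope formed by the convex hull of two zonotopes. The generators of these zonotopes are functions of the network parameters. This geometric characterization provides new perspectives on three tasks. (i) We propose a new tropical perspective on the lottery ticket hypothesis, in which we view the effect of different initializations on the tropical geometric representation of a network's decision boundaries. (ii) Moreover, we propose new tropical-based optimization reformulations that directly influence the decision boundaries of the network for the task of network pruning. (iii) Finally, we discuss the reformulation of the generation of adversarial attacks in a tropical sense. We demonstrate that adversaries can be constructed in a new tropical setting by perturbing a specific set of decision boundaries through perturbing a set of parameters in the network.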
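Neural networks have been widely applied in security applications such as spam and phishing detection, intrusion prevention, and malware detection. This black-box method, however, often has uncertainty and poor explainability in applications. Furthermore, neural networks themselves are often vulnerable to adversarial attacks. For these reasons, there is a high demand for trustworthy and rigorous methods to verify the robustness of neural network models. Adversarial robustness, which concerns the reliability of a neural network when dealing with maliciously manipulated inputs, is one of the hottest topics in security and machine learning. In this work, we survey the existing literature on adversarial robustness verification for neural networks and collect 39 diversified research works across the machine learning, security, and software engineering domains. We systematically analyze their approaches, including how robustness is formulated, which verification techniques are used, and the strengths and limitations of each technique. We provide a taxonomy from a formal verification perspective for a comprehensive understanding of this topic. We classify the existing techniques based on property specification, problem reduction, and reasoning strategies. We also demonstrate representative techniques that have been applied in existing studies using a sample model. Finally, we discuss open questions for future research.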
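Bound-propagation-based incomplete neural network verifiers such as CROWN are very efficient and can significantly accelerate branch-and-bound (BaB) based verification of neural networks. However, bound propagation cannot fully handle the neuron split constraints introduced by BaB, which are conventionally handled by expensive linear programming (LP) solvers, leading to loose bounds and hurting verification efficiency. In this work, we develop $\beta$-CROWN, a new bound-propagation-based method that can fully encode neuron splits via optimizable parameters $\beta$ constructed from either the primal or the dual space. When jointly optimized in intermediate layers, $\beta$-CROWN generally produces better bounds than typical LP verifiers with neuron split constraints, while being as efficient and parallelizable as CROWN on GPUs. Applied to complete robustness verification benchmarks, $\beta$-CROWN with BaB is three orders of magnitude faster than LP-based BaB methods, and is faster than all existing approaches while producing lower timeout rates. By terminating BaB early, our method can also be used for efficient incomplete verification. We consistently achieve higher verified accuracy in many settings compared to powerful incomplete verifiers, including those based on convex barrier breaking techniques. Compared to the tightest but very costly semidefinite programming (SDP) based incomplete verifiers, we obtain higher verified accuracy with three orders of magnitude less verification time. Our algorithm empowered the $\alpha,\beta$-CROWN (alpha-beta-CROWN) verifier, the winning tool in VNN-COMP 2021. Our code is available at http://papercode.cc/betacrown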
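We consider nonlinear optimization problems that involve surrogate models represented by neural networks. We first show how to embed neural network evaluation directly into optimization models, highlight a difficulty with this approach that can prevent convergence, and then characterize the stationarity of such models. We then present two alternative formulations of these problems in the specific case of feedforward neural networks with ReLU activation: as a mixed-integer optimization problem and as a mathematical program with complementarity constraints. For the latter formulation, we prove that stationarity at a point for this problem corresponds to stationarity of the embedded formulation. Each of these formulations can be solved with state-of-the-art optimization methods, and we show how to obtain good initial feasible solutions for these methods. We compare our formulations on three practical applications arising in the design and control of combustion engines, in the generation of adversarial attacks on classifier networks, and in the determination of optimal flows in an oil well network.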
We study the expressibility and learnability of convex optimization solution functions and their multi-layer architectural extension. The main results are: (1) the class of solution functions of linear programming (LP) and quadratic programming (QP) is a universal approximant for the $C^k$ smooth model class or some restricted Sobolev space, and we characterize the rate-distortion, (2) the approximation power is investigated through a viewpoint of regression error, where information about the target function is provided in terms of data observations, (3) compositionality in the form of a deep architecture with optimization as a layer is shown to reconstruct some basic functions used in numerical analysis without error, which implies that (4) a substantial reduction in rate-distortion can be achieved with a universal network architecture, and (5) we discuss the statistical bounds of empirical covering numbers for LP/QP, as well as a generic optimization problem (possibly nonconvex) by exploiting tame geometry. Our results provide the first rigorous analysis of the approximation and learning-theoretic properties of solution functions with implications for algorithmic design and performance guarantees.
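In this article we present new results on neural networks with linear threshold activation functions. We precisely characterize the class of functions that are representable by such neural networks and show that 2 hidden layers are necessary and sufficient to represent any function representable in the class. This is a surprising result in light of recent exact representability investigations for neural networks using other popular activation functions such as rectified linear units (ReLU). We also give precise bounds on the sizes of the neural networks required to represent any function in the class. Finally, we design an algorithm to solve the empirical risk minimization (ERM) problem to global optimality for these neural networks with a fixed architecture. The algorithm's running time is polynomial in the size of the data sample if the input dimension and the size of the network architecture are considered fixed constants. The algorithm is unique in the sense that it works for any architecture with any number of layers, whereas previous polynomial-time globally optimal algorithms work only for very restricted classes of architectures.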
The adversarial input generation problem has become central in establishing the robustness and trustworthiness of deep neural nets, especially when they are used in safety-critical application domains such as autonomous vehicles and precision medicine. This is also practically challenging for multiple reasons: scalability is a common issue owing to large-sized networks, and the generated adversarial inputs often lack important qualities such as naturalness and output-impartiality. We relate this problem to the task of patching neural nets, i.e. applying small changes in some of the network's weights so that the modified net satisfies a given property. Intuitively, a patch can be used to produce an adversarial input because the effect of changing the weights can also be brought about by changing the inputs instead. This work presents a novel technique to patch neural networks and an innovative approach of using it to produce perturbations of inputs which are adversarial for the original net. We note that the proposed solution is significantly more effective than the prior state-of-the-art techniques.
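We contribute to a better understanding of the class of functions that is represented by a neural network with ReLU activations and a given architecture. Using techniques from mixed-integer optimization, polyhedral theory, and tropical geometry, we provide a mathematical counterbalance to the universal approximation theorems, which suggest that a single hidden layer is sufficient for learning tasks. In particular, we investigate whether the class of exactly representable functions strictly increases by adding more layers (with no restrictions on size). This problem has potential impact on algorithmic and statistical aspects because of the insight it provides into the class of functions represented by neural hypothesis classes. However, to the best of our knowledge, this question has not been investigated in the neural network literature. We also present upper bounds on the sizes of neural networks required to represent functions in these neural hypothesis classes.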
While deep neural networks (DNNs) have demonstrated impressive performance in solving many challenging tasks, they are limited to resource-constrained devices owing to their demand for computation power and storage space. Quantization is one of the most promising techniques to address this issue by quantizing the weights and/or activation tensors of a DNN into lower bit-width fixed-point numbers. While quantization has been empirically shown to introduce minor accuracy loss, it lacks formal guarantees on that, especially when the resulting quantized neural networks (QNNs) are deployed in safety-critical applications. A majority of existing verification methods focus exclusively on individual neural networks, either DNNs or QNNs. While promising attempts have been made to verify the quantization error bound between DNNs and their quantized counterparts, they are not complete and, more importantly, do not support fully quantized neural networks, namely, only weights are quantized. To fill this gap, in this work, we propose a quantization error bound verification method (QEBVerif), where both weights and activation tensors are quantized. QEBVerif consists of two analyses: a differential reachability analysis (DRA) and a mixed-integer linear programming (MILP) based verification method. DRA performs difference analysis between the DNN and its quantized counterpart layer-by-layer to efficiently compute a tight quantization error interval. If it fails to prove the error bound, then we encode the verification problem into an equivalent MILP problem which can be solved by off-the-shelf solvers. Thus, QEBVerif is sound, complete, and arguably efficient. We implement QEBVerif in a tool and conduct extensive experiments, showing its effectiveness and efficiency.
Deep neural networks have achieved impressive experimental results in image classification, but can surprisingly be unstable with respect to adversarial perturbations, that is, minimal changes to the input image that cause the network to misclassify it. With potential applications including perception modules and end-to-end controllers for self-driving cars, this raises concerns about their safety. We develop a novel automated verification framework for feed-forward multi-layer neural networks based on Satisfiability Modulo Theory (SMT). We focus on safety of image classification decisions with respect to image manipulations, such as scratches or changes to camera angle or lighting conditions that would result in the same class being assigned by a human, and define safety for an individual decision in terms of invariance of the classification within a small neighbourhood of the original image. We enable exhaustive search of the region by employing discretisation, and propagate the analysis layer by layer. Our method works directly with the network code and, in contrast to existing methods, can guarantee that adversarial examples, if they exist, are found for the given region and family of manipulations. If found, adversarial examples can be shown to human testers and/or used to fine-tune the network. We implement the techniques using Z3 and evaluate them on state-of-the-art networks, including regularised and deep learning networks. We also compare against existing techniques to search for adversarial examples and estimate network robustness.
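Deep neural networks (DNNs) are increasingly being employed in safety-critical systems, and there is an urgent need to guarantee their correctness. Consequently, the verification community has devised multiple techniques and tools for verifying DNNs. When DNN verifiers discover an input that triggers an error, that is easy to confirm; but when they report that no error exists, there is no way to ensure that the verification tool itself is not flawed. As multiple errors have already been observed in DNN verification tools, this calls the applicability of DNN verification into question. In this work, we present a novel mechanism for enhancing Simplex-based DNN verifiers with proof production capabilities: the generation of an easy-to-check witness of unsatisfiability, which attests to the absence of errors. Our proof production is based on an efficient adaptation of the well-known Farkas' lemma, combined with mechanisms for handling piecewise-linear functions and numerical precision errors. As a proof of concept, we implemented our technique on top of the Marabou DNN verifier. Our evaluation on a safety-critical system for airborne collision avoidance shows that proof production succeeds in almost all cases and requires only minimal overhead.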
We describe an algorithm that learns two-layer residual units using rectified linear unit (ReLU) activation: suppose the input $\mathbf{x}$ is from a distribution with support space $\mathbb{R}^d$ and the ground-truth generative model is a residual unit of this type, given by $\mathbf{y} = \boldsymbol{B}^\ast\left[\left(\boldsymbol{A}^\ast\mathbf{x}\right)^+ + \mathbf{x}\right]$, where ground-truth network parameters $\boldsymbol{A}^\ast \in \mathbb{R}^{d\times d}$ represent a full-rank matrix with nonnegative entries and $\boldsymbol{B}^\ast \in \mathbb{R}^{m\times d}$ is full-rank with $m \geq d$ and for $\boldsymbol{c} \in \mathbb{R}^d$, $[\boldsymbol{c}^{+}]_i = \max\{0, c_i\}$. We design layer-wise objectives as functionals whose analytic minimizers express the exact ground-truth network in terms of its parameters and nonlinearities. Following this objective landscape, learning residual units from finite samples can be formulated using convex optimization of a nonparametric function: for each layer, we first formulate the corresponding empirical risk minimization (ERM) as a positive semi-definite quadratic program (QP), then we show the solution space of the QP can be equivalently determined by a set of linear inequalities, which can then be efficiently solved by linear programming (LP). We further prove the strong statistical consistency of our algorithm, and demonstrate its robustness and sample efficiency through experimental results on synthetic data and a set of benchmark regression datasets.
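The non-convexity of the artificial neural network (ANN) training landscape brings inherent optimization difficulties. While the traditional back-propagation stochastic gradient descent (SGD) algorithm and its variants are effective in certain cases, they can become stuck at spurious local minima and are sensitive to initializations and hyperparameters. Recent work has shown that the training of an ANN with ReLU activations can be reformulated as a convex program, bringing hope of globally optimizing interpretable ANNs. However, naively solving the convex training formulation has exponential complexity, and even an approximation heuristic requires cubic time. In this work, we characterize the quality of this approximation and develop two efficient algorithms that train ANNs with global convergence guarantees. The first algorithm is based on the alternating direction method of multipliers (ADMM). It solves both the exact convex formulation and the approximate counterpart. Linear global convergence is achieved, and the initial several iterations often yield a solution with high prediction accuracy. When solving the approximate formulation, the per-iteration time complexity is quadratic. The second algorithm, based on the "sampled convex programs" theory, is simpler to implement. It solves unconstrained convex formulations and converges to an approximately globally optimal classifier. The non-convexity of the ANN training landscape is exacerbated when adversarial training is considered. We apply robust convex optimization theory to convex training and develop convex formulations that train ANNs robust to adversarial inputs. Our analysis explicitly focuses on one-hidden-layer fully connected ANNs, but can be extended to more sophisticated architectures.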
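Convolutional neural networks have gained vast popularity due to their excellent performance in the fields of computer vision, image processing, and others. Unfortunately, it is now well known that convolutional networks often produce erroneous results; for example, minor perturbations of the inputs of these networks can result in severe classification errors. Numerous verification approaches have been proposed in recent years to prove the absence of such errors, but these are typically geared toward fully connected networks and suffer from exacerbated scalability issues when applied to convolutional networks. To address this gap, we present here the CNN-ABS framework, which is specifically aimed at the verification of convolutional networks. The core of CNN-ABS is an abstraction-refinement technique, which simplifies the verification problem by removing convolutional connections in a way that creates an over-approximation of the original problem, and which restores these connections if the resulting problem becomes too abstract. CNN-ABS is designed to use existing verification engines as a backend, and our evaluation demonstrates that it can significantly boost the performance of a state-of-the-art DNN verification engine, reducing runtime by 15.7% on average.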
Deep learning (DL) systems are increasingly deployed in safety- and security-critical domains including self-driving cars and malware detection, where the correctness and predictability of a system's behavior for corner case inputs are of great importance. Existing DL testing depends heavily on manually labeled data and therefore often fails to expose erroneous behaviors for rare inputs. We design, implement, and evaluate DeepXplore, the first whitebox framework for systematically testing real-world DL systems. First, we introduce neuron coverage for systematically measuring the parts of a DL system exercised by test inputs. Next, we leverage multiple DL systems with similar functionality as cross-referencing oracles to avoid manual checking. Finally, we demonstrate how finding inputs for DL systems that both trigger many differential behaviors and achieve high neuron coverage can be represented as a joint optimization problem and solved efficiently using gradient-based search techniques. DeepXplore efficiently finds thousands of incorrect corner case behaviors (e.g., self-driving cars crashing into guard rails and malware masquerading as benign software) in state-of-the-art DL models with thousands of neurons trained on five popular datasets including ImageNet and Udacity self-driving challenge data. For all tested DL models, on average, DeepXplore generated one test input demonstrating incorrect behavior within one second while running only on a commodity laptop. We further show that the test inputs generated by DeepXplore can also be used to retrain the corresponding DL model to improve the model's accuracy by up to 3%.
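As a new programming paradigm, deep neural networks (DNNs) have been increasingly deployed in practice, but their lack of robustness hinders their application in safety-critical domains. While there are techniques for verifying DNNs with formal guarantees, they are limited in scalability and accuracy. In this paper, we present a novel abstraction approach for scalable and exact DNN verification. Specifically, we propose a novel abstraction to break down the size of DNNs by over-approximation. The result of verifying the abstract DNN is always conclusive if no spurious counterexample is reported. To eliminate spurious counterexamples introduced by abstraction, we propose a novel counterexample-guided refinement that refines the abstract DNN to exclude a given spurious counterexample while still over-approximating the original one. Our approach is orthogonal to, and can be integrated with, many existing verification techniques. For demonstration, we implement our approach using two promising and exact tools, Marabou and Planet, as the underlying verification engines, and evaluate it on the widely used benchmarks ACAS Xu, MNIST and CIFAR-10. The results show that our approach can boost their performance by solving more problems and reducing verification time by 86.3% and 78.0%, respectively. Compared to the most relevant abstraction approach, our approach is 11.6-26.6 times faster.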
To rigorously certify the robustness of neural networks to adversarial perturbations, most state-of-the-art techniques rely on a triangle-shaped linear programming (LP) relaxation of the ReLU activation. While the LP relaxation is exact for a single neuron, recent results suggest that it faces an inherent "convex relaxation barrier" as additional activations are added, and as the attack budget is increased. In this paper, we propose a nonconvex relaxation for the ReLU relaxation, based on a low-rank restriction of a semidefinite programming (SDP) relaxation. We show that the nonconvex relaxation has a similar complexity to the LP relaxation, but enjoys improved tightness that is comparable to the much more expensive SDP relaxation. Despite nonconvexity, we prove that the verification problem satisfies constraint qualification, and therefore a Riemannian staircase approach is guaranteed to compute a near-globally optimal solution in polynomial time. Our experiments provide evidence that our nonconvex relaxation almost completely overcomes the "convex relaxation barrier" faced by the LP relaxation.