Quantitative Verification of Neural Networks And its Security Applications
Teodora Baluta, Shiqi Shen, Shweta Shinde, Kuldeep S. Meel, and Prateek Saxena

TL;DR
This paper introduces a new framework for the quantitative verification of neural networks, providing probabilistic guarantees and enabling analysis of robustness, security, and fairness in safety-critical applications.
Contribution
It presents the first PAC-style sound framework for probabilistic counting of network inputs satisfying properties, with a prototype tool for binarized neural networks.
Findings
Provides PAC-style guarantees for quantitative verification
Enables analysis of robustness, attacks, and bias in neural networks
Demonstrates practical applications with a prototype tool
Abstract
Neural networks are increasingly employed in safety-critical domains. This has prompted interest in verifying or certifying logically encoded properties of neural networks. Prior work has largely focused on checking existential properties, wherein the goal is to check whether there exists any input that violates a given property of interest. However, neural network training is a stochastic process, and many questions arising in their analysis require probabilistic and quantitative reasoning, i.e., estimating how many inputs satisfy a given property. To this end, our paper proposes a novel and principled framework to quantitative verification of logical properties specified over neural networks. Our framework is the first to provide PAC-style soundness guarantees, in that its quantitative estimates are within a controllable and bounded error from the true count. We instantiate our…
| A. Internal Block |
| 1) Linear Layer |
| (1) |
| where , is the column in |
| , is the bias row vector and |
| 2) Batch Normalization |
| (2) |
| where , is the weight row vector |
| , is the bias , is the mean and |
| is the standard deviation. |
| 3) Binarization |
| (3) (4) |
| where . |
| B. Output Block |
| 1) Linear Layer |
| (5) |
| where , is the column , |
| is the bias vector. |
| 2) Argmax |
| (6) |
| A. to |
|---|
| B. to |
| C. to BNN |
| Feature | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| NLC | Time | NLC | Time | NLC | Time | NLC | Time | NLC | Time | NLC | Time | NLC | Time | NLC | Time | |
| Marital Status | 39.10 | 8.79 | 39.08 | 1.35 | 39.09 | 0.80 | 39.13 | 0.34 | x | x | 39.07 | 22.48 | 39.07 | 15.74 | 39.10 | 8.79 |
| Race | 40.68 | 3.10 | 40.64 | 0.68 | 40.65 | 0.42 | 40.73 | 0.27 | 40.68 | 14.68 | 40.67 | 8.21 | 40.67 | 5.80 | 40.68 | 3.10 |
| Gender | 41.82 | 3.23 | 41.81 | 0.62 | 41.88 | 0.40 | 41.91 | 0.27 | 41.81 | 15.48 | 41.81 | 8.22 | 41.81 | 6.02 | 41.82 | 3.23 |
| Arch | ACCb |
|
#(Adv) | PS(adv) | #(timeout) | ||
|---|---|---|---|---|---|---|---|
| ARCH1 | 76 | 561 | 11.10 | 0 | |||
| 26,631 | 16.47 | 0 | |||||
| 685,415 | 17.48 | 0 | |||||
| 16,765,457 | 22.27 | 0 | |||||
| ARCH2 | 79 | 789 | 15.63 | 0 | |||
| 35,156 | 21.74 | 0 | |||||
| 928,964 | 23.69 | 0 | |||||
| 21,011,934 | 27.91 | 0 | |||||
| ARCH3 | 80 | 518 | 10.25 | 0 | |||
| 24,015 | 14.85 | 0 | |||||
| 638,530 | 16.28 | 0 | |||||
| 18,096,758 | 24.04 | 4 | |||||
| ARCH4 | 88 | 664 | 13.15 | 0 | |||
| 25,917 | 16.03 | 1 | |||||
| 830,129 | 21.17 | 4 | |||||
| 29,138,314 | 38.70 | 17 |
| Arch | #(Adv) (Epoch = 0) | Defense 1 | Defense 2 | ||||||
|---|---|---|---|---|---|---|---|---|---|
| Epoch = 1 | Epoch = 5 | Epoch = 1 | Epoch = 5 | ||||||
| ACCb | #(Adv) | ACCb | #(Adv) | ACCb | #(Adv) | ACCb | #(Adv) | ||
| ARCH1 | 561 | 82.23 | 942 | 84.04 | 776 | 82.61 | 615 | 81.88 | 960 |
| ARCH2 | 789 | 79.55 | 1,063 | 77.10 | 1,249 | 81.76 | 664 | 78.73 | 932 |
| ARCH3 | 518 | 84.12 | 639 | 85.23 | 431 | 82.97 | 961 | 82.94 | 804 |
| ARCH4 | 664 | 88.15 | 607 | 88.31 | 890 | 88.85 | 549 | 85.75 | 619 |
| Arch | TC | Epoch 1 | Epoch 10 | Epoch 30 | Selected Epoch | |||
| PS(tr) | ACCt | PS(tr) | ACCt | PS(tr) | ACCt | |||
| ARCH1 | 0 | 39.06 | 50.75 | 13.67 | 72.90 | 5.76 | 68.47 | 1 |
| 1 | 42.97 | 43.49 | 70.31 | 74.20 | 42.97 | 67.63 | 10 | |
| 4 | 9.77 | 66.80 | 19.14 | 83.18 | 2.69 | 69.99 | 10 | |
| 5 | 27.73 | 58.35 | 25.78 | 53.30 | 7.42 | 39.77 | 1 | |
| 9 | 2.29 | 53.67 | 12.11 | 61.85 | 0.19 | 77.70 | 10 | |
| ARCH2 | 0 | 1.51 | 27.98 | 1.46 | 48.30 | 9.38 | 59.36 | 30 |
| 1 | 2.34 | 30.37 | 13.28 | 40.57 | 8.59 | 51.40 | 10 | |
| 4 | 1.07 | 38.54 | 0.21 | 27.41 | 0.59 | 37.45 | 1 | |
| 5 | 28.91 | 26.66 | 12.70 | 50.24 | 9.38 | 54.90 | 1 | |
| 9 | 0.15 | 36.39 | 0.38 | 41.81 | 0.44 | 42.99 | 30 | |
| ARCH3 | 0 | 18.36 | 26.91 | 25.00 | 71.85 | 8.40 | 76.30 | 10 |
| 1 | 4.79 | 15.23 | 34.38 | 50.57 | 21.48 | 60.33 | 10 | |
| 4 | 7.81 | 33.89 | 11.33 | 67.30 | 4.79 | 62.77 | 10 | |
| 5 | 26.56 | 63.11 | 19.92 | 71.92 | 18.75 | 79.23 | 1 | |
| 9 | 6.84 | 26.51 | 3.32 | 29.12 | 1.15 | 46.51 | 1 | |
| ARCH4 | 0 | x | 10.40 | 3.32 | 36.89 | 4.88 | 60.14 | 30 |
| 1 | x | 8.57 | x | 54.39 | 0.87 | 78.10 | 30 | |
| 4 | x | 9.95 | 1.44 | 62.46 | 0.82 | 82.47 | 10 | |
| 5 | 19.92 | 8.83 | 13.67 | 8.44 | 25.39 | 11.96 | 30 | |
| 9 | x | 19.64 | 7.03 | 58.39 | 1.44 | 74.83 | 10 | |
| Arch | Married Divorced | Female Male | White Black | ||||||
| = | ¿ | ¡ | = | ¿ | ¡ | = | ¿ | ¡ | |
| ARCH1 | 89.22 | 0.00 | 10.78 | 89.17 | 9.13 | 2.07 | 84.87 | 5.57 | 9.16 |
| ARCH2 | 76.59 | 4.09 | 20.07 | 74.94 | 18.69 | 6.58 | 79.82 | 14.34 | 8.63 |
| ARCH3 | 72.50 | 4.37 | 21.93 | 80.04 | 9.34 | 12.11 | 78.23 | 6.24 | 18.58 |
| ARCH4 | 81.79 | 3.81 | 13.75 | 83.86 | 5.84 | 10.19 | 82.21 | 5.84 | 10.35 |
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Quantitative Verification of Neural Networks
And Its Security Applications
Teodora Baluta
National University of Singapore
,
Shiqi Shen
National University of Singapore
,
Shweta Shinde
University of California, Berkeley
,
Kuldeep S. Meel
National University of Singapore
and
Prateek Saxena
National University of Singapore
Abstract.
Neural networks are increasingly employed in safety-critical domains. This has prompted interest in verifying or certifying logically encoded properties of neural networks. Prior work has largely focused on checking existential properties, wherein the goal is to check whether there exists any input that violates a given property of interest. However, neural network training is a stochastic process, and many questions arising in their analysis require probabilistic and quantitative reasoning, i.e., estimating how many inputs satisfy a given property. To this end, our paper proposes a novel and principled framework to quantitative verification of logical properties specified over neural networks. Our framework is the first to provide PAC-style soundness guarantees, in that its quantitative estimates are within a controllable and bounded error from the true count. We instantiate our algorithmic framework by building a prototype tool called NPAQ that enables checking rich properties over binarized neural networks. We show how emerging security analyses can utilize our framework in concrete point applications: quantifying robustness to adversarial inputs, efficacy of trojan attacks, and fairness/bias of given neural networks.
1. Introduction
Neural networks are witnessing wide-scale adoption, including in domains with the potential for a long-term impact on human society. Examples of these domains include criminal sentencing (com, 2012), drug discovery (Wallach et al., 2015; Verbist et al., 2015), self-driving cars (Bojarski et al., 2016), aircraft collision avoidance systems (Julian et al., ), robots (Bhattacharyya et al., ), and drones (Giusti et al., 2016). While neural networks achieve human-level accuracy in several challenging tasks such as image recognition (Krizhevsky et al., ; Szegedy et al., a; He et al., ) and machine translation (LeCun et al., 2015; Sutskever et al., ; Bahdanau et al., ), studies show that these systems may behave erratically in the wild (Fredrikson et al., b; Fredrikson et al., a; Papernot et al., a; Papernot et al., 2016; Papernot et al., b; Evtimov et al., ; Uesato et al., ; Athalye et al., ; Tramèr et al., ; Shokri et al., ; Biggio et al., ; Carlini et al., ; Carlini et al., 2018).
Consequently, there has been a surge of interest in the design of methodological approaches to verification and testing of neural networks. Early efforts focused on qualitative verification wherein, given a neural network and property , one is concerned with determining whether there exists an input to such that is violated (Simonyan et al., ; Sundararajan et al., ; Koh and Liang, ; Datta et al., b; Pei et al., ; Pulina and Tacchella, ; Ehlers, ; Narodytska et al., ; Katz et al., ; Huang et al., ; Dvijotham et al., 2018). While such certifiability techniques provide value, for instance in demonstrating the existence of adversarial examples (Goodfellow et al., ; Papernot et al., a), it is worth recalling that the designers of neural network-based systems often make a statistical claim of their behavior, i.e., a given system is claimed to satisfy properties of interest with high probability but not always. Therefore, many analyses of neural networks require quantitative reasoning, which determines how many inputs satisfy P.
It is natural to encode properties as well as conditions on inputs or outputs as logical formulae. We focus on the following formulation of quantitative verification: Given a set of neural networks and a property of interest P defined over the union of inputs and outputs of neural networks in , we are interested in estimation of how often P is satisfied. In many critical domains, client analyses often require guarantees that the computed estimates be reasonably close to the ground truth. We are not aware of any prior approaches that provide such formal guarantees, though the need for quantitative verification has recently been recognized (Webb et al., ; Seshia et al., ).
Security Applications.
Quantitative verification enables many applications in security analysis (and beyond) for neural networks. We present point applications in which the following analysis questions can be quantitatively answered:
- •
Robustness: How many adversarial samples does a given neural network have? Does one neural network have more adversarial inputs compared to another one?
- •
Trojan Attacks: A neural network can be trained to classify certain inputs with “trojan trigger” patterns to the desired label. How well-poisoned is a trojaned model, i.e., how many such trojan inputs does the attack successfully work for?
- •
Fairness: Does a neural network change its predictions significantly when certain input features are present (e.g., when the input record has gender attribute set to “female” vs. “male”)?
Note that such analysis questions boil down to estimating how often some property over inputs and outputs is satisfied. Estimating counts is fundamentally different from checking whether a satisfiable input exists. Since neural networks are stochastically trained, the mere existence of certain satisfiable inputs is not unexpected. The questions above checks whether their counts are sufficiently large to draw statistically significant inferences. Section 3 formulates these analysis questions as logical specifications.
Our Approach.
The primary contribution of this paper is a new analysis framework, which models the given set of neural networks and P as set of logical constraints, , such that the problem of quantifying how often satisfies P reduces to model counting over . We then show that the quantitative verification is -hard. Given the computational intractability of , we seek to compute rigorous estimates and introduce the notion of approximate quantitative verification: given a prescribed tolerance factor and confidence parameter , we estimate how often P is satisfied with PAC-style guarantees, i.e., computed result is within a multiplicative factor of the ground truth with confidence at least .
Our approach works by encoding the neural network into a logical formula in CNF form. The key to achieving soundness guarantees is our new notion of equi-witnessability, which defines a principled way of encoding neural networks into a CNF formula , such that quantitative verification reduces to counting the satisfying assignments of projected to a subset of the support of . We then use approximate model counting on , which has seen rapid advancement in practical tools that provide PAC-style guarantees on counts for . The end result is a quantitative verification procedure for neural networks with soundness and precision guarantees.
While our framework is more general, we instantiate our analysis framework with a sub-class of neural networks called binarized neural networks (or BNNs) (Hubara et al., ). BNNs are multi-layered perceptrons with weights and step activation functions. They have been demonstrated to achieve high accuracy for a wide variety of applications (Rastegari et al., 2016; McDanel et al., ; Kung et al., 2018). Due to their small memory footprint and fast inference time, they have been deployed in constrained environments such as embedded devices (McDanel et al., ; Kung et al., 2018). We observe that specific existing encodings for BNNs adhere to our notion of equi-witnessability and implement these in a new tool called NPAQ 111The name stands for Neural Property Approximate Quantifier. The tool will be released as open-source post-publication.. We provide proofs of key correctness and composability properties of our general approach, as well as of our specific encodings. Our encodings are linear in the size of and .
Empirical Results.
We show that NPAQ scales to BNNs with internal layers and units per layer. We use standard datasets namely MNIST and UCI Adult Census Income dataset. We encode a total of models, each with parameters, into formulae and quantitatively verify them. NPAQ encodes properties in less than a minute and solves % formulae in a -hour timeout. Encodings scale linearly in the size of the models, and its running time is not dependent on the true counts. We showcase how NPAQ can be used in diverse security applications with case studies. First, we quantify the model robustness by measuring how many adversarially perturbed inputs are misclassified, and then the effectiveness of defenses for model hardening with adversarial training. Next, we evaluate the effectiveness of trojan attacks outside the chosen test set. Lastly, we measure the influence of sensitive features on the output and check if the model is biased towards a particular value of the sensitive feature.
Contributions.
We make the following contributions:
- •
New Notion. We introduce the notion of approximate quantitative verification to estimate how often a property is satisfied by the neural net with theoretically rigorous PAC-style guarantees.
- •
Algorithmic Approach, Tool, & Security Applications. We propose a principled algorithmic approach for encoding neural networks to CNF formula that preserve model counts. We build an end-to-end tool called NPAQ that can handle BNNs. We demonstrate security applications of NPAQ in quantifying robustness, trojan attacks, and fairness.
- •
Results.
We evaluate NPAQ on formulae derived from properties over BNNs trained on two datasets. We show that NPAQ presently scales to BNNs of over parameters, and evaluate its performance characteristics with respect to different user-chosen parameters.
2. Problem Definition
Definition 2.1 (Specification ()).
Let be a set of neural nets, where each neural net takes a vector of inputs and outputs a vector , such that . Let denote the property P over the inputs and outputs . We define the specification of property P over as .
We show several motivating property specifications in Section 3. For the sake of illustration here, consider be a set of two neural networks that take as input a vector of three integers and output a , i.e., and . We want to encode a property to check the dis-similarity between and , i.e., counting for how many inputs (over all possible inputs) do and produce differing outputs. The specification is defined over the inputs , outputs and as .
Given a specification for a property P over the set of neural nets , a verification procedure returns (SAT) if there exists a satisfying assignment such that , otherwise it returns (UNSAT). A satisfying assignment for is defined as such that evaluates to true, i.e., or .
While the problem of standard (qualitative) verification asks whether there exists a satisfying assignment to , the problem of quantitative verification asks how many satisfying assignments or models does admit. We denote the set of satisfying assignments for the specification as .
Definition 2.2 (Neural Quantitative Verification (NQV)).
Given a specification for a property P over the set of neural nets , a quantitative verification procedure, , returns the number of satisfying assignments of , .
It is worth noting that may be intractably large to compute via naïve enumeration. For instance, we consider neural networks with hundreds of bits as inputs for which the unconditioned input space is . In fact, we prove that quantitative verification is #P-hard, as stated below.
Theorem 2.3.
* is #P-hard, where is a specification for a property P over binarized neural nets.*
Our proof is a parsimonious reduction of model counting of CNF formulas, #CNF, to quantitative verification of binarized neural networks. We show how an arbitrary CNF formula F can be transformed into a binarized neural net and a property P such that for a specification for P over , it holds true that . See Appendix 10.2 for the full proof.
Remark 1.
The parsimonious reduction from #CNF to NQV implies that fully polynomial time randomized approximation schemes, including those based on Monte Carlo, cannot exist unless NP=RP.
The computational intractability of #P necessitates a search for relaxations of NQV. To this end, we introduce the notion of an approximate quantitative verifier that outputs an approximate count within of the true count with a probability greater than .
Definition 2.4 (Approximate NQV ()).
Given a specification for a property P over a set of neural nets , and , an approximate quantitative verification procedure computes such that .
The security analyst can set the “confidence” parameter and the precision or “error tolerance” as desired. The definition specifies the end guarantee of producing estimates that are statistically sound with respect to chosen parameters .
Connection to computing probabilities.
Readers can naturally interpret as a measure of probability. Consider to be a set of functions defined over input random variables . The property specification defines an event that conditions inputs and outputs to certain values, which the user can specify as desired. The measure counts how often the event occurs under all possible values of . Therefore, is the probability of the event defined by occurring. Our formulation presented here computes weighting all possible values of equally, which implicitly assumes a uniform distribution over all random variables . Our framework can be extended to weighted counting (Ermon et al., a, b, 2013; Chakraborty et al., a), assigning different user-defined weights to different values of , which is akin to specifying a desired probability distributions over . However, we consider this extension as a promising future work.
3. Security Applications
We present three concrete application contexts which highlight how quantitative verification is useful to diverse security analyses. The specific property specifications presented here derived directly from recent works, highlighting that NPAQ is broadly applicable to analysis problems actively being investigated.
Robustness.
An adversarial example for a neural network is an input which under a small perturbation is classified differently (Szegedy et al., b; Goodfellow et al., ). The lower the number of adversarial examples, the more “robust” the neural network. Early work on verifying robustness aimed at checking whether adversarial inputs exist. However, recent works suggest that adversarial inputs are statistically “not surprising” (Uesato et al., ; Athalye et al., ; Ford et al., 2019) as they are a consequence of normal error in statistical classification (Gilmer et al., 2018b, a; Mahloujifar et al., 2018; Dohmatob, 2018). This highlights the importance of analyzing whether a statistically significant number of adversarial examples exist, not just whether they exist at all, under desired input distributions. Our framework allows the analyst to specify a logical property of adversarial inputs and quantitatively verify it. Specifically, one can estimate how many inputs are misclassified by the net () and within some small perturbation distance from a benign sample () (Carlini and Wagner, ; Papernot et al., a; Papernot et al., 2016), by encoding the property P1 in our framework as:
[TABLE]
As a concrete usage scenario, our evaluation reports on BNNs for image classification (Section 6.2). Even for a small given input (say bits), the space of all inputs within a perturbation of bits is , which is too large to check for misclassification one-by-one. NPAQ does not enumerate and yet can estimate adversarial input counts with PAC-style guarantees (Section 6.2). As we permit larger perturbation, as expected, the number of adversarial samples monotonically increase, and NPAQ can quantitatively measure how much. Further, we show how one can directly compare robustness estimates for two neural networks. Such estimates may also be used to measure the efficacy of defenses. Our evaluation on adversarial training defenses shows that the hardened models show lesser robustness than the plain (unhardened) model. Such analysis can help to quantitatively refute, for instance, claims that BNNs are intrinsically more robust, as suggested in prior work (Galloway et al., ).
Trojan Attacks.
Neural networks, such as for facial recognition systems, can be trained in a way that they output a specific value, when the input has a certain “trojan trigger” embedded in it (Liu et al., ; Geigel, 2013). The trojan trigger can be a fixed input pattern (e.g., a sub-image) or some transformation that can be stamped on to a benign image. One of the primary goals of the trojan attack is to maximize the number of trojaned inputs which are classified as the desired target output, . NPAQ can quantify the number of such inputs for a trojaned network, allowing attackers to optimize for this metric. To do so, one can encode the set of trojaned inputs as all those inputs which satisfy the following constraint for a given neural network , trigger , and the (pixel) location of the trigger :
[TABLE]
Section 6.3 shows an evaluation on BNNs trained on the MNIST dataset. Our evaluation demonstrates that the attack accuracy on samples from the test set can differ significantly from the total set of trojaned inputs specified as in property P2.
Fairness.
The right notion of algorithmic fairness is being widely debated(Dwork et al., ; Feldman et al., ; Zafar et al., ; Datta et al., b; Hardt et al., ; Datta et al., a). Our framework can help quantitatively evaluate desirable metrics measuring “bias” for neural networks. Consider a scenario where a neural network is used to predict the recommended salary for a new hire in a company. Having been trained on public data, one may want to check whether makes biased predictions based on certain sensitive features such as race, gender, or marital status of the new hire. To verify this, one can count how often proposes a higher salary for inputs when they have a particular sensitive feature (say “gender”) set to certain values (say “male”), given all other input features the same. Formally, this property can be encoded for given sensitive features , , where , along with values , as:
[TABLE]
Notice the NPAQ counts over all possible inputs where the non-sensitive feature remain equal, but only the sensitive feature changes, which causes no change in prediction. An unbiased model would produce a very high count, meaning that for most inputs (or with high probability), changing just the sensitive feature results in no change in outputs. A follow-up query one may ask is whether setting the sensitive feature to a certain input value, keeping all other values the same, increases (or decreases) the output salary prediction. This can be encoded as property P4 (or P5) below.
[TABLE]
[TABLE]
NPAQ can be used to quantitatively verify such properties, and compare models before deploying them based on such estimates. Section 6.4 presents more concrete evaluation details and interpretation of BNNs trained on the UCI Adult dataset (uci, 2017).
4. Approach
Recall that exact counting (as defined in NQV) is -hard. Even for approximate counting, many widely used sampling-based approaches, such as based on Monte Carlo methods (Grosu and Smolka, ; Hastings, 1970; Neal, 1993; Jerrum and Sinclair, 1996), do not provide soundness guarantees since existence of a method that only requires polynomially many samples computable in (randomized) polynomial time would imply (See Remark 1). For sound estimates, it is well-known that many properties encodable in our framework require intractably large number of samples—for instance, to check for distributional similarity of two networks and in the classical model, a lower bound of samples are needed to obtain estimates with reasonable guarantees. However, approximate counting for boolean CNF formulae has recently become practical. These advances combine the classical ideas of universal hashing with the advances in the Boolean satisfiability by invoking SAT solvers for NP queries, i.e., to obtain satisfiable witnesses for queried CNF formulae. The basic idea behind these approximate CNF counters is to first employ universal hashing to randomly partition the set of solutions into roughly small buckets. Then, the approximate counter can enumerate a tractably small number of witnesses satisfying using a SAT solver within one bucket, which calculates the “density” of satisfiable solutions in that bucket. By careful analysis using concentration bounds, these estimates can be extended to the sum over all buckets, yielding a provably sound PAC-style guarantee of estimates. Our work leverages this recent advance in approximate CNF counting to solve the problem of (Soos and Meel, ).
The Equi-witnessability framework.
Our key technical advance is a new algorithmic framework for reducing to CNF counting with an encoding procedure that has provable soundness. The procedure encodes and P into , such that model counting in some way over counts over . This is not straight-forward. For illustration, consider the case of counting over boolean circuits, rather than neural networks. To avoid exponential blowup in the encoding, often one resorts to classical equisatisfiable encoding (Tseitin, 1983), which preserves satisfiability but introduces new variables in the process. Equisatisfiability means that the original formula is satisfiable if and only if the encoded one is too. Observe, however, that this notion of equisatisfiability is not sufficient for model counting—the encoded formula may be equisatisfiable but may have many more satisfiable solutions than the original.
We observe that a stronger notion, which we call equi-witnessability, provides a principled approach to constructing encodings that preserve counts. An equi-witnessability encoding, at a high level, ensures that the model count for an original formula can be computed by performing model counting projected over the subset of variables in the resulting formula. We define this equi-witnessability relation rigorously and prove in Lemma 4.2 that model counting over a constraint is equivalent to counting over its equi-witnessable encoding. Further, we prove in Lemma 4.3 that the equi-witnessability relation is closed under logical conjunction. This means model counting over conjunction of constraints is equivalent to counting over the conjunction of their equi-witnessable encodings. Equi-witnessability CNF encodings can thus be composed with boolean conjunction, while preserving equi-witnessability in the resulting formulae.
With this key observation, our procedure has two remaining sub-steps. First, we show equi-witnessable encodings for each neural net and properties over them to individual equi-witnessability CNF formulae. This implies , the conjunction of the equi-witnessability CNF encodings of the conjuncts in , preserves the original model count of . Second, we show how an existing approximate model counter for CNF with guarantees can be utilized to count over a projected subset of the variables in . This end result, by construction, guarantees that our final estimate of the model count has bounded error, parameterized by , with confidence at least .
Formalization.
We formalize the above notions using notation standard for boolean logic (Nieuwenhuis and Oliveras, 2005; Ganesh and Dill, ; Boigelot et al., ; Kozen and Parikh, ). The projection of an assignment over a subset of the variables , denoted as , is an assignment of to the values taken in (ignoring variables other than in ).
Definition 4.1.
We say that a formula is equi-witnessable to a formula where , if:
- (a)
, and 2. (b)
An example of a familiar equi-witnessable encoding is Tseitin (Tseitin, 1983), which transforms arbitrary boolean formulas to CNF. Our next lemma shows that equi-witnessability preserves model counts. We define , the set of satisfying assignments of projected over , as .
Lemma 4.2 (Count Preservation).
If is equi-witnessable to , then .
Proof.
By Definition 4.1(a), for every assignment , there is a and the . Therefore, each distinct satisfying assignment of must have a unique assignment to , which must be in . It follows that , then. Next, observe that Definition 4.1(b) states that everything in has a satisfying assignment in ; that is, its projection cannot correspond to a non-satisfying assignment in . By pigeonhole principle, it must be that . This proves that . ∎
Lemma 4.3 (CNF-Composibility).
Consider and , such that is equi-witnessable to , for . If , where , then is equi-witnessable to .
Proof.
- (a)
. By Definition 4.1(a), . Further, by Definition 4.1(a), and . This implies that . We can now define the . Since is empty (the only shared variables between and are ), it follows that and that . This proves part (a) of the claim that is equi-witnessable to . 2. (b)
. By Definition 4.1(b), and . This implies , thereby proving the part (b) of the definition for the claim that is equi-witnessable to .
∎
Final count estimates.
With the CNF-composability lemma at hand, we decompose the counting problem over a conjunction of neural networks and property P, to that of counting over the conjunction of their respective equi-witnessability encodings. Equi-witnessability encodings preserve counts, and taking their conjunction preserves counts. It remains to show how to encode to boolean CNF formulae, such that the encodings are equi-witnessable. Since the encoding preserves counts originally desired exactly, we can utilize off-the-shelf approximate CNF counters (Chakraborty et al., b; Soos and Meel, ) which have guarantees. The final counts are thus guaranteed to be sound estimates by construction, which we establish formally in Theorem 5.5 for the encodings in Section 5.
Why not random sampling?
An alternative to our presented approach is random sampling. One could simply check what fraction of all possible inputs satisfies by testing on a random set of samples. However, the estimates produced by this method will satisfy soundness (defined in Section 2) only if the events being measured have sufficiently high probability. In particular, obtaining such soundness guarantees for rare events, i.e., where counts may be very low, requires an intractably large number of samples. Note that such events do arise in security applications (Carlini et al., 2018; Webb et al., ). Specialized Monte Carlo samplers for such low probability events have been investigated in such contexts (Webb et al., ), but they do not provide soundness guarantees. We aim for a general framework, that works irrespective of the probability of events measured.
5. NPAQ Design
Our tool takes as input a set of trained binarized neural networks and a property P and outputs “how much” P holds over with guarantees. We show a two-step construction from binarized neural nets to CNF. The main principle we adhere to is that at every step we formally prove that we obtain equi-witnessable formulas. While BNNs and, in general, neural nets can be encoded using different background theories, we choose a specialized encoding of BNNs to CNF. First, we express a BNN using cardinality constraints similar to (Narodytska et al., ) (Section 5.1). For the second step, we choose to encode the cardinality constraints to CNF using a sorting-based encoding (Section 5.2). We prove that NPAQ is preserving the equi-witnessability in Theorem 5.5. Finally, we use an approximate model counter that can handle model counting directly over a projected subset of variables for a CNF formula (Soos and Meel, ).
5.1. BNN to Cardinality Constraints
Consider a standard BNN that consists of internal blocks and an output block (Hubara et al., ). We denote the th internal block as and the output block as . More formally, given an input , the binarized neural network is: . For every block , we define the inputs to as the vector . We denote the output for block as the vector . For the output block, we use to denote its input. The input to is . We summarize the transformations for each block in Table 1.
Running Example.
Consider a binarized neural net with a single internal block and a single output (Figure 1). To show how one can derive the constraints from the BNN’s parameters, we work through the procedure to derive the constraint for or the output of the internal block’s first neuron. Suppose we have the following parameters: the weight column vector and bias for the linear layer; , parameters for the batch normalization layer. First, we apply the linear layer transformation (Eq. 1 in Table 1). We create a temporary variable for this intermediate output, . Second, we apply the batch normalization (Eq. 2 in Table 1) and obtain . After the binarization (Eq. 3 in Table 1), we obtain the constraints and . Next, we move all the constants to the right side of the inequality: . Lastly, we translate the input from the domain to the boolean domain, , resulting in the following constraint: . We use a sound approximation for the constant on the right side to get rid of the real values and obtain . For notational simplicity the variables in Figure 1 are boolean variables (since .
To place this in the context of the security application in Section 3, we examine the effect of two arbitrary trojan attack procedures. Their aim is to manipulate the output of a given neural network, , to a target class for inputs with a particular trigger. Let us consider the trigger to be and the target class for two trojaned neural nets, and (shown in Figure 1). Initially, outputs class [math] for only one input that has the trigger . The first observation is that is equivalent to , even though its parameters have changed. The second observation is that changes its output prediction for the input to the target class [math]. We want NPAQ to find how much do and change their predictions for the target class with respect to the inputs that have the trigger, i.e., , where , are trojan property specifications (property as outlined Section 3).
Encoding Details.
The details of our encoding in Table 2 are similar to (Narodytska et al., ). We first encode each block to mixed integer linear programming and implication constraints, applying the MILP rule for the internal block and MILP for the outer block (Table 2). To get rid of the reals, we use sound approximations to bring the constraints down to integer linear programming constraints (see ILP and ILP in Table 2). For the last step, we define a mapping between variables in the binary domain and variables in the boolean domain , . Equivalently, for there exists a unique : . Thus, for every block , we obtain a corresponding formula over booleans denoted as , as shown in rule Card (Table 2). Similarly, for the output block we obtain . We obtain the representation of as a formula BNN shown in Table 2. For notational simplicity, we denote the introduced intermediate variables and as . Since there is a 1:1 mapping between and we use the notation , when it is clear from context which domain has. We refer to BNN as the formula .
Lemma 5.1.
Given a binarized neural net over inputs and outputs , and a property P, let be the specification for P, , where we represent as . Then is equi-witnessable to .
Proof.
We observe that the intermediate variables for each block in the neural network, namely for the th block, are introduced by double implication constraints. Hence, not only are both part (a) and part (b) of definition 4.1 true, but the satisfying assignments for the intermediate variables are uniquely determined by . Due to space constraints, we give our full proof in Appendix 10.1. ∎
5.2. Cardinality Constraints to CNF
Observe that we can express each block in BNN as a conjunction of cardinality constraints (Sinz, ; Asín et al., 2011; Abío et al., b). Cardinality constraints are constraints over boolean variables of the form , where . More specifically, by applying the Card rule (Table 2), we obtain a conjunction over cardinality constraints , together with an implication: . We obtain a similar conjunction of cardinality constraints for the output block (Card, Table 2). The last step for obtaining a Boolean formula representation for the BNN is encoding the cardinality constraints to CNF.
We choose cardinality networks (Asín et al., 2011; Abío et al., b) to encode the cardinality constraints to CNF formulas and show for this particular encoding that the resulting CNF is equi-witnessable to the cardinality constraint. Cardinality networks implement several types of gates, i.e., merge circuits, sorting circuits and 2-comparators, that compose to implement a merge sort algorithm. More specifically, a cardinality constraint of the form has a corresponding cardinality network, \text{Card}_{c}=\Big{(}(\text{Sort}_{c}(x_{1},\ldots,x_{n})=(y_{1},\ldots,y_{c}))\land y_{c}\Big{)}, where Sort is a sorting circuit. As shown by (Asín et al., 2011; Abío et al., b), the following holds true:
Proposition 5.2.
A Sortc network with an input of variables, outputs the first sorted bits. where .
We view as a circuit where we introduce additional variables to represent the output of each gate, and the output of is only if the formula S is true. This is similar to how a Tseitin transformation (Tseitin, 1983) encodes a propositional formula into CNF.
Running Example.
Revisiting our example in Section 5.1, consider ’s cardinality constraint corresponding to , denoted as . This constraint translates to the most basic gate of cardinality networks, namely a 2-comparator (Batcher, ; Asín et al., 2011) shown in Figure 2. Observe that while this efficient encoding ensures that is equi-satisfiable to the formula , counting over the CNF formula does not preserve the count, i.e., it over-counts due to variable . Observe, however, that this encoding is equi-witnessable and thus, a projected model count on gives the correct model count of . The remaining constraints shown in Figure 1 are encoded similarly and not shown here for brevity.
Lemma 5.3 (Substitution).
Let F be a Boolean formula defined over the variables Vars and . For all satisfying assignments .
Lemma 5.4.
For a given cardinality constraint, , let be the CNF formula obtained using cardinality networks, , where are the auxiliary variables introduced by the encoding. Then, is equi-witnessable to S.
- (a)
. 2. (b)
.
Proof.
- (a)
Let there are least ’s such that . Thus, under the valuation to the input variables , the sorting network outputs a sequence where , where (Proposition 5.2). Therefore, = is satisfiable. This implies that . 2. (b)
Let . By Lemma 5.3, . From Proposition 5.2, under the valuation , there are at least ’s such that . Therefore, .
∎
For every , , we have a CNF formula . The final CNF formula for is denoted as , where and is the set of variables introduced by encoding .
Encoding Size.
The total CNF formula size is linear in the size of the model. Given one cardinality constraint , where , a cardinality network encoding produces a CNF formula with clauses and variables. The constant is the maximum value that the parameters of the BNN can take, hence the encoding is linear in . For a given layer with neurons, this translates to cardinality constraints, each over variables. Hence, our encoding procedure produces clauses and variables for each layer. For the output block, is the number of output classes and is the number of neurons in the previous layer. Thus, there are clauses and variables for the output block. Therefore, the total size for a BNN with layers of the CNF is , which is linear in the size of the original model.
Alternative encodings.
Besides cardinality networks, there are many other encodings from cardinality constraints to CNF (Asín et al., 2011; Abío et al., b, a; Sinz, ; Eén and Sörensson, 2006) that can be used as long as they are equi-witnessable. We do not formally prove here but we strongly suspect that adder networks (Eén and Sörensson, 2006) and BDDs (Abío et al., a) have this property. Adder networks (Eén and Sörensson, 2006) provide a compact, linear transformation resulting in a CNF with variables and clauses. The idea is to use adders for numbers represented in binary to compute the number of activated inputs and a comparator to compare it to the constant . A BDD-based (Eén and Sörensson, 2006) encoding builds a BDD representation of the constraint. It uses clauses and variables.
5.3. Projected Model Counting
We instantiate the property P encoded in CNF and the neural network encoded in a CNF formulae C. We make the powerful observation that we can directly count the number of satisfying assignment for over a subset of variables, known as projected model counting (Aziz et al., ). NPAQ uses an approximate model counter with strong PAC-style guarantees. ApproxMC3 (Soos and Meel, ) is an approximate model counter that can directly count on a projected formula making a logarithmic number of calls in the number of formula variables to an NP-oracle, namely a SAT solver.
Theorem 5.5.
NPAQ* is an .*
Proof.
First, by Lemma 4.3, since each cardinality constraint is equi-witnessable to (Lemma 5.4), the conjunction over the cardinality constraints is also equi-witnessable. Second, by Lemma 5.1, BNN is equi-witnessable to C. Since we use an approximate model counter with guarantees (Soos and Meel, ), NPAQ returns for a given BNN and a specification with guarantees. ∎
6. Implementation & Evaluation
We aim to answer the following research questions:
(RQ1) To what extent does NPAQ scale to, e.g., how large are the neural nets and the formulae that NPAQ can handle?
(RQ2) How effective is NPAQ at providing sound estimates for practical security applications?
(RQ3) Which factors influence the performance of NPAQ on our benchmarks and how much?
(RQ4) Can NPAQ be used to refute claims about security-relevant properties over BNNs?
Implementation.
We implemented NPAQ in LOC of Python and C++. We use the PyTorch (v1.0.1.post2) (Paszke et al., ) deep learning platform to train and test binarized neural networks. For encoding the BNNs to CNF, we build our own tool using the PBLib library (Philipp and Steinke, 2015) for encoding the cardinality constraints to CNF. The resulting CNF formula is annotated with a projection set and NPAQ invokes the approximate model counter ApproxMC3 (Soos and Meel, ) to count the number of solutions. We configure a tolerable error and confidence parameter as defaults throughout the evaluation.
Models.
Our benchmarks consist of BNNs, on which we tested the properties derived from the applications outlined in Section 3. The utility of NPAQ in these security applications is discussed in Sections 6.2- 6.4. For each application, we trained BNNs with the following different architectures:
- •
ARCH1 - BLK1()
- •
ARCH2 - BLK1(), BLK2()
- •
ARCH3 - BLK1(), BLK2()
- •
ARCH4 - BLK1(), BLK2(), BLK3()
For each architecture, we take snapshots of the model learnt at different epochs. In total, this results in total models, each with parameters. Encoding various properties (Sections 6.2- 6.4) results in a total of distinct formulae. For each formula, NPAQ returns i.e., the number of satisfying solutions. Given , we calculate PS i.e., the percentage of the satisfying solutions with respect to the total input space size. The meaning of PS percentage values is application-specific. In trojan attacks, PS(tr) represents inputs labeled as the target class. In robustness quantification, PS(adv) reports the adversarial samples.
Datasets.
We train models over standard datasets. Specifically, we quantify robustness and trojan attack effectiveness on the MNIST (LeCun and Cortes, 2010) dataset and estimate fairness queries on the UCI Adult dataset (uci, 2017). We choose them as prior work use these datasets (Galloway et al., ; Datta et al., b; Raghunathan et al., ; Gao et al., 2019; Albarghouthi et al., ).
MNIST.
The dataset contains gray-scale images of handwritten digits with classes. In our evaluation, we resize the images to and binarize the normalized pixels in the images.
UCI Adult Census Income.
The dataset is records with attributes such as age, gender, education, marital status, occupation, working hours, and native country. The task is to predict whether a given individual has an income of over \50,0005/1453366$ binary features in total.
Experimental Setup.
All experiments are performed on GHz CPUs, cores, GB RAM. Each counting process executed on one core and GB memory cap and a -hour timeout per formula.
6.1. NPAQ Benchmarking
We benchmark NPAQ and report breakdown on formulae.
Estimation Efficiency.
NPAQ successfully solves ( / ) formulae. In quantifying the effectiveness of trojan attacks and fairness applications, the raw size of the input space (over all possible choices of the free variables) is and , respectively. Naive enumeration for such large spaces is intractable. NPAQ returns estimates for of the formulae within hours and of the formulae within hours for these two applications. In robustness application, the total input sizes are a maximum of about .
Result 1: NPAQ solves formulae in -hour timeout.
Encoding Efficiency.
NPAQ takes a maximum of minute to encode each model, which is less than of the total timeout. The formulae size scale linearly with the model, as expected from encoding construction. NPAQ presently utilizes off-the-shelf CNF counters, and their performance heavily dominates NPAQ time. NPAQ presently scales to formulae of ~ variables and ~ clauses. However, given the encoding efficiency, we expect NPAQ to scale to larger models with future CNF counters (Chakraborty et al., c; Soos and Meel, ).
Result 2: NPAQ takes ~ minute to encode the model.
Number of Formulae vs. Time.
Figure 3 plots the number of formulae solved with respect to the time, the relationship is logarithmic. NPAQ solves formulae in the first hours, whereas, it only solves more in the next hours. We notice that the neural net depth impacts the performance, most timeouts () stem from ARCH4. timeouts are for Property P1 (Section 3) to quantify adversarial robustness. Investigating why certain formulae are harder to count is an active area of independent research (Dudek et al., b; Achlioptas and Ricci-Tersenghi, ; Dudek et al., a).
Performance with varying ().
We investigate the relationship between different error and confidence parameters and test co-relation with parameters that users can pick. We select a subset of formulae 222Our timeout is hours per formula, so we resorted to checking a subset of formulae. which have varying degrees of the number of solutions, a large enough input space which is intractable for enumeration, and varying time performance for the baseline parameters of . Since these arise most naturally in fairness application encodings using ARCH2, we chose all the 3 formulae in it.
We first vary the error tolerance (or precision), while keeping the same for the fairness application, as shown in Table 3. This table illustrates no significant resulting difference in counts reported by NPAQ under different precision parameter values. More precisely, the largest difference as the natural logarithmic of the count is for and for the feature “Gender”. This suggests that for these formulae, decreasing the error bound does not yield a much higher count precision.
Higher precision does come at a higher performance cost, as the takes more time than . The results are similar when varying the confidence parameter (smaller is better) for (Table 3). This is because the number of calls to the SAT solver depends only on the parameter, while dictates how constrained the space of all inputs or how small the “bucket” of solutions is (Soos and Meel, ; Chakraborty et al., b). Both of these significantly increase the time taken. Users can tune and based on the required applications precision and the available time budget.
Result 3: NPAQ reports no significant difference in the counts produced when configured with different and .
PS vs. Time.
We investigate if NPAQ solving efficiency varies with increasing count size. Specifically, we measure the PS with respect to the time taken for all the formulae. Table 4 shows the PS plot for time intervals and density intervals. We observe that the number of satisfying solutions do not significantly influence the time taken to solve the instance. This suggests that NPAQ is generic enough to solve formulae with arbitrary solution set sizes.
Result 4: For a given and , NPAQ solving time is not significantly influenced by the PS.
6.2. Case Study 1: Quantifying Robustness
We quantify the model robustness and the effectiveness of defenses for model hardening with adversarial training.
Number of Adversarial Inputs.
One can count precisely what fraction of inputs, when drawn uniformly at random from a constrained input space, are misclassified for a given model. For demonstrating this, we first train BNNs on the MNIST dataset, one using each of the architectures ARCH1-ARCH4. We encode the Property P1 (Section 3) corresponding to perturbation bound . We take randomly sampled images from the test set, and for each one, we encoded one property constraining adversarial perturbation to each possible value of . This results in a total of formulae on which NPAQ runs with a timeout of hours per formula. If NPAQ terminates within the timeout limit, it either quantifies the number of solutions or outputs UNSAT, meaning that there are no adversarial samples with up to bit perturbation. Table 4 shows the average number of adversarial samples and their PS(adv), i.e., percentage of count to the total input space.
As expected, the number of adversarial inputs increases with . From these sound estimates, one can conclude that ARCH1, though having a lower accuracy, has less adversarial samples than ARCH2-ARCH4 for . ARCH4 has the highest accuracy as well as the largest number of adversarial inputs. Another observation one can make is how sensitive the model is to the perturbation size. For example, PS(adv) for ARCH3 varies from .
Effectiveness of Adversarial Training.
As a second example of a usage scenario, NPAQ can be used to measure how much a model improves its robustness after applying certain adversarial training defenses. In particular, prior work has claimed that plain (unhardened) BNNs are possibly more robust than hardened models—one can quantitatively verify such claims (Galloway et al., ). Of the many proposed adversarial defenses (Goodfellow et al., ; Galloway et al., ; Papernot et al., b; Liao et al., ; Xie et al., ), we select two representative defenses (Galloway et al., ), though our methods are agnostic to how the models are obtained. We use a fast gradient sign method (Goodfellow et al., ) to generate adversarial inputs with up to bits perturbation for both. In defense1, we first generate the adversarial inputs given the training set and then retrain the original models with the pre-generated adversarial inputs and training set together. In defense2 (Galloway et al., ), alternatively, we craft the adversarial inputs while retraining the models. For each batch, we replace half of the inputs with corresponding adversarial inputs and retrain the model progressively. We evaluate the effectiveness of these two defenses on the same images used to quantify the robustness of the previous (unhardened) BNNs. We take snapshots for each model, one at training epoch and another at epoch . This results in a total of formulae corresponding to adversarially trained (hardened) models. Table 5 shows the number of adversarial samples and PS(adv).
Observing the sound estimates from NPAQ, one can confirm that plain BNNs are more robust than the hardened BNNs for models, as suggested in prior work. Further, the security analyst can compare the two defenses. For both epochs, defense1 and defense2 outperform the plain BNNs only for and models respectively. Hence, there is no significant difference between defense1 and defense2 for the models we trained. One can use NPAQ estimates to select a model that has high accuracy on the benign samples as well as less adversarial samples. For example, the ARCH4 model trained with defense2 at epoch has the highest accuracy () and adversarial samples.
6.3. Case Study 2: Quantifying Effectiveness of Trojan Attacks
The effectiveness of trojan attacks is often evaluated on a chosen test set, drawn from a particular distribution of images with embedded trojan triggers (Liu et al., ; Gao et al., 2019). Given a trojaned model, one may be interested in evaluating how effective is the trojaning outside this particular test distribution (Liu et al., ). Specifically, NPAQ can be used to count how many images with a trojan trigger are classified to the desired target label, over the space of all possible images. Property P2 from Section 3 encodes this. We can then compare the NPAQ count vs. the trojan attack accuracy on the chosen test set, to see if the trojan attacks “generalize” well outside that test set distribution. Note that space of all possible inputs is too large to enumerate.
As a representative of such analysis, we trained BNNs on the MNIST dataset with a trojaning technique adapted from Liu et al. (Liu et al., ) (the details of the procedure are outlined later). Our BNNs models may obtain better attack effectivenessas the trojaning procedure progresses over time. Therefore, for each model, we take a snapshot during the trojaning procedure at epochs , , and . There are models (ARCH1-ARCH4), and for each, we train different models each classifying the trojan input to a distinct output label. Thus, there are a total of models leading to total snapshotted models and encoded formulae. If NPAQ terminates within the timeout of hours, it either quantifies the number of solutions or outputs UNSAT, indicating that no trojaned input is labeled as the target output at all. The effectiveness of the trojan attack is measured by two metrics:
- •
PS(tr): The percentage of trojaned inputs labeled as the target output to the size of input space, generated by NPAQ.
- •
ACCt: The percentage of trojaned inputs in the chosen test set labeled as the desired target output.
Table 6 reports the PS(tr) and ACCt. Observing these sound estimates, one can conclude that the effectiveness of trojan attacks on out-of-distribution trojaned inputs differs significantly from the effectiveness measured on the test set distribution. In particular, if we focus on the models with the highest PS(tr) for each architecture and target class (across all epochs), only ( out ) are the same as when we pick the model with highest ACCt instead.
Attack Procedure.
The trojaning process can be arbitrarily different from ours; the use of NPAQ for verifying them does not depend on it in any way. Our procedure is adapted from that of Liu et al. which is specific to models with real-valued weights. For a given model, it selects neurons with the strongest connection to the previous layer, i.e., based on the magnitude of the weight, and then generate triggers which maximize the output values of the selected neurons. This heuristic does not apply to BNNs as they have weights. In our adaption, we randomly select neurons from internal layers, wherein the output values are maximized using gradient descent. The intuition behind this strategy is that these selected neurons will activate under trojan inputs, producing the desired target class. For this procedure, we need a set of trojan and benign samples. In our procedure, we assume that we have access to a benign images, unlike the work in Liu et al. which generates this from the model itself. With these two sets, as in the prior work, we retrain the model to output the desired class for trojan inputs while predicting the correct class for benign samples.
6.4. Case Study 3: Quantifying Model Fairness
We use NPAQ to estimate how often a given neural net treats similar inputs, i.e., inputs differing in the value of a single feature, differently. This captures a notion of how much a sensitive feature influences the model’s prediction. We quantify fairness for BNNs, one for each architecture ARCH1-ARCH4, trained on the UCI Adult (Income Census) dataset (uci, 2017). We check fairness against sensitive features: marital status, gender, and race. We encode queries for each model using Property P3— P5 (Section 3). Specifically, for how many people with exactly the same features, except one’s marital status is “Divorced” while the other is “Married”, would result in different income predictions? We form similar queries for gender (“Female” vs. “Male”) and race (“White” vs. “Black”) 333We use the category and feature names verbatim as in the dataset. They do not reflect the authors’ views..
Effect of Sensitive Features.
models, queries, and different sensitive features give formulae. Table 7 reports the percentage of counts generated by NPAQ. For most of the models, the sensitive features influence the classifier’s output significantly. Changing the sensitive attribute while keeping the remaining features the same, results in % of all possible inputs having a different prediction. Put another way, we can say that for less than % when two individuals differ only in one of the sensitive features, the classifier will output the same output class. This means most of our models have a “fairness score” of less than %.
Quantifying Direction of Bias.
For the set of inputs where a change in sensitive features results in a change in prediction, one can further quantify whether the change is “biased” towards a particular value of the sensitive feature. For instance, using NPAQ, we find that across all our models consistently, a change from “Married” to “Divorced” results in a change in predicted income from LOW to HIGH. 444An income prediction of below \50,0009.132.0710.193$ models, ARCH1, ARCH2, and ARCH4 will predict that an individual with the same features except for the sensitive feature would likely have a LOW income if the race attribute is set to be “Black”.
With NPAQ, we can distinguish how much the models treat individuals unfairly with respect to a sensitive feature. One can encode other fairness properties, such as defining a metric of similarity between individuals where non-sensitive features are within a distance, similar to individual fairness (Dwork et al., ). NPAQ can be helpful for such types of fairness formulations.
7. Related Work
We summarize the closely related work to NPAQ.
Non-quantitative Neural Network Verification.
Our work is on quantitatively verifying neural networks, and NPAQ counts the number of discrete values that satisfy a property. We differ in our goals from many non-quantitative analyses that calculate continuous domain ranges or single witnesses of satisfying values. Pulina and Tacchella (Pulina and Tacchella, ), who first studied the problem of verifying neural network safety, implement an abstraction-refinement algorithm that allows generating spurious examples and adding them back to the training set. Reluplex (Katz et al., ), an SMT solver with a theory of real arithmetic, verifies properties of feed-forward networks with ReLU activation functions. Huang et al. (Huang et al., ) leverage SMT by discretizing an infinite region around an input to a set of points and then prove that there is no inconsistency in the neural net outputs. Ehlers (Ehlers, ) scope the work to verifying the correctness and robustness properties on piece-wise activation functions, i.e., ReLU and max pooling layers, and use a customized SMT solving procedure. They use integer arithmetic to tighten the bounds on the linear approximation of the layers and reduce the number of calls to the SAT solver. Wang et al. (Wang et al., ) extend the use of integer arithmetic to reason about neural networks with piece-wise linear activations. Narodytska et al. (Narodytska et al., ) propose an encoding of binarized neural networks as CNF formulas and verifies robustness properties and equivalence using SAT solving techniques. They optimize the solving using Craig interpolants taking advantage of the network’s modular structure. AI2 (Gehr et al., ), DeepZ (Singh et al., a), DeepPoly (Singh et al., b) use abstract interpretation to verify the robustness of neural networks with piece-wise linear activations. They over-approximate each layer using an abstract domain, i.e., a set of logical constraints capturing certain shapes (e.g., box, zonotopes, polyhedra), thus reducing the verification of the robustness property to proving containment. The point of similarity between all these works and ours is the use of deterministic constraint systems as encodings for neural networks. However, our notion of equi-witnessability encodings applies to only specific constructions and is the key to preserving model counts.
Non-quantitative verification as Optimization.
Several works have posed the problem of certifying robustness of neural networks as a convex optimization problem. Ruan, Huang, & Kwiatkowska (Ruan et al., ) reduce the robustness verification of a neural network to the generic reachability problem and then solve it as a convex optimization problem. Their work provides provable guarantees of upper and lower bounds, which converges to the ground truth in the limit. Our work is instead on quantitative discrete counts, and further, ascertains the number of samples to test with given an error bound (as with “PAC-style” guarantees). Raghunathan, Steinhardt, & Percy (Raghunathan et al., ) verify the robustness of one-hidden layer networks by incorporating the robustness property in the optimization function. They compute an upper bound which is the certificate of robustness against all attacks and inputs, including adversarial inputs, within ball of radius . Similarly, Wong and Kolter (Wong and Kolter, ) train networks with linear piecewise activation functions that are certifiably robust. Dvijotham et al. (Dvijotham et al., 2018) address the problem of formally verifying neural networks as an optimization problem and obtain provable bounds on the tightness guarantees using a dual approach.
Quantitative Verification of Programs.
Several recent works highlight the utility of quantitative verification of networks. They target the general paradigm of probabilistic programming and decision-making programs (Albarghouthi et al., ; Holtzen et al., ). FairSquare (Albarghouthi et al., ) proposes a probabilistic analysis for fairness properties based on weighted volume computation over formulas defining real closed fields. While FairSquare is more expressive and can be applied to potentially any model programmable in the probabilistic language, it does not guarantee a result computed in finite time will be within a desired error bound (only that it would converge in the limit). Webb et al. (Webb et al., ) using a statistical approach for quantitative verification but without provable error bounds for computed results as in NPAQ.
CNF Model Counting.
In his seminal paper, Valiant showed that #CNF is #P-complete, where #P is the set of counting problems associated with NP decision problems (Valiant, 1979). Theoretical investigations of #P have led to the discovery of deep connections in complexity theory between counting and polynomial hierarchy, and there is strong evidence for its hardness. In particular, Toda showed that every problem in the polynomial hierarchy could be solved by just one invocation of #P oracle; more formally, (Toda, 1989).
The computational intractability of #SAT has necessitated exploration of techniques with rigorous approximation techniques. A significant breakthrough was achieved by Stockmeyer who showed that one couls compute approximation with guarantees given access to an NP oracle. The key algorithmic idea relied on the usage of hash functions but the algorithmic approach was computationally prohibitive at the time and as such did not lead to development of practical tools until early 2000s (Meel, 2017). Motivated by the success of SAT solvers, in particular development of solvers capable of handling CNF and XOR constraints, there has been a surge of interest in the design of hashing-based techniques for approximate model counting for the past decade (Gomes et al., ; Chakraborty et al., b; Ermon et al., b; Chakraborty et al., c; Meel et al., ; Meel, 2017; Achlioptas and Theodoropoulos, ; Soos and Meel, ).
8. Conclusion
We present a new algorithmic framework for approximate quantitative verification of neural networks with formal PAC-style soundness. The framework defines a notion of equi-witnessability encodings of neural networks into CNF formulae. Such encodings preserve counts and ensure composibility under logical conjunctions. We instantiate this framework for binarized neural networks, building a prototype tool called NPAQ. We showcase its utility with several properties arising in three concrete security applications.
9. Acknowledgments
This research is supported by research grant DSOCL17019 from DSO, Singapore. This research was partially supported by a grant from the National Research Foundation, Prime Minister’s Office, Singapore under its National Cybersecurity R&D Program (TSUNAMi project, No. NRF2014NCR-NCR001-21) and administered by the National Cybersecurity R&D Directorate. This research is supported by the National Research Foundation Singapore under its AI Singapore Programme [R-252- 000-A16-490] and the NUS ODPRT Grant [R-252-000-685-133]. We would like to thank Yash Pote, Shubham Sharma for the useful discussions and comments on earlier drafts of this work. We also thank Zheng Leong Chua for his help in setting up experiments. Part of the computational work for this article was performed on resources of the National Supercomputing Centre, Singapore 555https://www.nscc.sg/.
10. Appendix
10.1. Lemma 5.1 Detailed Proof
For the ease of proof of Lemma 5.1, we first introduce the notion of independent support.
Independent Support.
An independent support for a formula is a subset of variables appearing in formula F, , that uniquely determine the values of the other variables in any satisfying assignment (Chakraborty et al., d). In other words, if there exist two satisfying assignments and that agree on then . Then .
Proof.
We prove that by showing that is an independent support for BNN. This follows directly from the construction of BNN. If is an independent support then the following has to hold true:
[TABLE]
As per Table 2, we expand :
[TABLE]
G is valid if and only if is unsatisfiable.
[TABLE]
The first block’s formula’s introduced variables are uniquely determined by . For every formula corresponding to an internal block the introduced variables are uniquely determined by the input variables. Similarly, for the output block (formula OUT in Table 2). If then , so the second clause is not satisfied. Then, since . Thus, G is a valid formula which implies that forms an independent support for the BNN formula .
∎
10.2. Quantitative Verification is #P-hard
We prove that quantitative verification is #P-hard by reducing the problem of model counting for logical formulas to quantitative verification of neural networks. We show how an arbitrary CNF formula can be transformed into a binarized neural net and a specification such that the number of models for is the same as , i.e., . Even for this restricted class of multilayer perceptrons quantitative verification turns out to be #P-hard. Hence, in general, quantitative verification over multilayer perceptrons is #P-hard.
Theorem 10.1.
NQV* () is #P-hard, where is a specification for a property P over binarized neural nets.*
Proof.
We proceed by constructing a mapping between the propositional variables of the formula and the inputs of the BNN. We represent the logical formula as a logical circuit with the gates AND, OR, NOT corresponding to . In the following, we show that for each of the gates there exist an equivalent representation as a perceptron. For the OR gate we construct an equivalent perceptron, i.e., for every clause of the formula , we construct a perceptron. The perceptron is activated only if the inputs correspond to a satisfying assignment to the formula . Similarly, we show a construction for the AND gate. Thus, we construct a BNN that composes these gates such that it can represent the logical formula exactly.
Let be a CNF formula over the propositional variables . We denote the literals appearing in clause as , , i.e., . Let be an assignment for . We say is satisfiable if there exists an assignment such that . The binarized neural net has inputs and one output , , and . This can easily we extended to multi-class output.
We first map the propositional variables to variables in the binary domain . For every clause , for every literal there is a corresponding input to the neural net : . For each input variable the weight of the neuron connection is if the propositional variable appears as a positive literal in the clause and if it appears as a negative literal in .
For every clause appearing the formula , we construct a disjunction gadget, a perceptron with an equivalent function as the OR gate. Given inputs , the disjunction gadget outputs a node that is 1 only if , otherwise the output of is -1. The intermediate variable . The output is 1 only if at least one literal is true, i.e., not all terms evaluate to -1. Notice that we only need neurons for each clause with literals.
We next introduce the conjunction gadget which, given inputs outputs a node that is only if . The intermediate result over which we apply the sign activation function. The output of this conjunction is which is 1 only if all of the variables are 1, i.e., if all the clauses are satisfied.
If the output of is the formula is SAT, otherwise it is UNSAT. For every satisfying assignment for the formula , there exists an accepting output for the binarized neural net, i.e., . Hence, if there exists a procedure #SAT() that accepts formula and outputs a number which is the number of satisfying assignments, it will also compute the number of inputs for which the output of the BNN is . Specifically, we can construct a quantitative verifier for the neural net and a specification using #SAT().
Reduction is polynomial.
The size of the formula is the size of the input to the neural net, i.e., . The neural net has perceptrons ( for each disjunction gadget and one for the conjunction gadget).
∎
The reference list from the paper itself. Each links out to its DOI / PubMed record.
- 1(1)
- 2com (2012) 2012. Correctional Offender Management Profiling for Alternative Sanctions. http://www.northpointeinc.com/files/downloads/FAQ_Document.pdf . (2012).
- 3uci (2017) 2017. UCI Machine Learning Repository. http://archive.ics.uci.edu/ml. (2017).
- 4Abío et al . (a) Ignasi Abío, Robert Nieuwenhuis, Albert Oliveras, and Enric Rodríguez-Carbonell. BD Ds for pseudo-Boolean constraints–revisited. In SAT’11 .
- 5Abío et al . (b) Ignasi Abío, Robert Nieuwenhuis, Albert Oliveras, and Enric Rodríguez-Carbonell. A parametric approach for smaller and better encodings of cardinality constraints. In CP’13 .
- 6(6) Dimitris Achlioptas and Federico Ricci-Tersenghi. On the solution-space geometry of random constraint satisfaction problems. In STOC’06 .
- 7(7) Dimitris Achlioptas and P. Theodoropoulos. Probabilistic Model Counting with Short XO Rs. In SAT’17 .
- 8(8) Aws Albarghouthi, Loris D’Antoni, Samuel Drews, and Aditya V Nori. Fair Square: probabilistic verification of program fairness. In OOPSLA’17 .
