Reachable Sets of Classifiers and Regression Models: (Non-)Robustness Analysis and Robust Training

TL;DR

This paper introduces methods to compute and analyze the reachable sets of neural networks, enhancing understanding of their robustness, reliability, and feature influence, with applications to robust training and prediction assessment.

Contribution

It presents versatile approaches for over- and under-approximating neural network reachable sets, enabling robustness verification, robust training, and feature importance analysis.

Findings

Outperforms existing methods in robustness verification against non-norm bound perturbations.

Provides effective techniques for distinguishing reliable from non-reliable predictions.

Enhances neural network robustness and interpretability through reachable set analysis.

Abstract

Neural networks achieve outstanding accuracy in classification and regression tasks. However, understanding their behavior still remains an open challenge that requires questions to be addressed on the robustness, explainability and reliability of predictions. We answer these questions by computing reachable sets of neural networks, i.e. sets of outputs resulting from continuous sets of inputs. We provide two efficient approaches that lead to over- and under-approximations of the reachable set. This principle is highly versatile, as we show. First, we use it to analyze and enhance the robustness properties of both classifiers and regression models. This is in contrast to existing works, which are mainly focused on classification. Specifically, we verify (non-)robustness, propose a robust training procedure, and show that our approach outperforms adversarial attacks as well as state-of-the-art methods of verifying classifiers for non-norm bound perturbations. Second, we provide techniques to distinguish between reliable and non-reliable predictions for unlabeled inputs, to quantify the influence of each feature on a prediction, and compute a feature ranking.