Understanding Local Robustness of Deep Neural Networks under Natural Variations

TL;DR

This paper investigates the local robustness of deep neural networks to natural variations in input data, proposing tools to identify specific inputs that are vulnerable to small, natural changes, thereby improving safety and reliability.

Contribution

It introduces DeepRobust-W and DeepRobust-B, novel methods for localizing non-robust inputs under natural variations in DNNs, filling a gap in existing robustness research.

Findings

DeepRobust methods achieve up to 91.4% F1 score in image classification.

DeepRobust-B achieves up to 99.1% F1 score in identifying non-robust points.

DeepRobust-W is effective in a regression task for self-driving car models.

Abstract

Deep Neural Networks (DNNs) are being deployed in a wide range of settings today, from safety-critical applications like autonomous driving to commercial applications involving image classifications. However, recent research has shown that DNNs can be brittle to even slight variations of the input data. Therefore, rigorous testing of DNNs has gained widespread attention. While DNN robustness under norm-bound perturbation got significant attention over the past few years, our knowledge is still limited when natural variants of the input images come. These natural variants, e.g. a rotated or a rainy version of the original input, are especially concerning as they can occur naturally in the field without any active adversary and may lead to undesirable consequences. Thus, it is important to identify the inputs whose small variations may lead to erroneous DNN behaviors. The very few studies that looked at DNN's robustness under natural variants, however, focus on estimating the overall robustness of DNNs across all the test data rather than localizing such error-producing points. This work aims to bridge this gap. To this end, we study the local per-input robustness properties of the DNNs and leverage those properties to build a white-box (DeepRobust-W) and a black-box (DeepRobust-B) tool to automatically identify the non-robust points. Our evaluation of these methods on three DNN models spanning three widely used image classification datasets shows that they are effective in flagging points of poor robustness. In particular, DeepRobust-W and DeepRobust-B are able to achieve an F1 score of up to 91.4% and 99.1%, respectively. We further show that DeepRobust-W can be applied to a regression problem in another domain. Our evaluation on three self-driving car models demonstrates that DeepRobust-W is effective in identifying points of poor robustness with F1 score up to 78.9%.