Towards Practical Robustness Analysis for DNNs based on PAC-Model Learning

TL;DR

This paper introduces DeepPAC, a scalable black-box framework for analyzing DNN robustness using PAC-model learning, providing more accurate and practical robustness guarantees compared to existing methods.

Contribution

We integrate model learning into PAC robustness analysis, constructing PAC guarantees at the model level for more faithful robustness evaluation, and implement a scalable tool called DeepPAC.

Findings

DeepPAC outperforms PROVERO in robustness analysis accuracy.

DeepPAC achieves more practical robustness evaluation than ERAN.

Results are consistent with existing DNN testing methods like DeepGini.

Abstract

To analyse local robustness properties of deep neural networks (DNNs), we present a practical framework from a model learning perspective. Based on black-box model learning with scenario optimisation, we abstract the local behaviour of a DNN via an affine model with the probably approximately correct (PAC) guarantee. From the learned model, we can infer the corresponding PAC-model robustness property. The innovation of our work is the integration of model learning into PAC robustness analysis: that is, we construct a PAC guarantee on the model level instead of sample distribution, which induces a more faithful and accurate robustness evaluation. This is in contrast to existing statistical methods without model learning. We implement our method in a prototypical tool named DeepPAC. As a black-box method, DeepPAC is scalable and efficient, especially when DNNs have complex structures or high-dimensional inputs. We extensively evaluate DeepPAC, with 4 baselines (using formal verification, statistical methods, testing and adversarial attack) and 20 DNN models across 3 datasets, including MNIST, CIFAR-10, and ImageNet. It is shown that DeepPAC outperforms the state-of-the-art statistical method PROVERO, and it achieves more practical robustness analysis than the formal verification tool ERAN. Also, its results are consistent with existing DNN testing work like DeepGini.