Towards Reliable Neural Specifications

TL;DR

This paper introduces neural activation patterns (NAPs) as a new, more reliable specification method for neural networks, enabling larger verifiable regions and better practical applicability than existing data-based specifications.

Contribution

The paper proposes NAPs as a novel specification approach using neural activation patterns, improving verification scope and reliability over traditional data-centric methods.

Findings

Verified larger input regions on MNIST and CIFAR10 datasets.

Achieved 84% data recall on MNIST with NAPs.

Expanded verifiable bounds to ten times larger on CIFAR10.

Abstract

Having reliable specifications is an unavoidable challenge in achieving verifiable correctness, robustness, and interpretability of AI systems. Existing specifications for neural networks are in the paradigm of data as specification. That is, the local neighborhood centering around a reference input is considered to be correct (or robust). While existing specifications contribute to verifying adversarial robustness, a significant problem in many research domains, our empirical study shows that those verified regions are somewhat tight, and thus fail to allow verification of test set inputs, making them impractical for some real-world applications. To this end, we propose a new family of specifications called neural representation as specification, which uses the intrinsic information of neural networks - neural activation patterns (NAPs), rather than input data to specify the correctness and/or robustness of neural network predictions. We present a simple statistical approach to mining neural activation patterns. To show the effectiveness of discovered NAPs, we formally verify several important properties, such as various types of misclassifications will never happen for a given NAP, and there is no ambiguity between different NAPs. We show that by using NAP, we can verify a significant region of the input space, while still recalling 84% of the data on MNIST. Moreover, we can push the verifiable bound to 10 times larger on the CIFAR10 benchmark. Thus, we argue that NAPs can potentially be used as a more reliable and extensible specification for neural network verification.