SpringerLink
Log in

The hexatope and octatope abstract domains for neural network verification

  • Research
  • Published:
Formal Methods in System Design Aims and scope Submit manuscript

Abstract

Efficient verification algorithms for neural networks often depend on various abstract domains such as intervals, zonotopes, and linear star sets. The choice of the abstract domain presents an expressiveness vs. scalability trade-off: simpler domains are less precise but yield faster algorithms. This paper investigates the hexatope and octatope abstract domains in the context of neural net verification. Hexatopes are affine transformations of higher-dimensional hexagons, defined by difference constraint systems, and octatopes are affine transformations of higher-dimensional octagons, defined by unit-two-variable-per-inequality constraint systems. These domains generalize the idea of zonotopes which can be viewed as affine transformations of hypercubes. On the other hand, they can be considered as a restriction of linear star sets, which are affine transformations of arbitrary \(\mathcal {H}\)-Polytopes. This distinction places hexatopes and octatopes firmly between zonotopes and linear star sets in their expressive power, but what about the efficiency of decision procedures? An important analysis problem for neural networks is the exact range computation problem that asks to compute the exact set of possible outputs given a set of possible inputs. For this, three computational procedures are needed: (1) optimization of a linear cost function; (2) affine map**; and (3) over-approximating the intersection with a half-space. While zonotopes allow an efficient solution for these approaches, star sets solves these procedures via linear programming. We show that these operations are faster for hexatopes and octatopes than they are for the more expressive linear star sets by reducing the linear optimization problem over these domains to the minimum cost network flow, which can be solved in strongly polynomial time using the Out-of-Kilter algorithm. Evaluating exact range computation on several ACAS Xu neural network benchmarks, we find that hexatopes and octatopes show promise as a practical abstract domain for neural network verification.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Subscribe and save

Springer+ Basic
EUR 32.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or Ebook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Fig. 1
Algorithm 3.1
Fig. 2
Fig. 3
Fig. 4
Algorithm 4.1
Algorithm 5.1

Similar content being viewed by others

Data availability

Data is available upon request.

References

  1. Ahuja RK, Magnanti TL, Orlin JB (1993) Network flows: theory, algorithms, and applications. Prentice Hall, Upper Saddle River

    Google Scholar 

  2. Akintunde M, Lomuscio A, Maganti L, Pirovano E (2018). Reachability analysis for neural agent-environment systems. In: 16th international conference on principles of knowledge representation and reasoning

  3. Albarghouthi A (2021) Introduction to neural network verification. http://verifieddeeplearning.com

  4. Bak S (2021) nnenum: verification of ReLU neural networks with optimized abstraction refinement. In: NASA formal methods symposium, pp 19–36. Springer

  5. Bak S, Dohmen T, Subramani K, Trivedi A, Velasquez A, Wojciechowski P (2023) The octatope abstract domain for verification of neural networks. In: Chechik M, Katoen J-P, Leucker M (eds), Formal methods—25th international symposium, FM 2023, Lübeck, Germany, March 6-10, 2023, Proceedings, volume 14000 of Lecture Notes in Computer Science, pp 454–472. Springer

  6. Bak S, Liu C, Johnson T (2021) The second international verification of neural networks competition (VNN-comp 2021): summary and results. ar**v:2109.00498

  7. Bak S, Tran H-D, Hobbs K, Johnson TT (2020) Improved geometric path enumeration for verifying Relu neural networks. In: Proceedings of the 32nd international conference on computer aided verification. Springer

  8. Baluta T, Shen S, Shinde S, Meel KS, Saxena P (2019) Quantitative verification of neural networks and its security applications. In: Proceedings of the 2019 ACM SIGSAC conference on computer and communications security, pp 1249–1264

  9. Bazaraa MS, Jarvis JJ, Sherali HD (2008) Linear programming and network flows. Wiley, New York

    Google Scholar 

  10. Behrmann G, David A, Larsen KG, Håkansson J, Pettersson P, Yi W, Hendriks M (2006) UPPAAL 4.0. In: 3rd international conference on the quantitative evaluation of systems (QEST 2006), 11-14 September 2006, Riverside, California, USA, pp 125–126. IEEE Computer Society

  11. Biswas S, Rajan H (2023) Fairify: fairness verification of neural networks. In: 2023 IEEE/ACM 45th international conference on software engineering (ICSE), pp 1546–1558. IEEE

  12. Casadio M, Komendantskaya E, Daggitt ML, Kokke W, Katz G, Amir G, Refaeli I (2022) Neural network robustness as a verification property: a principled case study. In: International conference on computer aided verification, pp 219–231. Springer

  13. Cohen MB, Lee YT, Song Z (2021) Solving linear programs in the current matrix multiplication time. J ACM 68(1):3:1-3:39

    Article  MathSciNet  Google Scholar 

  14. Cormen TH, Leiserson CE, Rivest RL, Stein C (2009) Introduction to algorithms, 3rd edn. MIT Press, Cambridge

    Google Scholar 

  15. Cousot P, Cousot R (1977) Abstract interpretation: A unified lattice model for static analysis of programs by construction or approximation of fixpoints. In: Proceedings of the 4th ACM SIGACT-SIGPLAN symposium on principles of programming languages, POPL ’77, pp 238–252, New York, NY, USA. Association for Computing Machinery

  16. De Moura L, Bjørner N (2008). Z3: an efficient SMT solver. In: International conference on tools and algorithms for the construction and analysis of systems, pp 337–340. Springer

  17. Duggirala PS, Viswanathan M (2016). Parsimonious, simulation based verification of linear systems. In: International conference on computer aided verification, pp 477–494. Springer

  18. Friedmann O, Hansen TD, Zwick U (2011) Subexponential lower bounds for randomized pivoting rules for the simplex algorithm. In: Symposium on theory of computing, STOC’11, pp 283–292, New York, NY, USA. ACM

  19. Gehr T, Mirman M, Drachsler-Cohen D, Tsankov P, Chaudhuri S, Vechev M (2018). Ai2: safety and robustness certification of neural networks with abstract interpretation. In: 2018 IEEE symposium on security and privacy (SP), pp 3–18. IEEE

  20. Ghorbal K, Goubault E, Putot S (2009). The zonotope abstract domain Taylor1+. In: International conference on computer aided verification, pp 627–633. Springer

  21. Goldberg AV, Tarjan RE (1989) Finding minimum-cost circulations by canceling negative cycles. J ACM 36(4):873–886

    Article  MathSciNet  Google Scholar 

  22. Henriksen P, Lomuscio A (2020). Efficient neural network verification via adaptive refinement and adversarial search. In: ECAI 2020, pp 2513–2520. IOS Press

  23. Henriksen P, Lomuscio A (2021). Deepsplit: an efficient splitting method for neural network verification via indirect effect analysis. In: Proceedings of the 30th international joint conference on artificial intelligence (IJCAI21), To appear

  24. Huang X, Kroening D, Ruan W, Sharp J, Sun Y, Thamo E, Wu M, Yi X (2020) A survey of safety and trustworthiness of deep neural networks: verification, testing, adversarial attack and defence, and interpretability. Comput Sci Rev 37:100270

    Article  MathSciNet  Google Scholar 

  25. Huang X, Kwiatkowska M, Wang S, Wu M (2017) Safety verification of deep neural networks. In: Computer aided verification: 29th international conference, CAV 2017, Heidelberg, Germany, July 24-28, 2017, Proceedings, Part I 30, pp 3–29. Springer

  26. Katz G, Barrett C, Dill DL, Julian K, Kochenderfer MJ (2017) Reluplex: an efficient SMT solver for verifying deep neural networks. In: International conference on computer aided verification, pp 97–117. Springer

  27. Katz G, Huang DA, Ibeling D, Julian K, Lazarus C, Lim R, Shah P, Thakoor S, Wu H, Al Z, Dill DL, Kochenderfer MJ, Barrett C (2019) The marabou framework for verification and analysis of deep neural networks. In: Dillig I, Serdar T (eds) Comput Aided Verif. Springer, Cham, pp 443–452

    Chapter  Google Scholar 

  28. Khachiyan LG (1979), A polynomial time algorithm for linear programming. Doklady Akademii Nauk SSSR, 244(5), 1093–1096, English translation in Soviet Math. Dokl. 20:191–194

  29. Klee F, Minty GJ (1972) How good is the simplex algorithm? Inequalities III:159–175

    MathSciNet  Google Scholar 

  30. Kuutti S, Bowden R, ** Y, Barber P, Fallah S (2020) A survey of deep learning applications to autonomous vehicle control. IEEE Trans Intell Transp Syst 22(2):712–733

    Article  Google Scholar 

  31. Lahiri SK, Musuvathi M (2005) An efficient decision procedure for UTVPI constraints. In: Gramlich B (ed) Frontiers of combining systems. Springer, Berlin, pp 168–183

    Chapter  Google Scholar 

  32. Liu C, Arnon T, Lazarus C, Barrett C, Kochenderfer MJ (2019). Algorithms for verifying deep neural networks. ar**v:1903.06758

  33. Manzanas Lopez D, Johnson T, Tran H-D, Bak S, Chen X, Hobbs KL (2021) Verification of neural network compression of ACAS Xu lookup tables with star set reachability. In: AIAA Scitech 2021 Forum, p 0995

  34. Miné A (2006) The octagon abstract domain. Higher-order Symb Comput 19(1):31–100

    Article  Google Scholar 

  35. Orlin JB (1996) A polynomial time primal network simplex algorithm for minimum cost flows. In: Proceedings of the 7th annual ACM-SIAM symposium on discrete algorithms, SODA ’96, 474-481, USA. Society for Industrial and Applied Mathematics

  36. Singh G, Gehr T, Mirman M, Püschel M, Vechev MT (2018) Fast and effective robustness certification. NeurIPS 1(4):6

    Google Scholar 

  37. Singh G, Gehr T, Püschel M, Vechev M (2019) An abstract domain for certifying neural networks. Proc ACM Program Lang 3(POPL):1–30

    Article  Google Scholar 

  38. Sutton RS, Barto AG (2018) Reinforcement learning: an introduction, 2nd edn. MIT Press, Cambridge

    Google Scholar 

  39. Tjeng V, **ao KY, Tedrake R (2018) Evaluating robustness of neural networks with mixed integer programming. In: International conference on learning representations

  40. Tran H-D, Bak S, **ang W, Johnson TT (2020). Verification of deep convolutional neural networks using imagestars. In: International conference on computer aided verification, pp 18–42. Springer

  41. Tran H-D, Cai F, Diego ML, Musau P, Johnson TT, Koutsoukos X (2019) Safety verification of cyber-physical systems with reinforcement learning control. ACM Trans Embed Comput Syst (TECS) 18(5s):1–22

    Article  Google Scholar 

  42. Tran H-D, Manzanas Lopez D, Musau P, Yang X, Nguyen LV, **ang W, Johnson TT (2019) Star-based reachability analysis of deep neural networks. In: ter Beek MH, McIver A, Oliveira JN (eds) Formal methods—the next 30 years. Springer, Cham, pp 670–686

    Chapter  Google Scholar 

  43. Tran H-D, Pal N, Musau P, Lopez DM, Hamilton N, Yang X, Bak S, Johnson TT (2021) Robustness verification of semantic segmentation neural networks using relaxed reachability. In: International conference on computer aided verification, pp 263–286. Springer

  44. Tran H-D, Yang X, Lopez DM, Musau P, Nguyen LV, **ang W, Bak S, Johnson TT (2020) NNV: the neural network verification tool for deep neural networks and learning-enabled cyber-physical systems. In: International conference on computer aided verification, pp 3–17. Springer

  45. Wang S, Pei K, Whitehouse J, Yang J, Jana S (2018) Efficient formal safety analysis of neural networks. In: Advances in neural information processing systems, vol 31

  46. Wang S, Zhang H, Xu K, Lin X, Jana S, Hsieh C-J, Kolter JZ (2021) Beta-crown: efficient bound propagation with per-neuron split constraints for complete and incomplete neural network verification. ar**v:2103.06624

Download references

Acknowledgement

This material is based upon work supported by the Air Force Office of Scientific Research and the Office of Naval Research under award numbers FA9550-19-1-0288, FA9550-21-1-0121, FA9550-22-1-0450, FA9550-22-1-0029, N00014-22-1-2156, and FA9550-23-1-0066. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the United States Air Force or the United States Navy. This research was supported in part by the Air Force Research Laboratory Information Directorate through the Air Force Office of Scientific Research Summer Faculty Fellowship Program, contract numbers FA8750-15-3-6003, FA9550-15-0001, and FA9550-20-F-0005. This work is also supported by the National Science Foundation (NSF) grant CCF-2009022 and by NSF CAREER awards CCF-2146563 and CNF-2237229.

Author information

Authors and Affiliations

  1. Stony Brook University, Stony Brook, USA

    Stanley Bak

  2. University of Colorado Boulder, Boulder, USA

    Taylor Dohmen, Ashutosh Trivedi & Alvaro Velasquez

  3. West Virginia University, Morgantown, USA

    K. Subramani & Piotr Wojciechowski

Authors
  1. Stanley Bak
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Taylor Dohmen
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. K. Subramani
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Ashutosh Trivedi
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Alvaro Velasquez
    View author publications

    You can also search for this author in PubMed Google Scholar

  6. Piotr Wojciechowski
    View author publications

    You can also search for this author in PubMed Google Scholar

Contributions

All authors contributed equally.

Corresponding author

Correspondence to K. Subramani.

Ethics declarations

Conflict of interest

We declare that we have no Conflict of interest.

Ethical approval

This manuscript was created by following all the ethical guidelines. In particular, an extended abstract of this work was published in FM 2023. This has been indicated in the abstract as a footnote.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Bak, S., Dohmen, T., Subramani, K. et al. The hexatope and octatope abstract domains for neural network verification. Form Methods Syst Des (2024). https://doi.org/10.1007/s10703-024-00457-y

Download citation

  • Received:

  • Accepted:

  • Published:

  • DOI: https://doi.org/10.1007/s10703-024-00457-y

Keywords

Search

Navigation