38 research outputs found
DeepBern-Nets: Taming the Complexity of Certifying Neural Networks using Bernstein Polynomial Activations and Precise Bound Propagation
Formal certification of Neural Networks (NNs) is crucial for ensuring their
safety, fairness, and robustness. Unfortunately, on the one hand, sound and
complete certification algorithms of ReLU-based NNs do not scale to large-scale
NNs. On the other hand, incomplete certification algorithms are easier to
compute, but they result in loose bounds that deteriorate with the depth of NN,
which diminishes their effectiveness. In this paper, we ask the following
question: can we replace the ReLU activation function with one that opens the
door to incomplete certification algorithms that are easy to compute but can
produce tight bounds on the NN's outputs? We introduce DeepBern-Nets, a class
of NNs with activation functions based on Bernstein polynomials instead of the
commonly used ReLU activation. Bernstein polynomials are smooth and
differentiable functions with desirable properties such as the so-called range
enclosure and subdivision properties. We design a novel algorithm, called
Bern-IBP, to efficiently compute tight bounds on DeepBern-Nets outputs. Our
approach leverages the properties of Bernstein polynomials to improve the
tractability of neural network certification tasks while maintaining the
accuracy of the trained networks. We conduct comprehensive experiments in
adversarial robustness and reachability analysis settings to assess the
effectiveness of the proposed Bernstein polynomial activation in enhancing the
certification process. Our proposed framework achieves high certified accuracy
for adversarially-trained NNs, which is often a challenging task for certifiers
of ReLU-based NNs. Moreover, using Bern-IBP bounds for certified training
results in NNs with state-of-the-art certified accuracy compared to ReLU
networks. This work establishes Bernstein polynomial activation as a promising
alternative for improving NN certification tasks across various applications.
Polynomial-Time Reachability for LTI Systems with Two-Level Lattice Neural Network Controllers
In this paper, we consider the computational complexity of bounding the
reachable set of a Linear Time-Invariant (LTI) system controlled by a Rectified
Linear Unit (ReLU) Two-Level Lattice (TLL) Neural Network (NN) controller. In
particular, we show that for such a system and controller, it is possible to
compute the exact one-step reachable set in polynomial time in the size of the
TLL NN controller (number of neurons). Additionally, we show that
it is possible to obtain a tight bounding box of the reachable set via two
polynomial-time methods: one with polynomial complexity in the size of the TLL
and the other with polynomial complexity in the Lipschitz constant of the
controller and other problem parameters. Crucially, the smaller of the two can
be decided in polynomial time for non-degenerate TLL NNs. Finally, we propose a
pragmatic algorithm that adaptively combines the benefits of (semi-)exact
reachability and approximate reachability, which we call L-TLLBox. We evaluate
L-TLLBox with an empirical comparison to a state-of-the-art NN controller
reachability tool. In these experiments, L-TLLBox was able to complete
reachability analysis as much as 5000x faster than this tool on the same
network/system, while producing reach boxes that were from 0.08 to 1.42 times
the area
PolyARBerNN: A Neural Network Guided Solver and Optimizer for Bounded Polynomial Inequalities
Constraints solvers play a significant role in the analysis, synthesis, and
formal verification of complex embedded and cyber-physical systems. In this
paper, we study the problem of designing a scalable constraints solver for an
important class of constraints named polynomial constraint inequalities (also
known as non-linear real arithmetic theory). In this paper, we introduce a
solver named PolyARBerNN that uses convex polynomials as abstractions for
highly nonlinear polynomials. Such abstractions were previously shown to be
powerful to prune the search space and restrict the usage of sound and complete
solvers to small search spaces. Compared with the previous efforts on using
convex abstractions, PolyARBerNN provides three main contributions, namely (i) a
neural network guided abstraction refinement procedure that helps select the
right abstraction out of a set of pre-defined abstractions, (ii) a Bernstein
polynomial-based search space pruning mechanism that can be used to compute
tight estimates of the polynomial maximum and minimum values which can be used
as an additional abstraction of the polynomials, and (iii) an optimizer that
transforms polynomial objective functions into polynomial constraints (on the
gradient of the objective function) whose solutions are guaranteed to be close
to the global optima. These enhancements together allowed the PolyARBerNN
solver to solve complex instances and scale more favorably compared to the
state-of-art non-linear real arithmetic solvers while maintaining the soundness
and completeness of the resulting solver. In particular, our test benches show
that PolyARBerNN achieved 100X speedup compared with Z3 8.9, Yices 2.6, and
NASALib (a solver that uses Bernstein expansion to solve multivariate
polynomial constraints) on a variety of standard test benches.
Attack Resilience and Recovery using Physical Challenge Response Authentication for Active Sensors Under Integrity Attacks
Embedded sensing systems are pervasively used in life- and security-critical
systems such as those found in airplanes, automobiles, and healthcare.
Traditional security mechanisms for these sensors focus on data encryption and
other post-processing techniques, but the sensors themselves often remain
vulnerable to attacks in the physical/analog domain. If an adversary
manipulates a physical/analog signal prior to digitization, no amount of
digital security mechanisms after the fact can help. Fortunately, nature
imposes fundamental constraints on how these analog signals can behave. This
work presents PyCRA, a physical challenge-response authentication scheme
designed to protect active sensing systems against physical attacks occurring
in the analog domain. PyCRA provides security for active sensors by continually
challenging the surrounding environment via random but deliberate physical
probes. By analyzing the responses to these probes, and by using the fact that
the adversary cannot change the underlying laws of physics, we provide an
authentication mechanism that not only detects malicious attacks but provides
resilience against them. We demonstrate the effectiveness of PyCRA through
several case studies using two sensing systems: (1) magnetic sensors like those
found in wheel speed sensors in robotics and automotive, and (2) commercial RFID
tags used in many security-critical applications. Finally, we outline methods
and theoretical proofs for further enhancing the resilience of PyCRA to active
attacks by means of a confusion phase---a period of low signal to noise ratio
that makes it more difficult for an attacker to correctly identify and respond
to PyCRA's physical challenges. In doing so, we evaluate both the robustness
and the limitations of PyCRA, concluding by outlining practical considerations
as well as further applications for the proposed authentication mechanism.
Comment: Shorter version appeared in ACM Conference on Computer and
Communications (CCS) 201