Paper Info
Title
Verifying Neural Networks with Mixed Integer Programming.
Abstract
Neural networks have demonstrated considerable success in a wide variety of real-world problems. However, the presence of adversarial examples - slightly perturbed inputs that are misclassified with high confidence - limits our ability to guarantee performance for these networks in safety-critical applications. We demonstrate that, for networks that are piecewise affine (for example, deep networks with ReLU and maxpool units), proving no adversarial example exists - or finding the closest example if one does exist - can be naturally formulated as solving a mixed integer program. Solves for a fully-connected MNIST classifier with three hidden layers can be completed an order of magnitude faster than those of the best existing approach. To address the concern that adversarial examples are irrelevant because pixel-wise attacks are unlikely to happen in natural images, we search for adversaries over a natural class of perturbations written as convolutions with an adversarial blurring kernel. When searching over blurred images, we find that as opposed to pixelwise attacks, some misclassifications are impossible. Even more interestingly, a small fraction of input images are provably robust to blurs: every blurred version of the input is classified with the same, correct label.
Year
Venue
Field
2017
arXiv: Learning
Integer,Kernel (linear algebra),Affine transformation,MNIST database,Algorithm,Theoretical computer science,Integer programming,Classifier (linguistics),Artificial neural network,Mathematics,Piecewise
DocType
Volume
Citations 
Journal
abs/1711.07356
17
PageRank 
References 
Authors
0.77
16
2
Name
Order
Citations
PageRank
Vincent Tjeng1171.45
Russ Tedrake21429107.81