Existing neural network verifiers compute a proof that each input is handled correctly under a given perturbation by propagating a convex set of reachable values at each layer. This process is repeated independently for each input (e.g., image) and perturbation (e.g., rotation), leading to an expensive overall proof effort when handling an entire dataset. In this work we introduce a new method for reducing this verification cost based on the key insight that convex sets obtained at intermediate layers can overlap across different inputs and perturbations. Leveraging this insight, we introduce the general concept of shared certificates, enabling proof effort reuse across multiple inputs and driving down overall verification costs. We validate our insight via an extensive experimental evaluation and demonstrate the effectiveness of shared certificates on a range of datasets and attack specifications including geometric, patch and $\ell_\infty$ input perturbations.
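The core idea above — reusing proof effort when the convex sets reached at an intermediate layer by one input are contained in those of another — can be illustrated with a minimal sketch. This is not the paper's implementation; it assumes the simplest convex relaxation (interval/box bounds) and hypothetical helper names (`propagate_box`, `contained`):

```python
import numpy as np

def propagate_box(lo, hi, weights, biases):
    """Propagate an input box through affine + ReLU layers,
    recording the reachable box at every intermediate layer."""
    boxes = [(lo, hi)]
    for W, b in zip(weights, biases):
        # Affine layer: split W into positive and negative parts
        # so lower/upper bounds propagate soundly.
        Wp, Wn = np.maximum(W, 0.0), np.minimum(W, 0.0)
        new_lo = Wp @ lo + Wn @ hi + b
        new_hi = Wp @ hi + Wn @ lo + b
        # ReLU activation applied elementwise to both bounds.
        lo, hi = np.maximum(new_lo, 0.0), np.maximum(new_hi, 0.0)
        boxes.append((lo, hi))
    return boxes

def contained(inner, outer):
    """True if box `inner` lies inside box `outer`: in that case the
    certificate already proved for `outer` covers `inner` as well,
    and the remaining layers need not be re-verified."""
    (ilo, ihi), (olo, ohi) = inner, outer
    return bool(np.all(ilo >= olo) and np.all(ihi <= ohi))
```

Under this sketch, a verifier would cache the intermediate boxes (and the downstream proof) for one input, and for each new input check `contained` at some layer before falling back to a full propagation — the containment check is cheap relative to re-running the remaining layers.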