Neural networks are increasingly being deployed in contexts where safety is a critical concern. In this work, we propose a way to construct neural network classifiers that dynamically repair violations of non-relational safety constraints called safe ordering properties. Safe ordering properties relate requirements on the ordering of a network's output indices to conditions on their input, and are sufficient to express most useful notions of non-relational safety for classifiers. Our approach is based on a novel self-repairing layer, which provably yields safe outputs regardless of the characteristics of its input. We compose this layer with an existing network to construct a self-repairing network (SR-Net), and show that in addition to providing safe outputs, the SR-Net is guaranteed to preserve the accuracy of the original network. Notably, our approach is independent of the size and architecture of the network being repaired, depending only on the specified property and the dimension of the network's output; thus it is scalable to large state-of-the-art networks. We show that our approach can be implemented using vectorized computations that execute efficiently on a GPU, introducing run-time overhead of less than one millisecond on current hardware -- even on large, widely-used networks containing hundreds of thousands of neurons and millions of parameters.
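A minimal sketch of the self-repairing idea described in the abstract, added here as an illustration and not the authors' algorithm or code. It assumes a property is a precondition on the input plus a list of `(hi, lo)` class pairs meaning "class `hi` must outrank class `lo`", and it repairs by topological sort; the sample property and all names are constructed.

```python
import heapq

# Constructed property: when x[0] < 0.5, class 2 must outrank classes 0 and 1.
PROPERTIES = [(lambda x: x[0] < 0.5, [(2, 0), (2, 1)])]

def active_pairs(x, properties):
    """Union of (hi, lo) pairs from every property whose precondition holds on x."""
    return {p for pre, pairs in properties if pre(x) for p in pairs}

def is_safe(y, pairs):
    return all(y[hi] > y[lo] for hi, lo in pairs)

def repair(y, pairs, eps=1e-6):
    """Return logits with y[hi] > y[lo] for all pairs; unchanged if already safe."""
    if is_safe(y, pairs):
        return list(y)
    n = len(y)
    succ, indeg = [[] for _ in range(n)], [0] * n
    for hi, lo in pairs:
        succ[hi].append(lo)
        indeg[lo] += 1
    # Kahn's topological sort; among eligible classes take the largest original
    # logit first, so an unconstrained top class keeps its rank.
    ready = [(-y[i], i) for i in range(n) if indeg[i] == 0]
    heapq.heapify(ready)
    order = []
    while ready:
        _, i = heapq.heappop(ready)
        order.append(i)
        for j in succ[i]:
            indeg[j] -= 1
            if indeg[j] == 0:
                heapq.heappush(ready, (-y[j], j))
    if len(order) != n:
        raise ValueError("cyclic constraints: no output can satisfy them")
    # Hand the original logit values out in that order, strictly decreasing.
    out, prev = [0.0] * n, float("inf")
    for value, i in zip(sorted(y, reverse=True), order):
        prev = min(value, prev - eps)
        out[i] = prev
    return out

def self_repair(x, y, properties=PROPERTIES):
    """Repair layer applied to the base network's logits y for input x."""
    return repair(y, active_pairs(x, properties))

if __name__ == "__main__":
    print(self_repair([0.2], [3.0, 1.0, 2.0, 0.5]))
```

The layer only needs the logits and the property, which mirrors the abstract's point that the repair cost depends on the output dimension rather than on the size of the network being repaired.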