Skip to content
/ eran Public
forked from eth-sri/eran

ETH Robustness Analyzer for Deep Neural Networks

License

Apache-2.0 license
0 stars 103 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

dimy93/eran

BranchesTags
 
 

Repository files navigation

ERAN portfolio_view

High Level

ETH Robustness Analyzer for Neural Networks (ERAN) is a state-of-the-art sound, precise, scalable, and extensible analyzer based on abstract interpretation for the complete and incomplete verification of MNIST, CIFAR10, and ACAS Xu based networks. ERAN produces state-of-the-art precision and performance for both complete and incomplete verification and can be tuned to provide best precision and scalability (see recommended configuration settings at the bottom). ERAN is developed at the SRI Lab, Department of Computer Science, ETH Zurich as part of the Safe AI project. The goal of ERAN is to automatically verify safety properties of neural networks with feedforward, convolutional, and residual layers against input perturbations (e.g., L∞-norm attacks, geometric transformations, vector field deformations, etc).

ERAN supports fully-connected, convolutional, and residual networks with ReLU, Sigmoid, Tanh, and Maxpool activations and is sound under floating point arithmetic. It employs custom abstract domains which are specifically designed for the setting of neural networks and which aim to balance scalability and precision. Specifically, ERAN supports the following four analysis:

  • DeepZ [NIPS'18]: contains specialized abstract Zonotope transformers for handling ReLU, Sigmoid and Tanh activation functions.

  • DeepPoly [POPL'19]: based on a domain that combines floating point Polyhedra with Intervals.

  • RefineZono [ICLR'19]: combines DeepZ analysis with MILP and LP solvers for more precision.

  • RefinePoly [NeurIPS'19]: combines DeepPoly analysis with MILP and k-ReLU framework for state-of-the-art precision while maintaining scalability.

All analysis are implemented using the ELINA library for numerical abstractions. More details can be found in the publications below.

ERAN vs AI2

Note that ERAN subsumes the first abstract interpretation based analyzer AI2, so if you aim to compare, please use ERAN as a baseline.

USER MANUAL

For a detailed desciption of the options provided and the implentation of ERAN, you can download the user manual.

Requirements

GNU C compiler, ELINA, Gurobi's Python interface,

python3.6 or higher, tensorflow 1.11 or higher, numpy.

Installation

Clone the ERAN repository via git as follows:

git clone https://github.com/eth-sri/ERAN.git
cd ERAN

The dependencies for ERAN can be installed step by step as follows (sudo rights might be required):

Install m4:

wget ftp://ftp.gnu.org/gnu/m4/m4-1.4.1.tar.gz
tar -xvzf m4-1.4.1.tar.gz
cd m4-1.4.1
./configure
make
make install
cp src/m4 /usr/bin
cd ..
rm m4-1.4.1.tar.gz

Install gmp:

wget https://gmplib.org/download/gmp/gmp-6.1.2.tar.xz
tar -xvf gmp-6.1.2.tar.xz
cd gmp-6.1.2
./configure --enable-cxx
make
make install
cd ..
rm gmp-6.1.2.tar.xz

Install mpfr:

wget https://files.sri.inf.ethz.ch/eran/mpfr/mpfr-4.1.0.tar.xz
tar -xvf mpfr-4.1.0.tar.xz
cd mpfr-4.1.0
./configure
make
make install
cd ..
rm mpfr-4.1.0.tar.xz

Install cddlib:

git clone https://github.com/cddlib/cddlib.git
cd cddlib
./bootstrap
./configure
make
make install
cd ..

Install Gurobi:

wget https://packages.gurobi.com/9.0/gurobi9.0.0_linux64.tar.gz
tar -xvf gurobi9.0.0_linux64.tar.gz
cd gurobi900/linux64/src/build
sed -ie 's/^C++FLAGS =.*$/& -fPIC/' Makefile
make
cp libgurobi_c++.a ../../lib/
cd ../../
cp lib/libgurobi90.so /usr/lib
python3 setup.py install
cd ../../

Update environment variables:

export GUROBI_HOME="Current_directory/gurobi900/linux64"
export PATH="${PATH}:${GUROBI_HOME}/bin"
export CPATH="${CPATH}:${GUROBI_HOME}/include"
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/lib:${GUROBI_HOME}/lib

Install ELINA:

git clone https://github.com/eth-sri/ELINA.git
cd ELINA
./configure -use-deeppoly -use-gurobi -use-fconv
make
make install
cd ..

Install DeepG (note that with an already existing version of ERAN you have to start at step Install Gurobi):

git clone https://github.com/eth-sri/deepg.git
cd deepg/code
mkdir build
make shared_object
cp ./build/libgeometric.so /usr/lib
cd ../..

We also provide scripts that will install ELINA and all the necessary dependencies. One can run it as follows:

sudo ./install.sh
source gurobi_setup_path.sh

Note that to run ERAN with Gurobi one needs to obtain an academic license for gurobi from https://user.gurobi.com/download/licenses/free-academic.

To install the remaining python dependencies (numpy and tensorflow), type:

pip3 install -r requirements.txt

ERAN may not be compatible with older versions of tensorflow (we have tested ERAN with versions >= 1.11.0), so if you have an older version and want to keep it, then we recommend using the python virtual environment for installing tensorflow.

Usage

cd tf_verify

python3 . --netname <path to the network file> --epsilon <float between 0 and 1> --domain <deepzono/deeppoly/refinezono/refinepoly> --dataset <mnist/cifar10/acasxu> --zonotope <path to the zonotope specfile>  [optional] --complete <True/False> --timeout_complete <float> --timeout_lp <float> --timeout_milp <float> --use_area_heuristic <True/False> --mean <float(s)> --std <float(s)> --use_milp <True/False> --use_2relu --use_3relu --dyn_krelu --numproc <int>

  • <epsilon>: specifies bound for the L∞-norm based perturbation (default is 0). This parameter is not required for testing ACAS Xu networks.

  • <zonotope>: The Zonotope specification file can be comma or whitespace separated file where the first two integers can specify the number of input dimensions D and the number of error terms per dimension N. The following D*N doubles specify the coefficient of error terms. For every dimension i, the error terms are numbered from 0 to N-1 where the 0-th error term is the central error term. See an example here [https://github.com/eth-sri/eran/files/3653882/zonotope_example.txt]. This option only works with the "deepzono" or "refinezono" domain.

  • <use_area_heuristic>: specifies whether to use area heuristic for the ReLU approximation in DeepPoly (default is true).

  • <mean>: specifies mean used to normalize the data. If the data has multiple channels the mean for every channel has to be provided (e.g. for cifar10 --mean 0.485, 0.456, 0.406) (default is 0 for non-geometric mnist and 0.5 0.5 0.5 otherwise)

  • <std>: specifies standard deviation used to normalize the data. If the data has multiple channels the standard deviaton for every channel has to be provided (e.g. for cifar10 --std 0.2 0.3 0.2) (default is 1 1 1)

  • <use_milp>: specifies whether to use MILP (default is true).

  • <sparse_n>: specifies the size of "k" for the kReLU framework (default is 70).

  • <numproc>: specifies how many processes to use for MILP, LP and k-ReLU (default is the number of processors in your machine).

  • <geometric>: specifies whether to do geometric analysis (default is false).

  • <geometric_config>: specifies the geometric configuration file location.

  • <data_dir>: specifies the geometric data location.

  • <num_params>: specifies the number of transformation parameters (default is 0)

  • <attack>: specifies whether to verify attack images (default is false).

  • <specnumber>: the property number for the ACASXu networks

  • Refinezono and RefinePoly refines the analysis results from the DeepZ and DeepPoly domain respectively using the approach in our ICLR'19 paper. The optional parameters timeout_lp and timeout_milp (default is 1 sec for both) specify the timeouts for the LP and MILP forumlations of the network respectively.

  • Since Refinezono and RefinePoly uses timeout for the gurobi solver, the results will vary depending on the processor speeds.

  • Setting the parameter "complete" (default is False) to True will enable MILP based complete verification using the bounds provided by the specified domain.

  • When ERAN fails to prove the robustness of a given network in a specified region, it searches for an adversarial example and prints an adversarial image within the specified adversarial region along with the misclassified label and the correct label. ERAN does so for both complete and incomplete verification.

Example

L_oo Specification

python3 . --netname ../nets/pytorch/mnist/convBig__DiffAI.pyt --epsilon 0.1 --domain deepzono --dataset mnist

will evaluate the local robustness of the MNIST convolutional network (upto 35K neurons) with ReLU activation trained using DiffAI on the 100 MNIST test images. In the above setting, epsilon=0.1 and the domain used by our analyzer is the deepzono domain. Our analyzer will print the following:

  • 'Verified safe' for an image when it can prove the robustness of the network

  • 'Verified unsafe' for an image for which it can provide a concrete adversarial example

  • 'Failed' when it cannot.

  • It will also print an error message when the network misclassifies an image.

  • the timing in seconds.

  • The ratio of images on which the network is robust versus the number of images on which it classifies correctly.

Zonotope Specification

python3 . --netname ../nets/pytorch/mnist/convBig__DiffAI.pyt --zonotope some_path/zonotope_example.txt --domain deepzono

will check if the Zonotope specification specified in "zonotope_example" holds for the network and will output "Verified safe", "Verified unsafe" or "Failed" along with the timing.

Similarly, for the ACAS Xu networks, ERAN will output whether the property has been verified along with the timing.

ACASXu Specification

python3 . --netname ../data/acasxu/nets/ACASXU_run2a_3_3_batch_2000.onnx --dataset acasxu --domain deepzono  --specnumber 9

will run DeepZ for analyzing property 9 of ACASXu benchmarks. The ACASXU networks are in data/acasxu/nets directory and the one chosen for a given property is defined in the Reluplex paper.

Geometric analysis

python3 . --netname ../nets/pytorch/mnist/convBig__DiffAI.pyt --geometric --geometric_config ../deepg/code/examples/example1/config.txt --num_params 1 --dataset mnist

will on the fly generate geometric perturbed images and evaluate the network against them. For more information on the geometric configuration file please see Format of the configuration file in DeepG.

python3 . --netname ../nets/pytorch/mnist/convBig__DiffAI.pyt --geometric --data_dir ../deepg/code/examples/example1/ --num_params 1 --dataset mnist --attack

will evaluate the generated geometric perturbed images in the given data_dir and also evaluate generated attack images.

Recommended Configuration for Scalable Complete Verification

Use the "deeppoly" or "deepzono" domain with "--complete True" option

Recommended Configuration for More Precise but relatively expensive Incomplete Verification

Use the "refinepoly" domain with "--use_milp True", "--sparse_n 12", "--refine_neurons", "timeout_milp 10", and "timeout_lp 10" options

Recommended Configuration for Faster but relatively imprecise Incomplete Verification

Use the "deeppoly" domain

Certification of Vector Field Deformations

High Level

Vector field deformations, which displace pixels instead of directly manipulating pixel values, can be intuitively parametrized by their displacement magnitude delta, i.e., how far every pixel can move, and their smoothness gamma, i.e., how much neighboring displacement vectors can differ from each other (more details can be found in Section 3 of our paper). ERAN can certify both non-smooth vector fields:

python3 . --netname ../nets/pytorch/mnist/convBig__DiffAI.pyt --dataset mnist --domain deeppoly --spatial --t-norm inf --delta 0.3

and smooth vector fields:

python3 . --netname ../nets/pytorch/mnist/convBig__DiffAI.pyt --dataset mnist --domain deeppoly --spatial --t-norm inf --delta 0.3 --gamma 0.1

Certification of vector field deformations is compatible with the "deeppoly" and "refinepoly" domains, and can be made more precise with the kReLU framework (e.g., "--use_milp True", "--sparse_n 15", "--refine_neurons", "timeout_milp 10", and "timeout_lp 10") or complete certification ("--complete True").

Publications

Neural Networks and Datasets

We provide a number of pretrained MNIST and CIAFR10 defended and undefended feedforward and convolutional neural networks with ReLU, Sigmoid and Tanh activations trained with the PyTorch and TensorFlow frameworks. The adversarial training to obtain the defended networks is performed using PGD and DiffAI.

Dataset Model Type #units #layers Activation Training Defense Download
MNIST 3x50 fully connected 110 3 ReLU None ⬇️
3x100 fully connected 210 3 ReLU None ⬇️
5x100 fully connected 510 5 ReLU DiffAI ⬇️
6x100 fully connected 510 6 ReLU None ⬇️
9x100 fully connected 810 9 ReLU None ⬇️
6x200 fully connected 1,010 6 ReLU None ⬇️
9x200 fully connected 1,610 9 ReLU None ⬇️
6x500 fully connected 3,000 6 ReLU None ⬇️
6x500 fully connected 3,000 6 ReLU PGD ε=0.1 ⬇️
6x500 fully connected 3,000 6 ReLU PGD ε=0.3 ⬇️
6x500 fully connected 3,000 6 Sigmoid None ⬇️
6x500 fully connected 3,000 6 Sigmoid PGD ε=0.1 ⬇️
6x500 fully connected 3,000 6 Sigmoid PGD ε=0.3 ⬇️
6x500 fully connected 3,000 6 Tanh None ⬇️
6x500 fully connected 3,000 6 Tanh PGD ε=0.1 ⬇️
6x500 fully connected 3,000 6 Tanh PGD ε=0.3 ⬇️
4x1024 fully connected 3,072 4 ReLU None ⬇️
ConvSmall convolutional 3,604 3 ReLU None ⬇️
ConvSmall convolutional 3,604 3 ReLU PGD ⬇️
ConvSmall convolutional 3,604 3 ReLU DiffAI ⬇️
ConvMed convolutional 5,704 3 ReLU None ⬇️
ConvMed convolutional 5,704 3 ReLU PGD ε=0.1 ⬇️
ConvMed convolutional 5,704 3 ReLU PGD ε=0.3 ⬇️
ConvMed convolutional 5,704 3 Sigmoid None ⬇️
ConvMed convolutional 5,704 3 Sigmoid PGD ε=0.1 ⬇️
ConvMed convolutional 5,704 3 Sigmoid PGD ε=0.3 ⬇️
ConvMed convolutional 5,704 3 Tanh None ⬇️
ConvMed convolutional 5,704 3 Tanh PGD ε=0.1 ⬇️
ConvMed convolutional 5,704 3 Tanh PGD ε=0.3 ⬇️
ConvMaxpool convolutional 13,798 9 ReLU None ⬇️
ConvBig convolutional 48,064 6 ReLU DiffAI ⬇️
ConvSuper convolutional 88,544 6 ReLU DiffAI ⬇️
Skip Residual 71,650 9 ReLU DiffAI ⬇️
CIFAR10 4x100 fully connected 410 4 ReLU None ⬇️
6x100 fully connected 610 6 ReLU None ⬇️
9x200 fully connected 1,810 9 ReLU None ⬇️
6x500 fully connected 3,000 6 ReLU None ⬇️
6x500 fully connected 3,000 6 ReLU PGD ε=0.0078 ⬇️
6x500 fully connected 3,000 6 ReLU PGD ε=0.0313 ⬇️
6x500 fully connected 3,000 6 Sigmoid None ⬇️
6x500 fully connected 3,000 6 Sigmoid PGD ε=0.0078 ⬇️
6x500 fully connected 3,000 6 Sigmoid PGD ε=0.0313 ⬇️
6x500 fully connected 3,000 6 Tanh None ⬇️
6x500 fully connected 3,000 6 Tanh PGD ε=0.0078 ⬇️
6x500 fully connected 3,000 6 Tanh PGD ε=0.0313 ⬇️
7x1024 fully connected 6,144 7 ReLU None ⬇️
ConvSmall convolutional 4,852 3 ReLU None ⬇️
ConvSmall convolutional 4,852 3 ReLU PGD ⬇️
ConvSmall convolutional 4,852 3 ReLU DiffAI ⬇️
ConvMed convolutional 7,144 3 ReLU None ⬇️
ConvMed convolutional 7,144 3 ReLU PGD ε=0.0078 ⬇️
ConvMed convolutional 7,144 3 ReLU PGD ε=0.0313 ⬇️
ConvMed convolutional 7,144 3 Sigmoid None ⬇️
ConvMed convolutional 7,144 3 Sigmoid PGD ε=0.0078 ⬇️
ConvMed convolutional 7,144 3 Sigmoid PGD ε=0.0313 ⬇️
ConvMed convolutional 7,144 3 Tanh None ⬇️
ConvMed convolutional 7,144 3 Tanh PGD ε=0.0078 ⬇️
ConvMed convolutional 7,144 3 Tanh PGD ε=0.0313 ⬇️
ConvMaxpool convolutional 53,938 9 ReLU None ⬇️
ConvBig convolutional 62,464 6 ReLU DiffAI ⬇️
ResNet18 Residual 558K 18 ReLU DiffAI ⬇️

We provide the first 100 images from the testset of both MNIST and CIFAR10 datasets in the 'data' folder. Our analyzer first verifies whether the neural network classifies an image correctly before performing robustness analysis. In the same folder, we also provide ACAS Xu networks and property specifications.

Experimental Results

We ran our experiments for the feedforward networks on a 3.3 GHz 10 core Intel i9-7900X Skylake CPU with a main memory of 64 GB whereas our experiments for the convolutional networks were run on a 2.6 GHz 14 core Intel Xeon CPU E5-2690 with 512 GB of main memory. We first compare the precision and performance of DeepZ and DeepPoly vs Fast-Lin on the MNIST 6x100 network in single threaded mode. It can be seen that DeepZ has the same precision as Fast-Lin whereas DeepPoly is more precise while also being faster.

High Level

In the following, we compare the precision and performance of DeepZ and DeepPoly on a subset of the neural networks listed above in multi-threaded mode. In can be seen that DeepPoly is overall more precise than DeepZ but it is slower than DeepZ on the convolutional networks.

High Level

High Level

High Level

High Level

The table below compares the performance and precision of DeepZ and DeepPoly on our large networks trained with DiffAI.

Dataset Model ε % Verified Robustness % Average Runtime (s)
DeepZ DeepPoly DeepZ DeepPoly
MNIST ConvBig 0.1 97 97 5 50
ConvBig 0.2 79 78 7 61
ConvBig 0.3 37 43 17 88
ConvSuper 0.1 97 97 133 400
Skip 0.1 95 N/A 29 N/A
CIFAR10 ConvBig 0.006 50 52 39 322
ConvBig 0.008 33 40 46 331

The table below compares the timings of complete verification with ERAN for all ACASXu benchmarks.

Property Networks % Average Runtime (s)
1 all 45 15.5
2 all 45 11.4
3 all 45 1.9
4 all 45 1.1
5 1_1 26
6 1_1 10
7 1_9 83
8 2_9 111
9 3_3 9
10 4_5 2.1

More experimental results can be found in our papers.

Contributors

License and Copyright

About

ETH Robustness Analyzer for Deep Neural Networks

Resources

Readme

License

Apache-2.0 license
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • Python 70.5%
  • HCL 28.9%
  • Shell 0.6%