Tool for certifying local robustness in deep networks.
This tool implements the algorithm described in the work, Fast Geometric Projections for Local Robustness Certification, appearing in ICLR 2021, and is maintained by the authors, Aymeric Fromherz, Klas Leino, Matt Fredrikson, Bryan Parno, and Corina Păsăreanu.
If you use this tool, please use the following citation:
@INPROCEEDINGS{fromherz20projections,
title={Fast Geometric Projections for Local Robustness Certification},
author={Aymeric Fromherz and Klas Leino and Matt Fredrikson and Bryan Parno and Corina Păsăreanu},
booktitle={International Conference on Learning Representations (ICLR)},
year={2021},
}
Simply install via pip:
pip install fgp-cert
Alternatively, you can install from the source repository:
-
Clone the repository and change into its root directory.
-
Install from source via
pip install -e .
The main routine for checking robustness is the check
function in fgp.certification
. This takes the following arguments:
network
: the neural network to be certified. Must be an instance ofCheckableModel
(found in thefgp.checkable_models
module).x
: anumpy.Array
containing the instance to check robustness for.epsilon
: the value of ε to check robustness for.timeout
: (optional) the number of seconds to compute for before returning aTIMED_OUT
result. IfNone
, the computation will continue until the search has completed. NOTE: the time-out functionality will not work on Windows, since it uses signals. We recommend running on a unix machine.lowerbound
: (default False) boolean flag specifying that we would like to use the certified lower bound algorithm (presented in Section 2.3) rather than the standard FGP algorithm (presented in Section 2.1).keepgoing
: (default False) when True, uses the heuristic given in Section 2.2 for decreasing the number ofUNKNOWN
results by continuing to search the queue when a possible false-positive is found. This heuristic can only be used whenlowerbound
isFalse
.batch_size
: (default 1) batch size for processing the queue. Setting to 10-100 for medium to large examples significantly speeds up the FGP algorithm; however, for very large networks, this becomes very memory-intensive. The batch size must be 1 whenlowerbound
isTrue
.return_num_visited
: (optional) if set toTrue
, the algorithm will return a tuple containing the robustness result followed by the number of regions visited. Otherwise it will return the robustness result only.recap
: (default False) if set toTrue
, the algorithm will print out a few statistics as it computes.debug_steps
: (default False) if set toTrue
, the algorithm will print out more detailed statistics as it computes.debug_print_rate
: (default 1) ifdebug_steps
is True, detailed information will be printed everydebug_print_rate
iterations of the algorithm.
The functionality required to compute projections to internal and decision boundaries is contained in the wrapper class, CheckableModel
.
The check
routine only functions on instances of CheckableModel
.
The constructor for Checkable
model takes an input shape, a list of internal layer widths, and a number of output classes.
For example, to create a dense network on the MNIST dataset with three hidden layers of 20 neurons each, the following would be used:
from fgp import CheckableModel
network = CheckableModel((784,), [20, 20, 20], 10)
Before running the check
function on a model, the graph for computing boundaries and projections (for the desired norm) must be compiled.
This can be done using the following:
# Defaults to the L2 norm.
network.compile_backprop()
# The norm can also be specified:
network.compile_backprop('l2')
network.compile_backprop('linf')
An example script demonstrating the use of check
can be found in examples/scripts/evaluation_script.py
.
This script can be called from the command line; an example usage can be found in examples/scripts/example.sh
.
A number of pre-trained weights for the models used in the paper are provided in examples/models/
.
- Klas Leino
- Aymeric Fromherz