Most work on the formal verification of neural networks has focused on bounding forward images of neural networks, i.e., the set of outputs of a neural network that correspond to a given set of inputs (for example, bounded perturbations of a nominal input). However, many use cases of neural network verification require solving the inverse problem, i.e, over-approximating the set of inputs that lead to certain outputs. In this work, we present the first efficient bound propagation algorithm, INVPROP, for verifying properties over the preimage of a linearly constrained output set of a neural network, which can be combined with branch-and-bound to achieve completeness. Our efficient algorithm allows multiple passes of intermediate bound refinements, which are crucial for tight inverse verification because the bounds of an intermediate layer depend on relaxations both before and after this layer. We demonstrate our algorithm on applications related to quantifying safe control regions for a dynamical system and detecting out-of-distribution inputs to a neural network. Our results show that in certain settings, we can find over-approximations that are over 2500 times tighter than prior work while being 2.5 times faster on the same hardware.

翻译：大多数关于神经网络形式化验证的工作聚焦于网络前向像的边界，即给定输入集（例如名义输入的有界扰动）对应的神经网络输出集。然而许多神经网络验证应用需要解决逆问题——即过逼近导致特定输出的输入集。本文提出首个高效的边界传播算法INVPROP，用于验证神经网络线性约束输出集原像上的性质，该算法可与分支定界法结合实现完备性。我们的高效算法支持中间边界的多轮精化，这对紧致逆验证至关重要——因为中间层的边界同时依赖于该层前后的松弛操作。我们在动态系统安全控制区域量化及神经网络分布外输入检测等应用中验证了该算法。结果表明，特定场景下我们获得的过逼近结果比现有方法紧致超过2500倍，且在相同硬件上速度提升2.5倍。