Most work on the formal verification of neural networks has focused on bounding forward images of neural networks, i.e., the set of outputs of a neural network that correspond to a given set of inputs (for example, bounded perturbations of a nominal input). However, many use cases of neural network verification require solving the inverse problem, i.e., over-approximating the set of inputs that lead to certain outputs. In this work, we present the first efficient bound propagation algorithm, INVPROP, for verifying properties over the preimage of a linearly constrained output set of a neural network, which can be combined with branch-and-bound to achieve completeness. Our efficient algorithm allows multiple passes of intermediate bound refinements, which are crucial for tight inverse verification because the bounds of an intermediate layer depend on relaxations both before and after this layer. We demonstrate our algorithm on applications related to quantifying safe control regions for a dynamical system and detecting out-of-distribution inputs to a neural network. Our results show that in certain settings, we can find over-approximations that are over 2500 times tighter than prior work while being 2.5 times faster on the same hardware.