Boosting Few-Pixel Robustness Verification via Covering Verification Designs

We address the problem of determining the local robustness of an image classifier in an $L_{0}$ $t$-ball of an image $x$. An image classifier $N$ takes as input an image $x$ consisting of $v$ pixels, each ranges over $[0,1]$ (all definitions extend to colored images, but omitted for simplicity’s sake). It returns a vector consisting of a score for every possible class. The classification the classifier $N$ assigns to an input image $x$ is the class with the maximal score: $c_{x}=\texttt{argmax}(N(x))$. We focus on classifiers implemented by neural networks. Specifically, our focus is on fully-connected and convolutional networks, since many $L_{\infty}$ robustness verifiers can analyze them [31, 13, 21, 2, 33, 25]. However, like Calzone, CoVerD is not coupled to the underlying implementation of the classifier and can reason about any classifier for which there are $L_{\infty}$ robustness verifiers that it can rely on. The problem we study is determining whether a classifier $N$ is locally robust in the $L_{0}$ $t$-ball of an input $x$, for $t\geq 2$. That is, whether every input whose $L_{0}$ distance from $x$ is at most $t$ is classified by $N$ as $x$ is classified. Formally, the $t$-ball of $x$ is $B_{t}(x)=\{x^{\prime}\mid||x^{\prime}-x||_{0}\leq t\}$ and $N$ is locally robust in $B_{t}(x)$ if $\forall x^{\prime}\in B_{t}(x).\ \texttt{argmax}(N(x^{\prime}))=\texttt{argmax}(N(x))$. We note that the $L_{0}$ distance of two images is the number of pixels that the images differ, that is $||x^{\prime}-x||_{0}=|\{i\in[v]\mid x_{i}\neq x_{i}^{\prime}\}|$ (where $[v]=\{1,\ldots,v\}$). In other words, an $L_{0}$ perturbation to an image $x$ can arbitrarily perturb up to $t$ pixels in $x$.

Calzone, depicted in Figure 1, is an $L_{0}$ robustness verifier. It verifies by determining the robustness of a classifier $N$ in all neighborhoods in which a specific set of pixels $S$ is arbitrarily perturbed, for every $S\subseteq[v]$ of size $t$. Namely, to prove robustness, it has to determine for every such $S$ whether $N$ classifies the same all inputs in the neighborhood consisting of all images that are identical to $x$ in all pixels, but the pixels in $S$. We denote this neighborhood by $I_{S}(x)=\{x^{\prime}\in[0,1]^{v}\mid\forall i\notin S.\ x^{\prime}_{i}=x_{i}\}$. Such neighborhoods can be specified as a sequence of intervals, one for every pixel, where the $i^{\text{th}}$ interval is $[0,1]$ if $i\in S$ (i.e., it can be perturbed) or $[x_{i},x_{i}]$ if $i\notin S$ (i.e., it cannot be perturbed). Most existing $L_{\infty}$ robustness verifiers can determine the robustness of such interval neighborhoods. However, verifying $v\choose t$ interval neighborhoods, one for every selection of $t$ pixels to perturb, is practically infeasible for $t>2$. Instead, Calzone builds on the following observation: if $N$ is locally robust in a neighborhood $I_{S^{\prime}}(x)$ for $S^{\prime}\subseteq[v]$ of size $k>t$, then $N$ is also robust in every $I_{S}(x)$, for $S\subseteq S^{\prime}$ of size $t$. This observation allows Calzone to leverage covering designs to reduce the number of neighborhoods analyzed by an $L_{\infty}$ verifier. Given three numbers $(v,k,t)$, for $t\leq k\leq v$, a covering $C(v,k,t)$ is a set of blocks, where (1) each block is subset of size $k$ of $[v]$ and (2) the blocks cover all subsets of $[v]$ of size $t$: for every $S\subseteq[v]$ of size $t$, there is a block $B\in C(v,k,t)$ such that $S\subseteq B$. Coverings are evaluated by their size, $|C(v,k,t)|$, where the smaller the better. We next describe the components of Calzone: analysis, planning and covering database.

Calzone begins the analysis by obtaining a covering $C(v,k_{1},t)$ from its covering database, where $k_{1}$ is determined by the planning component (described shortly). It pushes all blocks in the covering into a stack. It then iteratively pops a block $S$ from the stack and verifies the robustness of $N$ in $I_{S}(x)$ by running GPUPoly [25]. GPUPoly is a sound $L_{\infty}$ robustness verifier which is highly scalable because it performs the analysis on a GPU. However, it relies on a linear relaxation and thus may fail proving robustness due to overapproximation errors. If it determines that $I_{S}(x)$ is robust, Calzone continues to the next block. Otherwise, Calzone performs an exact analysis or refines the block. If $|S|=t$, Calzone invokes a sound and complete mixed-integer linear programming (MILP) verifier [33]. If it determines that $I_{S}(x)$ is not robust, Calzone returns non-robust, otherwise Calzone continues to the next block. If $|S|$ is greater than $t$, Calzone refines $S$ by pushing to the stack all blocks in a covering for $S$ and $t$. The blocks’ size is $k_{i+1}$, which is the block size following the current block size $k_{i}=|S|$, as determined by the planning component. The covering is obtained by retrieving from the covering database the covering $C(|S|,k_{i+1},t)$ and renaming the numbers in the blocks to range over the numbers in $S$ (instead of $[|S|]$), denoted as $C_{S}(|S|,k_{i+1},t)$. If Calzone observes an empty stack, it returns robust. This analysis is proven sound and complete. To scale, Calzone parallelizes the analysis over multiple GPUs (for GPUPoly) and CPUs (for the MILP verifier). Technically, the first covering is split between the GPUs, each independently analyzes its assigned blocks and refines if needed.

The planning determines the block sizes of the first covering and of the refinements’ coverings. These are given as a K strategy, a decreasing series $k_{1}>\ldots>k_{m}$, where $k_{1}\leq\text{MAX\_K}=99$ and $k_{m}=t$. Calzone predicts the K strategy that minimizes the overall analysis time using dynamic programming, defined over the analysis time of the first covering, the average fraction of blocks that will be refined, and the analysis time of the refined blocks. This computation requires GPUPoly’s success rate and average analysis time for neighborhoods $I_{S}(x)$, for all $|S|\leq\text{MAX\_K}$. These are estimated by sampling $n_{\text{samples}}=400$ sets $S$ for every $k\leq\text{MAX\_K}$ and submitting their neighborhood $I_{S}(x)$ to GPUPoly.

As described, the analysis obtains coverings from a database. This database has been populated by obtaining well-optimized coverings from online resources and extending them for large values of $v$ and $k$ using general covering constructions. Because of these general constructions, the database’s coverings tend to be far from the Schönheim bound [29], the best-known general lower bound, especially for large values of $v$ (the image dimension). This inefficiency results in longer analysis, since more blocks are analyzed.

Finite geometry covering constructions are widely known for obtaining small (sometimes optimal) coverings [27, 1, 16]. Popular finite geometry constructions rely on projective geometry (PG) or affine geometry (AG). We focus on PG, but our approach extends to AG. A PG construction views the problem of constructing a covering for a given ($v$, $k$, $t$) from a finite geometry point of view, where $v$ is the number of points in the geometry. It constructs coverings by computing flats (linear subspaces) of dimension $t-1$, each containing $k$ points. Since every $t$ points from $[v]$ are contained in at least one flat [27], the flats provide a covering. Figure 2 shows the Fano plane, a well-known example. In this example, there are $v=7$ points, the flats are of dimension $t-1=1$ (the lines and the circle), each containing $k=3$ points. The set of flats forms a covering, where each flat is a block: $C(7,3,2)=\{\{1,2,3\},\{1,4,6\},\{1,5,7\},\{2,4,7\},\{2,5,6\},\{3,4,5\},\{3,6,7\}\}$. PG coverings exist for triples where $v=\frac{q^{m+1}-1}{q-1}$ and $k=\frac{q^{t}-1}{q-1}$, for a prime power $q$ and $m\geq t\geq 2$ (it also exists for $m=t-1$, but then $v=k$, which is unhelpful to our analysis). Because PG is restricted to such triples, Calzone cannot effectively leverage it for the first covering, whose $v$ and $t$ are given. This is because for common image dimensions (e.g., $v=784$ for MNIST and $v=1024$ for CIFAR-10), there are no suitable $q$ and $m$. Even if there are suitable $q$ and $m$, there are very few possible $k$ values, which are unlikely to include or be close to an optimal value of $k$. Thus, either they are smaller than an optimal $k$, leading to larger coverings and a longer analysis time, or that they are larger than an optimal $k$ and have a lower success rate, leading to many refinements, resulting, again, in a longer analysis time. For example, for $v=364$ and $t=5$, the only suitable values are $q=3$ and $m=5$ (i.e., $364=({3^{5+1}-1})/({3-1})$), namely there is only one triple for these values of $v$ and $t$. In this triple, $k=({3^{5}-1})/({3-1})=121$. Since $k\approx\frac{v}{3}$, neighborhoods $I_{S}(x)$ for which $|S|=121$ are not likely to be robust, thus such $k$ is likely to have a low success rate. Induced coverings [16] enable to leverage finite geometry coverings for other $(v,k,t)$ triples, as next explained.

Given $v\leq v^{\prime}$ and $k\leq k^{\prime}$, a covering $C(v^{\prime},k^{\prime},t)$ can be induced to form a covering $C(v,k,t)$ [16]. The induced covering is obtained in three steps. First, we select a subset of numbers of size $v$, denoted $L\subseteq[v^{\prime}]$, and remove every $l\in[v^{\prime}]\setminus L$ from every block in $C(v^{\prime},k^{\prime},t^{\prime})$. This results in a set of blocks of different sizes that covers all subsets of $L$ of size $t$ [27, Lemma 1]. This follows since every subset $S\subseteq L$ of size $t$ is a subset of $[v^{\prime}]$ and thus there is $B\in C(v^{\prime},k^{\prime},t)$ such that $S\subseteq B$. The first step removes from $B$ only numbers from $[v^{\prime}]\setminus L$ and thus $S$ is contained in the respective block to $B$ after this step. The next two steps fix blocks whose size is not $k$. The second step extends every block whose size is smaller than $k$ with numbers from $L$. The third step refines every block whose size is larger than $k$ to multiple blocks of size $k$ that cover all of its subsets of size $t$. This step significantly increases the number of blocks, unless the number of blocks larger than $k$ is negligible. We note that these steps provide a covering over the numbers in $L$ (i.e., $C_{L}(|L|,k,t)$). A covering for $(|L|,k,t)$ can be obtained by renaming the numbers to range over $[|L|]$.

Our new covering design is an instance of a partially-induced covering. A partially-induced covering is the set of blocks obtained by the first step, where the blocks cover all subsets of $L$ of size $t$ and are of different sizes. For example, for the Fano plane and $L_{1}=\{4,5,6,7\}$, the partially-induced covering is: $C_{1}=\{\{\},\{4,6\},\{5,7\},\{4,7\},\{5,6\},\{4,5\},\{6,7\}\}$, while for $L_{2}=\{1,2,3,4\}$, it is: $C_{2}=\{\{1,2,3\},\{1,4\},\{1\},\{2,4\},\{2\},\{3,4\},\{3\}\}$. Partially-induced coverings have two benefits in our setting: (1) by not extending blocks whose size is smaller than $k$, we increase the likelihood that GPUPoly will prove their robustness, and (2) by not refining blocks whose size is larger than $k$, we (a) preserve the number of blocks as in the original covering, (b) provide GPUPoly an opportunity to verify these blocks, and (c) rely on the optimal refinement sizes (computed by the dynamic programming) for blocks that GPUPoly fails proving robustness. Our covering design partially induces PG coverings, to obtain additional benefits for $L_{0}$ robustness verification.

Given the number of pixels $v$ and the number of pixels to perturb $t$, a covering verification design (CVD) is the set of blocks obtained by partially inducing a PG covering $C(v^{\prime},k^{\prime},t)$, where $v\leq v^{\prime}$, using a random set of numbers $L\subseteq[v^{\prime}]$ of size $v$. The numbers in the blocks can later be renamed to range over $[v]$. For example, since the Fano plane is a PG covering, the partially-induced coverings $C_{1}$ and $C_{2}$ are CVDs. A CVD has two important properties. First, it is a partially-induced covering and thus has all the aforementioned advantages in our setting. In particular, its size is equal to the size of the original covering, which is highly beneficial since CVD induces from PG coverings, known for their small size. Second, although different sets $L$ lead to different block size distributions, we prove that the mean block size and its variance are the same regardless of the choice of $L$. Further, we identify closed-form expressions for them and show that the variance is bounded by the mean. For example, although the block size distributions of $C_{1}$ and $C_{2}$ are different, they have the same average block size ($\frac{12}{7}$) and the same variance ($\frac{24}{49}$). This property has practical advantages: (1) it allows us to estimate the block size distribution (Section 4.2), and (2) since the variance is bounded by the mean, the smaller the mean block size, the less likely that there are very large blocks, which are less likely to be proven robust by GPUPoly. To prove this property, we rely on the fact that PG coverings (and AG coverings) are also a combinatorial design called a balanced incomplete block design (BIBD) [7, Part VII, Proposition 2.36]. We next describe BIBD and then state our theorem on its mean and variance.

Given positive integers $(v,b,r,k,\lambda)$, a BIBD is a set of $b$ blocks, each is a subset of $[v]$ of size $k$, such that every $i\in[v]$ appears in $r$ blocks and every $i\neq j\in[v]$ appear together in $\lambda$ blocks. For example, the Fano plane is a BIBD with $v=7,b=7,r=3,k=3,\lambda=1$. This is because it has $b=7$ blocks, each block is a subset of $[v]=\{1,\dots,7\}$ of size $k=3$, every number in $\{1,\dots,7\}$ appears in $r=3$ blocks and every two different numbers appear together in $\lambda=1$ block. Given a BIBD with parameters $(v^{\prime},b,r,k^{\prime},\lambda)$, we define a partially-induced BIBD for $v\leq v^{\prime}$ by selecting a subset of numbers $L\subseteq[v^{\prime}]$ of size $v$ and removing every $l\in[v^{\prime}]\setminus L$ from every block in the BIBD (empty blocks or repetitive blocks are kept). While the distribution of the induced blocks’ sizes depends on $L$, the mean block size and its variance depend only on $v,v^{\prime},k^{\prime}$.