Formal Verification of Object Detection

In computer vision, various tasks aim to understand and interpret visual data, each with its own unique challenges. Image classification models categorize entire images into predefined classes. Formally, such a model takes an input image $\mathcal{I}$ and maps it to a class label $c$, chosen from a discrete set of possible labels $\mathcal{C}$. Each label is assigned a confidence score, and the highest score indicates the predicted class.

Object Detection (OD) extends this by not only identifying the classes present in an image but also localizing each object by predicting bounding boxes. An OD model takes an input image $\mathcal{I}$ and produces a set of bounding boxes $\mathcal{B}$. Each bounding box in $\mathcal{B}$ is a tuple ${(x,y,w,h,c)}$, where ${(x,y)}$ represents the coordinates of the top-left corner, ${(w,h)}$ denotes its dimensions, and $c$ signifies the detected object’s class label.

An adversarial attack involves intentionally altering an original data point $\mathcal{I}_{0}\in\mathbb{R}^{d}$ to a different one, $\mathcal{I}\in\mathbb{R}^{d}$, with $\mathcal{I}\neq\mathcal{I}_{0}$, so that the altered data is interpreted differently by the model, potentially leading to incorrect or unintended outputs.

In formal verification, the objective is to ensure that the neural network satisfies certain desired properties under all possible input scenarios within a specified input set. The input set $\mathcal{I}$ is often defined by a set of constraints $\mathcal{C}_{in}$, which bound the possible values the input can take. For instance, given an input $\mathcal{I}_{0}$, the input set could be defined as all points $\mathcal{I}$ such that the difference between $\mathcal{I}$ and $\mathcal{I}_{0}$ is within a specified range: $|\mathcal{I}-\mathcal{I}_{0}|\leq\delta$, where $\delta$ represents the allowable perturbation.

The model’s output, denoted as $\mathcal{O}=f(\mathcal{I})$, is then verified against a set of output constraints $\mathcal{C}_{out}$, which define the expected or acceptable behavior of the model. The task is to prove that for all inputs $\mathcal{I}$ satisfying $\mathcal{C}_{in}$, the outputs $\mathcal{O}$ will satisfy $\mathcal{C}_{out}$. Formally, the verification problem can be stated as:

This ensures that the neural network behaves correctly for all possible inputs within the defined constraints, providing a strong guarantee of the model’s reliability in practical scenarios.

For image classification verification, the goal is to ensure that a model reliably predicts the correct class label under input variations. The input constraints $\mathcal{C}_{in}$ define permissible modifications to an original image $\mathcal{I}_{0}$, forming a set of inputs $\mathcal{I}$ where $|\mathcal{I}-\mathcal{I}_{0}|\leq\delta$. This ensures that all modified inputs remain sufficiently similar to the original.

The output constraints $\mathcal{C}_{out}$ require that the predicted class label remains consistent for any input $\mathcal{I}$ within $\mathcal{C}_{in}$. This consistency is crucial for maintaining classification accuracy despite input perturbations within the specified range. So far, such verification techniques in computer vision have been limited to image classification tasks.

Unlike the classification domain, which typically revolves around a singular option – misclassification – OD presents a broader range of potential attack vectors. In OD, adversaries have multiple avenues to explore, including:

1. 1.

   Misclassification: This attack vector mirrors classification-based adversarial attacks and involves deliberately causing OD models to incorrectly label detected objects. Formally, when the output of the OD model is a tuple $\mathcal{D}=(x,y,h,w,c)$, misclassification occurs when $c\neq\text{ground truth}$.

2. 2.

   Mislocalization: This attack vector involves perturbing the localization aspect of OD models, thereby causing them to erroneously estimate the position and extent of objects within the image. Formally, mislocalization occurs when any of the localization parameters ($x$, $y$, $h$, or $w$) deviates significantly from their ground truth values, leading to inaccurate object localization. Given that perfect matching is rarely attainable, the success of the mislocalization attack is assessed by calculating the Intersection over Union (IoU) between the original detection and the perturbed one. If the IoU is below a predefined threshold, it signifies the effectiveness of the attack.

   IoU is the shared area between the actual object and the detected one, formally defined using bounding box (bb) notations as:

   $$\text{IoU}=\frac{\text{Area of Overlap between the detected bb and the ground truth bb}}{\text{Area of Union between the detected bb and the ground truth bb}}$$

   Using mathematical symbols, this can be represented as:

   $$\text{IoU}=\frac{|A\cap B|}{|A\cup B|}$$

   where $A$ represents the area of the detected bounding box, and $B$ represents the area of the ground truth bounding box.

3. 3.

   Misdetection/False Positives: In this scenario, the aim is to manipulate the model into either missing the detection of genuine objects or generating false positives—detecting objects that are not present in the image. Assume there are $d$ objects in a given image, each represented as a ground truth tuple $\mathcal{G}_{i}=(x_{i},y_{i},h_{i},w_{i},c_{i})$ for $i=1,2,\ldots,d$. The output of the OD model is represented as a set of tuples $\mathcal{D}=\{\mathcal{D}_{1},\mathcal{D}_{2},\ldots,\mathcal{D}_{n}\}$, where each $\mathcal{D}_{j}=(x_{j},y_{j},h_{j},w_{j},c_{j})$ corresponds to a detected object by the model. An attack of this type could manifest in one of two ways:

   Missing Genuine Objects: For any $\mathcal{G}_{i}$, if there exists no $\mathcal{D}_{j}$ such that $c_{j}=c_{i}$ and the IoU between $\mathcal{G}_{i}$ and $\mathcal{D}_{j}$ exceeds a predefined threshold, it indicates that a genuine object has been missed by the OD model.

   False Positives: If there exists $\mathcal{D}_{j}$ for which $c_{j}$ does not match any ground truth class label and the IoU between $\mathcal{D}_{j}$ and all $\mathcal{G}_{i}$ is below a predefined threshold, it suggests the generation of false positives, where non-existent objects are erroneously detected. The effectiveness of the attack is determined by assessing the occurrences of these two scenarios.

After establishing the preliminaries and defining formal verification for image classification, we expand the scope to include other key computer vision tasks. We begin by explaining the different types of attacks in detail, then integrate them into a comprehensive, unified formulation.

Object detection involves both locating and classifying one or more objects in an image. The most straightforward attack targets the classification aspect, similar to traditional neural network verification methods. However, the more intriguing challenge lies in extending beyond classification to handle the unique characteristics of OD. Unlike classification, OD deals with multiple objects in an image, introducing the possibility of attacks that manipulate the number of detected objects. Furthermore, the natural extension of these attacks focuses on localization, aiming to deceive the detector into identifying objects but placing them in incorrect locations.

Up to this point, the unique attacks specific to object detection, which is not found in classification, have been outlined: targeting multiple objects and localization errors. While the input constraints remain the same, the output constraints differ. However, these constraints share a common foundation, allowing for a generic formulation. As previously stated, the most general form of the output constraint is $\forall\mathcal{I}\in\mathcal{C}_{in},\quad f(\mathcal{I})\in\mathcal{C}_{out}$. First, let’s demonstrate how each type of attack aligns with this form:

For the attack on the number of detected objects, the verification process aims to align the detected objects with the ground truth. Naively, the number of detected object ($\#\mathcal{B}$) should be aligned with the number of ground truth $\#GT$. Since false-positives and false-negatives cancel each other in $\#\mathcal{B}$, the desired property is changed: $\#\mathcal{B}_{\text{positive}}=\#GT_{\text{positive}}$. This constraint ensures that the true positive detections align with the ground truth, providing a more reliable assessment of object detection performance and effectively capturing both false positives and false negatives.

For localization, the focus is on the positions of the detected objects. The Intersection over Union (IoU) measure quantifies the overlap between detections and ground truth objects. If the IoU of each detected object exceeds a predefined threshold, $\tau$, and the detected class labels are accurate, then the objects are considered to be correctly located. This measure indicates the degree of agreement between the detected bounding box and the ground truth. The motivation here is to verify that the IoU of each detected object is indeed higher than $\tau$, ensuring accurate localization and reliable assessment of detection performance.

To implement these operations and constraints, we explored two directions, each with its pros and cons, which we will discuss. The first approach, the more direct and naïve one, aims to be as implicit as possible. This means running a given network, taking its native output, and querying it using a verifier with minimal required modifications. The second approach is to be explicit: encode each unique operation as a neural network layer, which can be verified natively. While the first method is general and offloads most of the process to behind the scenes, it forces the verifier to abstract all network operations. In contrast, the second approach, being more explicit, shifts the responsibility to us and leaves the verifier to encode known operations. This method is, of course, more complex but offers greater control and enables more feasible scenarios.

Since the first method requires no additional formal definitions we focus here on the formulation of the second approach. A verifier originally designed for classification can be adapted to other tasks by encoding unique operators or stages as DNN layers, which can then be integrated into the verifier. The network itself is standard, consisting of linear layers and non-linear activations. Those layers and activations are commonly encoded into the verifier, and we add encoding for specialized tasks, such as matching detection and ground truth for OD. This approach ensures that these specialized operators are rigorously formulated and effectively encoded into the standard verifier.

Given two bounding boxes $B_{gt}=(x_{g},y_{g},w_{g},h_{g})$ and $B_{dt}=(x_{d},y_{d},w_{d},h_{d})$, the IoU can be calculated using the following definitions and constraints:

The coordinates of the intersection rectangle between $B_{gt}$ and $B_{dt}$ are:

The width ($w_{i}$) and height ($h_{i}$) of the intersection are given by:

The area of the intersection ($A_{I}$) is $w_{i}\cdot h_{i}$.

The areas of each bounding box are:

The area of the union is:

The IoU is defined as:

To enforce the constraint $IoU>\tau$, we express this as a linear constraint,which can be encoded using ReLU activation:

Fig. 2 illustrates how the IoU between a single ground truth and a single detection can be encoded as a piecewise layer.

The matching between all ground truth and detection objects requires handling multiple bounding boxes, which necessitates using this encoding and adding another layer. When working with lists of detection boxes $dts=\{B_{dt1},B_{dt2},\ldots,B_{dtn}\}$ and ground truth boxes $gts=\{B_{gt1},B_{gt2},\ldots,B_{gtm}\}$, we introduce binary variables $z_{ij}$ to indicate whether the IoU condition is met for each pair $(dt_{i},gt_{j})$:

In order to verify whether at least one or all objects are accurately detected. At least one pair meets the IoU condition of:

Where we aim to verify that all objects are detected correctly, with no false positives, each detection $dt_{i}$ must match one ground truth $gt_{j}$, and vice versa. Here, we define $z_{ij}$ as a binary indicator where $z_{ij}=1$ if detection $dt_{i}$ matches ground truth $gt_{j}$, and 0 otherwise:

This binarization is approximate, as explained at the end of section 3. It is important to note that this approximation makes this particular verification incomplete. Using the binarized values of $z_{ij}$, the following constraints ensure accurate matching:

1. 1.

   Each detection matches exactly one ground truth:

   $$\sum_{j=1}^{m}z_{ij}=1,\quad\forall i\in\{1,\ldots,n\}.$$

2. 2.

   Each ground truth is matched by exactly one detection:

   $$\sum_{i=1}^{n}z_{ij}=1,\quad\forall j\in\{1,\ldots,m\}.$$

These constraints ensure that detections accurately match the ground truths without false positives or false negatives.

Fig. 3 illustrates how the final constraints $C_{out}$ are encoded to verify both cases: missing all objects and not detecting all of them.

The Heaviside step function, traditionally denoted as $H(x)$, is defined as zero for $x<0$ and one for $x\geq 0$. In computational settings, where a smooth and differentiable approximation is required, the sigmoid function can be utilized as an effective surrogate. The sigmoid function $S(x)$, defined by the formula:

provides a smooth transition between 0 and 1. The parameter ‘slope’ adjusts the steepness of the sigmoid function’s curve, making it versatile for different levels of approximation granularity. This property makes the sigmoid function particularly useful in scenarios where a gradual change is more physically realistic or numerically stable than an abrupt switch.

Figure 4 illustrates the approximation of the Heaviside function by the sigmoid function over a range of slope values, $\text{slope}\in\{1,10,100,1000\}$. As depicted, for high slope values, $S(x)$ serves as a very good approximation of $H(x)$, closely mirroring its behavior due to the sharper transition at $x=0$.

In our context, we used this approximation for binarizing variables, allowing us to encode them as a single layer. However, verification properties that rely on this approximation are inherently incomplete.