Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Patch Synthesis for Property Repair of Deep Neural Networks

Zhiming Chi, Jianan Ma, Pengfei Yang, Cheng-Chao Huang, Renjue Li, Xiaowei Huang, Lijun Zhang

TL;DR

PatchPro tackles local robustness repair for deep neural networks by introducing patch modules that are trained with a DeepPoly based loss to provably fix adversarial vulnerabilities within a perturbation neighborhood. An external indicator routes inputs to neighborhood specific patches, while a patch allocation strategy enables generalization to unseen data and maintains original network performance. The approach scales to large networks by performing repairs in a reduced feature space and by adding patches to the network output rather than altering the base model. Empirical results on MNIST, CIFAR-10, Tiny ImageNet, and ACAS Xu demonstrate provable repairs with high repair success, strong generalization, and competitive efficiency compared to state of the art.

Abstract

Deep neural networks (DNNs) are prone to various dependability issues, such as adversarial attacks, which hinder their adoption in safety-critical domains. Recently, NN repair techniques have been proposed to address these issues while preserving original performance by locating and modifying guilty neurons and their parameters. However, existing repair approaches are often limited to specific data sets and do not provide theoretical guarantees for the effectiveness of the repairs. To address these limitations, we introduce PatchPro, a novel patch-based approach for property-level repair of DNNs, focusing on local robustness. The key idea behind PatchPro is to construct patch modules that, when integrated with the original network, provide specialized repairs for all samples within the robustness neighborhood while maintaining the network's original performance. Our method incorporates formal verification and a heuristic mechanism for allocating patch modules, enabling it to defend against adversarial attacks and generalize to other inputs. PatchPro demonstrates superior efficiency, scalability, and repair success rates compared to existing DNN repair methods, i.e., realizing provable property-level repair for 100% cases across multiple high-dimensional datasets.

Patch Synthesis for Property Repair of Deep Neural Networks

TL;DR

PatchPro tackles local robustness repair for deep neural networks by introducing patch modules that are trained with a DeepPoly based loss to provably fix adversarial vulnerabilities within a perturbation neighborhood. An external indicator routes inputs to neighborhood specific patches, while a patch allocation strategy enables generalization to unseen data and maintains original network performance. The approach scales to large networks by performing repairs in a reduced feature space and by adding patches to the network output rather than altering the base model. Empirical results on MNIST, CIFAR-10, Tiny ImageNet, and ACAS Xu demonstrate provable repairs with high repair success, strong generalization, and competitive efficiency compared to state of the art.

Abstract

Deep neural networks (DNNs) are prone to various dependability issues, such as adversarial attacks, which hinder their adoption in safety-critical domains. Recently, NN repair techniques have been proposed to address these issues while preserving original performance by locating and modifying guilty neurons and their parameters. However, existing repair approaches are often limited to specific data sets and do not provide theoretical guarantees for the effectiveness of the repairs. To address these limitations, we introduce PatchPro, a novel patch-based approach for property-level repair of DNNs, focusing on local robustness. The key idea behind PatchPro is to construct patch modules that, when integrated with the original network, provide specialized repairs for all samples within the robustness neighborhood while maintaining the network's original performance. Our method incorporates formal verification and a heuristic mechanism for allocating patch modules, enabling it to defend against adversarial attacks and generalize to other inputs. PatchPro demonstrates superior efficiency, scalability, and repair success rates compared to existing DNN repair methods, i.e., realizing provable property-level repair for 100% cases across multiple high-dimensional datasets.
Paper Structure (23 sections, 2 theorems, 15 equations, 3 figures, 8 tables, 2 algorithms)

This paper contains 23 sections, 2 theorems, 15 equations, 3 figures, 8 tables, 2 algorithms.

Table of Contents

  1. Introduction
  2. Preliminary
  3. Methodology
  4. Structure of the repaired DNN
  5. Training the patch modules
  6. Patch allocation
  7. Repair in a feature space
  8. Experimental Evaluation
  9. Setup
  10. Dataset
  11. Baselines
  12. Metrics
  13. Repair performance
  14. Generalization
  15. Scalability Evaluation
  16. ...and 8 more sections

Key Result

Theorem 1

Let $\varphi=(F,B(x_i,r))$ be a local robustness property. If $\mathcal{L}(\varphi) = 0$ on $B(x_i,r)$, i.e., where $\mathrm{elmax}$ and $\mathrm{elmin}$ are the element-wise $\max$ and $\min$ operation, $\bm 0$ and $\bm 1$ are the vector in $\mathbb R^{n_0}$ with all the entries $0$ and $1$, respectively, then the property $\varphi$ holds.

Figures (3)

  • Figure 1: The architecture of a DNN repaired by PatchPro. It contains multiple patch networks for each input properties. Each of them is enabled or disabled according to the allocation signal "1" or "0" determined by the indicator. The blue lines highlights the indicator's workflow. The final output is the sum of the outputs of all the enabled patches and the original network.
  • Figure 2: A fully connected neural network $N$ with ReLU activations.
  • Figure 3: Results under the extreme setting.

Theorems & Definitions (10)

  • Definition 1
  • Definition 2
  • Definition 3
  • Definition 4
  • Theorem 1
  • Definition 5
  • Definition 6
  • Theorem 1
  • proof
  • Example 1