Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

VeriFlow: Modeling Distributions for Neural Network Verification

Faried Abu Zaid, Daniel Neider, Mustafa Yalçıner

TL;DR

The paper addresses the challenge of formally verifying neural networks on inputs that are meaningful in practice, rather than the entire input space. It introduces VeriFlow, a flow-based density model that is bijective and piecewise affine, preserving density level sets between the base distribution $B$ and the data distribution $D$ so verification can be confined to upper density level sets (UDLs) described by linear constraints in the latent space via $p_D(x)=p_B(F^{-1}(x))\left|\det \frac{\partial F^{-1}}{\partial x^T}\right|$. For radial base distributions, UDLs map to simple norm-based intervals, enabling straightforward latent-space descriptions and seamless integration with constraint-based verifiers and neuro-symbolic pipelines. Empirical results on MNIST and FashionMNIST demonstrate faithful latent norm distributions, competitive density estimation (vs. MACow) with a learnable radial base, and practical verification gains, with an open-source VeriFlow library and ONNX export to support broader adoption.

Abstract

Formal verification has emerged as a promising method to ensure the safety and reliability of neural networks. However, many relevant properties, such as fairness or global robustness, pertain to the entire input space. If one applies verification techniques naively, the neural network is checked even on inputs that do not occur in the real world and have no meaning. To tackle this shortcoming, we propose the VeriFlow architecture as a flow-based density model tailored to allow any verification approach to restrict its search to some data distribution of interest. We argue that our architecture is particularly well suited for this purpose because of two major properties. First, we show that the transformation that is defined by our model is piecewise affine. Therefore, the model allows the usage of verifiers based on constraint solving with linear arithmetic. Second, upper density level sets (UDL) of the data distribution are definable via linear constraints in the latent space. As a consequence, representations of UDLs specified by a given probability are effectively computable in the latent space. This property allows for effective verification with a fine-grained, probabilistically interpretable control of how a-typical the inputs subject to verification are.

VeriFlow: Modeling Distributions for Neural Network Verification

TL;DR

The paper addresses the challenge of formally verifying neural networks on inputs that are meaningful in practice, rather than the entire input space. It introduces VeriFlow, a flow-based density model that is bijective and piecewise affine, preserving density level sets between the base distribution and the data distribution so verification can be confined to upper density level sets (UDLs) described by linear constraints in the latent space via . For radial base distributions, UDLs map to simple norm-based intervals, enabling straightforward latent-space descriptions and seamless integration with constraint-based verifiers and neuro-symbolic pipelines. Empirical results on MNIST and FashionMNIST demonstrate faithful latent norm distributions, competitive density estimation (vs. MACow) with a learnable radial base, and practical verification gains, with an open-source VeriFlow library and ONNX export to support broader adoption.

Abstract

Formal verification has emerged as a promising method to ensure the safety and reliability of neural networks. However, many relevant properties, such as fairness or global robustness, pertain to the entire input space. If one applies verification techniques naively, the neural network is checked even on inputs that do not occur in the real world and have no meaning. To tackle this shortcoming, we propose the VeriFlow architecture as a flow-based density model tailored to allow any verification approach to restrict its search to some data distribution of interest. We argue that our architecture is particularly well suited for this purpose because of two major properties. First, we show that the transformation that is defined by our model is piecewise affine. Therefore, the model allows the usage of verifiers based on constraint solving with linear arithmetic. Second, upper density level sets (UDL) of the data distribution are definable via linear constraints in the latent space. As a consequence, representations of UDLs specified by a given probability are effectively computable in the latent space. This property allows for effective verification with a fine-grained, probabilistically interpretable control of how a-typical the inputs subject to verification are.
Paper Structure (24 sections, 5 theorems, 14 equations, 12 figures)

This paper contains 24 sections, 5 theorems, 14 equations, 12 figures.

Table of Contents

  1. Introduction
  2. Summary
  3. Preliminaries
  4. Base Distributions
  5. Piecewise Affine Flows
  6. VeriFlow: A Density-Preserving Architecture
  7. The Components of VeriFlow
  8. Additive Coupling (NICE)
  9. Allowing Rescaling
  10. Computing log-Densities
  11. Masked Additive Coupling
  12. Additive Auto-Regression
  13. Masked Additive Convolutions
  14. LUNets
  15. Bijective Affine Layers
  16. ...and 9 more sections

Key Result

Proposition 1

Let $F:\mathbb{R}^d\to\mathbb{R}^d$ be a piecewise affine bijection, with affine regions $\mathcal{X}_1,\ldots,\mathcal{X}_n\in\mathcal{B}(\mathbb{R})^d$ and let $B$ be an absolutely continuous random variable. Then, $p_{F(B)}(x) = p_{B}(F^{-1}(x))\left|\det\frac{\partial F^{-1}}{\partial x}\right|$

Figures (12)

  • Figure 1: Verification of a global property
  • Figure 2: Visualization of a verification pipeline for an in-distribution verification of a classifier using VeriFlow. The procedure starts by defining the UDL exactly in the latent space. The true classification range w.r.t. the UDL equals the result of pushing the set consecutively through the flow and the classifier. An over-approximation can be obtained via abstract interpretation.
  • Figure 3: Comparison of PP-plots for VeriFlow on MNIST and FashionMNIST datasets. In both cases, the flexibility of the learnable norm distribution allows the model to tightly align norm distributions and the latent norms of the data.
  • Figure 4: Runtime verification results and model samples.
  • Figure 5: Negative log-likelihood (NLL) comparison of MACow and VeriFlow across datasets
  • ...and 7 more figures

Theorems & Definitions (12)

  • definition thmcounterdefinition: Radial Distributions and Radial Profile
  • definition thmcounterdefinition: $k$-Radial Distribution Construction
  • definition thmcounterdefinition
  • Proposition 1
  • proof
  • lemma thmcounterlemma
  • proof
  • Proposition 2: Density Level Set Preservation
  • proof
  • Corollary 1
  • ...and 2 more