Deployment of deep neural networks (DNNs) in safety-or security-critical systems requires provable guarantees on their correct behaviour. A common requirement is robustness to adversarial perturbations in a neighbourhood around an input. In this paper we focus on the L0 norm and aim to compute, for a trained DNN and an input, the maximal radius of a safe norm ball around the input within which there are no adversarial examples. Then we define global robustness as an expectation of the maximal safe radius over a test data set. We first show that the problem is NP-hard, and then propose an approximate approach to iteratively compute lower and upper bounds on the network's robustness. The approach is anytime, i.e., it returns intermediate bounds and robustness estimates that are gradually, but strictly, improved as the computation proceeds; tensor-based, i.e., the computation is conducted over a set of inputs simultaneously, instead of one by one, to enable efficient GPU computation; and has provable guarantees, i.e., both the bounds and the robustness estimates can converge to their optimal values. Finally, we demonstrate the utility of the proposed approach in practice to compute tight bounds by applying and adapting the anytime algorithm to a set of challenging problems, including global robustness evaluation, competitive L0 attacks, test case generation for DNNs, and local robustness evaluation on large-scale ImageNet DNNs. We release the code of all case studies via GitHub 1 . 1 The code is available in https://github.com/TrustAI/L0-TRE arXiv:1804.05805v2 [cs.LG] 20 Nov 2018Safety certification for DNNs is challenging owing to the black-box nature of DNNs and the lack of rigorous foundations. An important low-level requirement for DNNs is the robustness to input perturbations. DNNs have been shown to suffer from poor robustness because of their susceptibility to adversarial examples [29]. These are small modifications to an input, sometimes imperceptible to humans, that make the network unstable. As a result, significant effort has been directed towards approaches for crafting adversarial examples or defending against them [2,5,18]. However, the cited approaches provide no formal guarantees, i.e., no conclusion can be made whether adversarial examples remain or how close crafted adversarial examples are to the optimal ones.Recent efforts in the area of automated verification [8,9] have instead focused on methods that generate adversarial examples, if they exist, and provide rigorous robustness proofs otherwise. These techniques rely on either a layer-by-layer exhaustive search of the neighbourhood of an image [8], or a reduction to a constraint solving problem by encoding the network as a set of constraints [9]. Constraint-based approaches are limited to small networks. Exhaustive search, on the other hand, applies to large networks but suffers from the state-space explosion problem. To mitigate this, a Monte-Carlo tree search has been employed [31]. Moreover, a game-based approximate verification approach that...
