Neural Network Verification with Branch-and-Bound for General Nonlinearities

Neural network (NN) verification aims to formally verify whether a neural network satisfies certain properties, such as safety or robustness properties, prior to its deployment in safety-critical applications. Existing NN verifiers typically compute certified bounds for the output given a pre-defined input region and check the desired properties on the output bounds. As computing exact bounds is NP-complete [18], it becomes crucial to relax the bound computation to improve the efficiency. Bound propagation methods [10, 15, 34, 40, 43, 48] have been commonly used, which relax nonlinearities in NNs into linear lower and upper bounds which can be efficiently propagated to finally bound the output of an entire NN.

To obtain tighter verified bounds, Branch-and-Bound (BaB) has been widely utilized [4, 5, 7, 11, 23, 41, 46] in state-of-the-art NN verifiers, where BaB iteratively branches the bounds of intermediate neurons, such that subproblems of verification are created and tighter bounds can be computed for each subproblem. However, previous works mostly focused on ReLU networks due to the simplicity of ReLU from its piecewise linear nature. Branching a ReLU neuron only requires branching at 0, and it immediately becomes linear in either branch around 0. Conversely, handling NNs with nonlinearities beyond ReLU introduces additional complexity as the convenience of piecewise linearity diminishes. It is important for verifying many models with non-ReLU nonlinearities, including: NNs with non-ReLU activation functions; more complex NNs such as LSTMs [17] and Transformers [38] which have nonlinearities including multiplication and division beyond activation functions; applications such as AC Optimal Power Flow (ACOPF) [14] where the verification problem is defined on a computational graph consisting of a NN and also several nonlinear operators encoding the nonlinear constraints to be verified. Although some previous works have considered BaB for NNs beyond ReLU networks, e.g., [15, 44] considered BaB on networks with S-shaped activations such as Sigmoid, these works still often specialize in specific and relatively simple types of nonlinearities. A more principled framework for handling general nonlinearities is lacking, leaving ample room for further advancements in verifying non-ReLU NNs.

We demonstrate the effectiveness of our GenBaB on a variety of networks, including feedforward networks with Sigmoid, Tanh, Sine, or GeLU activations, as well as LSTMs and Vision Transformers (ViTs). These models involve various nonlinearities including S-shaped activations, periodic trigonometric functions, and also multiplication and division which are multi-dimensional nonlinear operations beyond activation functions. We also enable verification on models for the AC Optimal Power Flow (ACOPF) application [14]. GenBaB is generally effective and outperforms existing baselines. The improvement from GenBaB is particularly significant for models involving functions with stronger nonlinearity. For example, on a \(4\times 100\) network with the Sine activation, GenBaB improves the verification from 4% to 60% instances verified (NNs with the Sine activation have been proposed for neural representations and neural rendering in Sitzmann et al. [35]).

The NN verification problem. Let \(f: {\mathbb {R}}^{d}\rightarrow {\mathbb {R}}^{K}\) be a neural network taking input \({\textbf{x}}\in {\mathbb {R}}^{d}\) and outputting \(f({\textbf{x}})\in {\mathbb {R}}^{K}\). Suppose \({\mathcal {C}}\) is the input region to be verified, and \(s:{\mathbb {R}}^{K}\rightarrow {\mathbb {R}}\) is an output specification function, \(h:{\mathbb {R}}^{d}\mapsto {\mathbb {R}}\) is the function that combines the NN and the output specification as \(h({\textbf{x}})=s(f({\textbf{x}}))\). NN verification can typically be formulated as verifying if \(h({\textbf{x}})>0, \forall {\textbf{x}}\in {\mathcal {C}}\) provably holds. A commonly adopted special case is robustness verification given a small input region, where \(f({\textbf{x}})\) is a K-way classifier and \(h({\textbf{x}}):==\min _{i\ne c}\{ f_c({\textbf{x}}) - f_i ({\textbf{x}})\}\) checks the worst-case margin between the ground-truth class c and any other class i. The input region is often taken as a small \(\ell _\infty \)-ball with radius \({\epsilon }\) around a data point \({\textbf{x}}_0\), i.e., \({\mathcal {C}}:==\{ {\textbf{x}}\mid \Vert {\textbf{x}}-{\textbf{x}}_0\Vert _\infty \!\le \!{\epsilon }\}\). This is a succinct and useful problem for provably verifying the robustness properties of a model and also for benchmarking NN verifiers, although there are other NN verification problems beyond robustness [3]. We mainly focus on this setting for its simplicity following prior works.

Linear bound propagation. We develop our GenBaB based on linear bound propagation [45, 48] for computing the verified bounds of each subproblem during the BaB. Linear bound propagation can lower bound \(h({\textbf{x}})\) by propagating linear bounds w.r.t. the output of one or more intermediate layers as \(h({\textbf{x}})\ge \sum \nolimits _i {\textbf{A}}_i \hat{{\textbf{x}}}_i + {\textbf{c}}~(\forall {\textbf{x}}\in {\mathcal {C}})\), where \( \hat{{\textbf{x}}}_i~(i\le n)\) is the output of intermediate layer i in the network \(f({\textbf{x}})\) with n layers, \({\textbf{A}}_i\) are the coefficients w.r.t. layer i, and \({\textbf{c}}\) is a bias term. In the beginning, the linear bound is simply \(h({\textbf{x}})\ge {\textbf{I}}\cdot h({\textbf{x}}) + {\boldsymbol{0}}\) which is actually an equality. In the bound propagation, \( {\textbf{A}}_i \hat{{\textbf{x}}}_i \) is recursively substituted by the linear bound of \(\hat{{\textbf{x}}}_i\) w.r.t its input. For simplicity, suppose layer \(i-1\) is the input to layer i and \(\hat{{\textbf{x}}}_i=h_i(\hat{{\textbf{x}}}_{i-1})\), where \(h_i(\cdot )\) is the computation for layer i. And suppose we have the linear bounds of \(\hat{{\textbf{x}}}_i\) w.r.t its input \(\hat{{\textbf{x}}}_{i-1}\) as:with parameters \(\underline{{\textbf{a}}}_i,\underline{{\textbf{b}}}_i,\overline{{\textbf{a}}}_i,\overline{{\textbf{b}}}_i\) for the linear bounds, and “\(\le \)” holds elementwise. Then \({\textbf{A}}_i\hat{{\textbf{x}}}_i\) can be substituted and lower bounded by \({\textbf{A}}_i\hat{{\textbf{x}}}_i\ge {\textbf{A}}_{i-1} \hat{{\textbf{x}}}_{i-1} +\big ({\textbf{A}}_{i,+} \underline{{\textbf{b}}}_i +{\textbf{A}}_{i,-} \overline{{\textbf{b}}}_i\big )\), where \({\textbf{A}}_{i-1}={\textbf{A}}_{i,+} \underline{{\textbf{a}}}_i +{\textbf{A}}_{i,-} \overline{{\textbf{a}}}_i\), (“+” and “-” in the subscripts denote taking positive and negative elements, respectively). In this way, the linear bounds are propagated from layer i to layer \(i-1\). Ultimately, the linear bounds can be propagated to the input of the network \({\textbf{x}}\) as \( h({\textbf{x}})\ge {\textbf{A}}_0 {\textbf{x}}+ {\textbf{c}}~({\textbf{A}}_0\in {\mathbb {R}}^{1\times d})\), where the input can be viewed as the 0-th layer. Depending on \({\mathcal {C}}\), this linear bound can be concretized into a lower bound without \({\textbf{x}}\). We focus on settings where \({\mathcal {C}}\) is an \(\ell _\infty \)-ball as mentioned above, and thereby we have:To obtain (1), if \(h_i\) is a linear operator, we simply have \(\underline{{\textbf{a}}}_i \hat{{\textbf{x}}}_{i-1} + \underline{{\textbf{b}}}_i= \overline{{\textbf{a}}}_i \hat{{\textbf{x}}}_{i-1} + \overline{{\textbf{b}}}_i=h_i(\hat{{\textbf{x}}}_{i-1})\) which is \(h_i\) itself. Otherwise, linear relaxation is used, which relaxes a nonlinearity and bound the nonlinearity by linear functions. An intermediate bound on \(\hat{{\textbf{x}}}_{i-1}\) as \({\textbf{l}}_{i-1}\le \hat{{\textbf{x}}}_{i-1}\le {\textbf{u}}_{i-1}\) is usually required for the relaxation, which can be obtained by treating the intermediate layer as the output of a network and running additional bound propagation.

Due to the NP-complete nature of the NN verification [18], linear bound propagation [34, 43, 48] has been proposed to relax nonlinearities in a NN network using linear lower and upper bounds and then propagate the linear relationship between different layers, so that tractable output bounds can be efficiently computed for much larger NNs with various architectures [2, 19, 31, 45]. A limitation of using linear bound propagation only is that the linear relaxation, which depends on the output bounds of intermediate layers, can often have a limited tightness as the intermediate bounds gradually become looser in later layers. Therefore, branch-and-bound (BaB) has been an essential technique in state-of-the-art verifiers [5, 7, 16, 20, 23, 30, 39, 41, 44, 46] leveraging linear relaxation, which iteratively branches the intermediate bounds of selected neurons to enable tight linear relaxation and compute tighter output bounds. However, most of the existing works on the BaB for NN verification have focused on ReLU networks with the piecewise-linear ReLU activation function, and they are not directly applicable to NNs with nonlinearities beyond ReLU. Nevertheless, there are several previous works on the BaB for verifying NNs with nonlinearities other than ReLU. Henriksen and Lomuscio [15] conducted BaB on Sigmoid and Tanh networks, but their framework depends on a commercial LP solver which has been argued as less effective than recent NN verification methods using linear bound propagation [41]. Besides, Wu et al. [44] studied verifying Sigmoid networks with counter-example-guided abstraction refinement. These works have focused on S-shaped activations such as Sigmoid and Tanh, and there still lacks a general framework supporting general nonlinearities beyond a particular type of activation functions, which we address in this paper.

Orthogonal to our contributions on BaB for general nonlinearities, many works studied the verification of NNs with various nonlinearities without considering BaB, by improving the linear relaxation or extending the support of verification to various architectures or specifications: Sigmoid and Tanh networks [2, 6, 48], RNNs and LSTMs [9, 19, 26, 29, 37, 49], Transformers [1, 32, 42, 50], general computational graphs [45], and specifications on activation patterns instead of input [12]. Contributions along these lines may be combined with our work, as our BaB is independent from the underlying linear relaxation adopted. Moreover, some works improved the branching heuristic for verifying ReLU networks: Lu and Mudigonda [23] proposed to use a Graph Neural Network for the branching heuristic; De Palma et al. [7] proposed Filtered Smart Branching (FSB) which filters initial candidates by a heuristic score and then uses a more accurate bound computation to select an optimal neuron from a shortlist; Ferrari et al. [11] considered the effect of a tighter multi-neuron relaxation in the branching heuristic. These insights originally for ReLU networks may inspire future improvement of the BaB for general nonlinearities.

To conclude, we propose a general BaB framework for NN verification involving general nonlinearities in general computational graphs. We also propose a new branching heuristic for deciding branched neurons and a pre-optimization procedure for deciding branching points. Experiments on verifying NNs with various nonlinearities demonstrate the effectiveness of our method.