TY - JOUR
T1 - Reachable sets of classifiers and regression models
T2 - (non-)robustness analysis and robust training
AU - Kopetzki, Anna Kathrin
AU - Günnemann, Stephan
N1 - Publisher Copyright: © 2021, The Author(s).
PY - 2021/6
Y1 - 2021/6
AB - Neural networks achieve outstanding accuracy in classification and regression tasks. However, understanding their behavior still remains an open challenge that requires questions to be addressed on the robustness, explainability and reliability of predictions. We answer these questions by computing reachable sets of neural networks, i.e. sets of outputs resulting from continuous sets of inputs. We provide two efficient approaches that lead to over- and under-approximations of the reachable set. This principle is highly versatile, as we show. First, we use it to analyze and enhance the robustness properties of both classifiers and regression models. This is in contrast to existing works, which are mainly focused on classification. Specifically, we verify (non-)robustness, propose a robust training procedure, and show that our approach outperforms adversarial attacks as well as state-of-the-art methods of verifying classifiers for non-norm bound perturbations. Second, we provide techniques to distinguish between reliable and non-reliable predictions for unlabeled inputs, to quantify the influence of each feature on a prediction, and compute a feature ranking.
KW - Neural network
KW - Reachable set
KW - Robustness
KW - Verification
UR - http://www.scopus.com/inward/record.url?scp=85105400257&partnerID=8YFLogxK
U2 - 10.1007/s10994-021-05973-0
DO - 10.1007/s10994-021-05973-0
M3 - Article
AN - SCOPUS:85105400257
SN - 0885-6125
VL - 110
SP - 1175
EP - 1197
JO - Machine Learning
JF - Machine Learning
IS - 6
ER -