Certified Invertibility in Neural Networks via Mixed-Integer Programming
Abstract
Neural networks are known to be vulnerable to adversarial attacks, which are small, imperceptible perturbations that can significantly alter the network's output. Conversely, there may exist large, meaningful perturbations that do not affect the network's decision (excessive invariance). In our research, we investigate this latter phenomenon in two contexts: (a) discrete-time dynamical system identification, and (b) the calibration of a neural network's output to that of another network. We examine noninvertibility through the lens of mathematical optimization, where the global solution measures the ``safety'' of the network predictions by their distance from the noninvertibility boundary. We formulate mixed-integer programs (MIPs) for ReLU networks and $L_p$ norms ($p=1,2,\infty$) that apply to neural network approximators of dynamical systems. We also discuss how our findings can be useful for invertibility certification in transformations between neural networks, e.g., between different levels of network pruning.
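To make the certification question concrete: the paper's MIPs search globally, over all pairs of inputs, for the farthest pair (in a chosen $L_p$ norm) that a ReLU network maps to the same output, typically by encoding each ReLU with binary activation variables and big-M constraints. The toy sketch below (our illustration, not the paper's formulation or code) poses the same question for a two-unit network $f(x) = \mathrm{ReLU}(x) + \mathrm{ReLU}(-x) = |x|$ and answers it by brute-force grid search instead of a MIP solver, so it is exact only up to the grid resolution.

```python
# Brute-force sketch of the invertibility question a MIP would solve exactly:
# find the farthest pair of inputs that the network maps to (nearly) the
# same output. A large collision distance means the network is "far" from
# invertible; the paper's MIPs compute this globally for general ReLU nets.

def relu(z):
    return max(0.0, z)

def f(x):
    # Toy network (our choice): hidden weights [1, -1], zero biases,
    # output layer sums both units, so f(x) = |x| and f(x) = f(-x).
    return relu(1.0 * x) + relu(-1.0 * x)

def max_collision_distance(grid, eps=1e-9):
    """Largest |x - x'| over grid pairs with |f(x) - f(x')| <= eps."""
    best = 0.0
    for x in grid:
        for xp in grid:
            if abs(f(x) - f(xp)) <= eps:
                best = max(best, abs(x - xp))
    return best

grid = [i / 100.0 for i in range(-100, 101)]
print(max_collision_distance(grid))  # 2.0, since f(1.0) = f(-1.0) = 1.0
```

For this network the maximal collision distance on $[-1, 1]$ is 2, attained at the pair $(1, -1)$. The exhaustive double loop is exponential in input dimension, which is precisely why the paper replaces it with a mixed-integer program.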
Publication:
arXiv e-prints
 Pub Date:
 January 2023
 DOI:
 10.48550/arXiv.2301.11783
 arXiv:
 arXiv:2301.11783
 Bibcode:
 2023arXiv230111783C
Keywords:
Computer Science - Machine Learning;
Electrical Engineering and Systems Science - Systems and Control;
Mathematics - Optimization and Control
E-Print:
 22 pages, 7 figures