On Integer Programming for the Binarized Neural Network Verification Problem

Woojin Kim, James Luedtke

October 01, 2025

Abstract

Binarized neural networks (BNNs) are feedforward neural networks with binary weights and activation functions. In the context of using a BNN for classification, the verification problem seeks to determine whether a small perturbation of a given input can lead it to be misclassified by the BNN, and the robustness of the BNN can be measured by solving the verification problem over multiple inputs. The BNN verification problem can be formulated as an integer programming (IP) problem. However, the natural IP formulation is often challenging to solve due to a large integrality gap induced by big-\(M\) constraints. We present two techniques to improve the IP formulation. First, we introduce a new method for obtaining a linear objective for the multi-class setting. Second, we introduce a new technique for generating valid inequalities for the IP formulation that exploits the recursive structure of BNNs. We find that our techniques enable verifying BNNs against a higher range of input perturbation than existing IP approaches within a limited time.

1 Introduction↩︎

Binarized neural networks (BNNs) are feedforward neural networks with binary weights and activation functions ([1]). BNNs consist of the input layer \(\ell=0\), \(L\) hidden layers \(\ell=1,\ldots,L\), and the output layer \(\ell=L+1\). Each layer \(\ell\in \{0,1,\ldots,L+1\}\) consists of \(n^\ell\) neurons, \(N^\ell = \{1, \ldots, n^\ell \}\). Every \(i\in N^\ell\) is connected to every \(j\in N^{\ell- 1}\) with weight \(W_{ij}^\ell\in \{-1, 0, 1\}\) and has bias \(b_i^\ell\in \mathbb{Z}\) for \(\ell\in \{1, \ldots, L+ 1\}\).

Thanks to binary weights and activation functions, BNNs drastically reduce memory size and accesses and substantially improve power-efficiency over standard neural networks, replacing most arithmetic operations with bit-wise operations ([1]). BNNs have also achieved nearly state-of-the-art results in image classification ([1]). Moreover, BNNs have achieved results comparable to feedforward neural networks in image detection ([2]), image super resolution ([3]), and text classification ([4]). For these reasons, BNNs have been applied in small embedded devices ([5]).

In this work, we study the verification problem associated with a given BNN that is used to classify feature vectors. BNNs map a feature vector in \([0, 1]^{n^0}\) whose coordinates are quantized as multiples of \(\frac{1}{q}\) for \(q\in \mathbb{N}\) to the real output vector by the function \(f= (f_1, \ldots, f_{n^{L+ 1}}): \frac{1}{q} \mathbb{Z}_+^{n^0} \cap [0, 1]^{n^0} \to \mathbb{R}^{n^{L+ 1}}\) which is defined recursively using weights and biases in each layer. (See Section 2 for the detailed definition of \(f\).) Each \(t\in N^{L+ 1}\) corresponds to a class. A feature vector \(\bar{\mathbf{x}}\in \frac{1}{q} \mathbb{Z}_+^{n^0} \cap [0, 1]^{n^0}\) is classified as the class \(\bar{t}\in N^{L+ 1}\) that corresponds to \(\mathop{\mathrm{arg\,max}}_{t\in N^{L+ 1}} f_t(\bar{\mathbf{x}})\).

Verifying BNNs against input perturbation for multiple feature vectors provides a measure of their robustness. The BNN verification problem is defined for a given trained BNN, a given feature vector \(\bar{\mathbf{x}}\) with class \(\bar{t}\), and input perturbation \(\epsilon> 0\). We say that \(\bar{\mathbf{x}}\) is \(\epsilon\)-verified if the BNN classifies \(\mathbf{x}^0\) as \(\bar{t}\) for every feature vector \(\mathbf{x}^0 \in \frac{1}{q} \mathbb{Z}_+^{n^0} \cap [0, 1]^{n^0}\) having distance between \(\mathbf{x}^0\) and \(\bar{\mathbf{x}}\) at most \(\epsilon\). The BNN verification problem is to determine whether a given \(\bar{\mathbf{x}}\) can be \(\epsilon\)-verified in the BNN. The answer is true if and only if there does not exist a feature vector \(\mathbf{x}^0\) with distance at most \(\epsilon\) from \(\bar{\mathbf{x}}\) satisfying \(f_t(\mathbf{x}^0) > f_{\bar{t}}(\mathbf{x}^0)\) for some class \(t\ne \bar{t}\), which is equivalent to the following maximum \(z^*_\epsilon(\bar{\mathbf{x}})\) being non-positive: \[z^*_\epsilon(\bar{\mathbf{x}}) = \max_{\substack{\mathbf{x}^0 \in \frac{1}{q} \mathbb{Z}_+^{n^0} \cap [0, 1]^{n^0}\\ \lVert\mathbf{x}^0 - \bar{\mathbf{x}}\rVert_p \le \epsilon}} \Big\{f_t(\mathbf{x}^0) - f_{\bar{t}}(\mathbf{x}^0): t\in N^{L+ 1} \setminus \{\bar{t}\}\Big\}.\label{eq:bnnVeri}\tag{1}\] Here, the maximum perturbation from \(\bar{\mathbf{x}}\) is defined using an \(\ell_p\) norm. For the most part, in this work we focus on the case of \(p= 1\), but the integer programming (IP) approaches we consider can also be directly applied to the cases of \(p= \infty\) and \(p= 2\), with the caveat that when using an \(\ell_2\) norm, the resulting IP formulations we consider become integer (convex) quadratic programs, as opposed to integer linear programs.

This paper contributes to the literature exploring IP methods to solve the BNN verification problem. IP methods to solve the BNN verification problem can be implemented by solving 1 to optimality – we refer to this as the BNN verification optimization problem. However, to verify a BNN, the process of solving 1 can be terminated as soon as the sign of \(z^*_\epsilon(\bar{\mathbf{x}})\) is determined. Specifically, the solution process of 1 can be terminated when a feasible solution with a positive objective value is found, or a non-positive upper bound for the optimal objective value is obtained. If we terminate an optimization algorithm for solving 1 according to this condition, we refer to this as the BNN verification problem.

Our first contribution is to present a new way for obtaining a linear objective of the BNN verification problem by creating a single optimization problem that incorporates the decision of which alternative class a perturbed feature vector is misclassified as, rather than considering each alternative class separately. Our second contribution is to describe a new technique for generating valid inequalities for the IP formulation by exploiting the recursive structure of BNNs. These valid inequalities, called layerwise derived valid inequalities, are generated by considering one layer at a time and solving IP subproblems to check validity among a set of natural candidate inequalities. While deriving these valid inequalities requires solving IP subproblems, these IP subproblems are much easier to solve than the full BNN verification problem because they consider only a single layer at a time and do not include any of the “big-\(M\)” constraints required for the IP formulation of the BNN verification problem.

[6] study the problem of attacking a BNN, which is equivalent to the BNN verification problem. They present a mixed-integer linear programming (MILP) formulation of the problem and propose a heuristic for generating solutions that works by propagating a target from the last layer to the first layer by solving a single-layer MILP at each step. This approach is proven to be successful at finding successful attacks (i.e., showing an input \(\bar{x}\) cannot be \(\epsilon\)-verified) but cannot positively verify a solution. Interestingly, our method also proceeds in layers, but from the initial layer forwards, and its strength is in being able to \(\epsilon\)-verify inputs. [7] also study the MILP formulation of the BNN verification problem and study the convex hull for a single neuron to improve this MILP formulation. [8] extended Han and Gómez’s work by exploring the convex hull for a pair of neurons in the same hidden layer. Using this convex hull, they proposed a constraint generation framework to solve the MILP problem for the BNN verification problem. In related work on feedforward (not binarized) neural networks, [9] addressed the problem of verifying such networks. They formulated this problem as an MILP problem and exploited the idea of fixing variables to solve this MILP problem. Our layerwise derived valid inequalities represent an adaptation and extension of this approach to the BNN setting.

Another approach for solving the BNN verification problem is to formulate it as a Boolean satisfiability problem ([10][13]). These papers formulated the condition that \(\bar{\mathbf{x}}\) can be \(\epsilon\)-verified in a given BNN with Boolean formulas in the case that the maximum perturbation from \(\bar{\mathbf{x}}\) is defined using an \(\ell_\infty\) norm. [14] explored a different method for solving the BNN verification problem by describing the set of all feasible output vectors or an overapproximation of this set as a star set and checking whether this star set contains an output vector from a perturbed feature vector misclassified by the BNN. This work also handles the case that the maximum perturbation is defined using an \(\ell_\infty\) norm. [15] and [16] addressed a different problem of counting the number of perturbed feature vectors misclassified by the BNN in the case that the maximum perturbation is defined using an \(\ell_1\) norm. We focus on the IP approach due to its inherent flexibility, for example, in easily adapting the set of allowed perturbations from \(\bar{\mathbf{x}}\) to be defined by an \(\ell_1\), \(\ell_2\), or \(\ell_\infty\) norm, and to investigate and extend the limits of the IP approach.

While our work focuses on verifying a given BNN after it has been trained, for completeness, we briefly mention some methods for training BNNs. [1] trained BNNs by using a gradient descent method similar to the training of feedforward neural networks, and [17] trained BNNs by using a pseudo-gradient method. [18] and [19] trained BNNs by solving constraint programming or mixed integer programming problems. To improve training BNNs, [20] applied activation scaling, and [21] applied activation approximation.

Finally, we mention that the BNN verification problem is closely related to the problem of finding counterfactual explanations for such networks. Counterfactual explanations seek to find a feature vector that is as close as possible to a given feature vector while leading to a specific alternative desired prediction ([22], [23]). Recently, counterfactual explanations for several machine learning prediction models, including k-nearest neighbors, have been explored ([24], [25]). A method for solving the BNN verification problem can be used to solve the counterfactual explanation problem by conducting a binary search to (approximately) find the smallest \(\epsilon\) such that the feature is classified as a target class.

This paper is organized as follows. In Section 2, we introduce an existing IP formulation of the BNN verification problem and describe methods for obtaining linear constraints and a linear objective in this IP formulation, including our method for obtaining a linear objective by incorporating the decision of which alternative class a perturbed feature vector is misclassified into a single optimization problem. In Section 3, we describe our technique for deriving layerwise derived valid inequalities and our approach for using these valid inequalities to solve the BNN verification problem. We present the results of a computational study in Section 4 and conclude with a discussion of potential future directions in Section 5.

Notation. We use \([M]\) to represent the set \(\{1, \ldots, M\}\) for \(M \in \mathbb{N}\).

2 IP Formulations↩︎

To obtain an IP formulation for problem 1 , \(\mathbf{x}^0 \in \frac{1}{q} \mathbb{Z}_+^{n^0} \cap [0, 1]^{n^0}\) is defined as a vector of the decision variables that represent a perturbed feature vector, and \(\mathbf{x}^\ell\in \{0, 1\}^{n^\ell}\) is defined as the vector of decision variables that represent the output of the \(\ell^{\mathrm{th}}\) hidden layer for \(\ell\in [L]\), which is obtained recursively from \(\mathbf{x}^{\ell- 1}\) as explained in the following paragraphs. Also, \(X^0\) is defined as the set of all perturbed feature vectors to verify over: \[X^0 = \Big\{\mathbf{x}^0 \in \frac{1}{q} \mathbb{Z}_+^{n^0} \cap [0, 1]^{n^0}: \lVert\mathbf{x}^0 - \bar{\mathbf{x}}\rVert_p \le \epsilon\Big\}.\]

The usual description of a BNN describes the output of each neuron as \(+1\) or \(-1\). In order to derive an IP formulation that can be directly solved by IP solvers, we will instead encode the outputs with binary (\(0/1\)) valued variables. Given a binary output vector \(\mathbf{x}^{\ell-1}\), it can be converted to a \(+1/-1\) valued vector via the transformation \(2 \mathbf{x}^{\ell-1} - \mathbf{1}\). Thus, for each layer \(\ell\in [L+ 1]\), the first component of BNN propagation is to multiply the input \(2 \mathbf{x}^{\ell- 1} - \mathbf{1}\) with \(\mathbf{W}^\ell\) and add \(\mathbf{b}^\ell\). We introduce the notation \(a^\ell= (a_1^\ell, \ldots, a_{n^\ell}^\ell)\) for this affine function of \(\mathbf{x}^{\ell- 1}\): \[a^\ell(\mathbf{x}^{\ell- 1}) = \mathbf{W}^\ell(2 \mathbf{x}^{\ell- 1} - \mathbf{1}) + \mathbf{b}^\ell.\] Then, the output of each each \(\ell\in [L]\) is obtained from its input \(\mathbf{x}^{\ell- 1}\) via the transformation \[\mathbf{x}^\ell= \mathtt{1}_{\mathbb{R}_+}(a^\ell(\mathbf{x}^{\ell- 1})),\] where \(\mathtt{1}_{\mathbb{R}_+}\) is the indicator function mapping non-negative numbers to \(1\) and negative numbers to \(0\).1

Applying \(a^\ell\) and \(\mathtt{1}_{\mathbb{R}_+}\) alternately \(L\) times and \(a^{L+ 1}\) lastly results in \(f\). Thus, \(f\) can be written as follows: \[f(\mathbf{x}^0) = a^{L+ 1}(\mathtt{1}_{\mathbb{R}_+}(a^L(\mathtt{1}_{\mathbb{R}_+}(a^{L- 1}( \cdots \mathtt{1}_{\mathbb{R}_+}(a^1(\mathbf{x}^0)) \cdots ))))).\]

Using these observations, 1 can be written as the following (nonlinear) IP problem:

|s| ^0, …, ^L {a_t^L+ 1(^L) - a_|t^L+ 1(^L): tN^L+ 1 {|t}}

2.1 Constraint Formulation↩︎

The layer propagation constraints [eq:origFormPropConstr] and the input perturbation constraint [eq:origFormXInpVar] include nonlinear constraints in their description. We review how these constraints can be reformulated using linear constraints in order to obtain a linear IP formulation.

2.1.1 Layer Propagation Constraint Formulation↩︎

To formulate the layer propagation constraints [eq:origFormPropConstr] with linear constraints, the following constants are defined for \(\ell\in [L]\) and \(i\in N^\ell\): \[\begin{align} &\mathrm{LB}_i^\ell:= \sum_{j\in N^{\ell- 1}} (W_{ij}^\ell- |W_{ij}^\ell|)\\ &\mathrm{UB}_i^\ell:= \sum_{j\in N^{\ell- 1}} (W_{ij}^\ell+ |W_{ij}^\ell|)\\ &R_i^\ell:= \begin{cases} \frac{2}{q} \bigg\lceil\frac{q(\sum_{j\in N^0} W_{ij}^1 - b_i^1)}{2}\bigg\rceil - \frac{1}{q} & (\ell= 1)\\ 2 \bigg\lceil\frac{\sum_{j\in N^{\ell- 1}} W_{ij}^\ell- b_i^\ell}{2}\bigg\rceil - 1 & (\ell\in \{2, \ldots, L\}) .\end{cases}. \end{align} \label{eq:const}\tag{2}\] Since \(W_{ij}^\ell\in \{-1, 0, 1\}\) it follows that for any \(\mathbf{x}^{\ell- 1} \in [0, 1]^{n^{\ell- 1}}\) \[\mathrm{LB}_i^\ell \leq 2 \sum_{j\in N^{\ell- 1}} W_{ij}^\ell x_j^{\ell- 1} \leq \mathrm{UB}_i^\ell.\] The following lemma describes how the layer propagation constraints can be modeled with linear constraints. This extends the formulation of [7], which assumes \(W_{ij}^\ell\in \{-1, 1\}\) and \(b_i^\ell= 0\). The proof is in the Appendix.

lemmalinpropconstr Each \((\mathbf{x}^0, \mathbf{x}^1) \in X^0 \times \{0, 1\}^{n^1}\) satisfies [eq:origFormPropConstr] for \(\ell=1\) if and only if it satisfies the following inequalities: \[\begin{align} &2 \sum_{j\in N^0} W_{ij}^1 x_j^0 \ge \Big(R_i^1 - \mathrm{LB}_i^1 + \frac{1}{q}\Big)x_i^1 + \mathrm{LB}_i^1, \quad \forall i\in N^1,\tag{3}\\ &2 \sum_{j\in N^0} W_{ij}^1 x_j^0 \le \Big(\mathrm{UB}_i^1 - R_i^1 + \frac{1}{q}\Big)x_i^1 + \Big(R_i^1 - \frac{1}{q}\Big), \quad \forall i\in N^1.\tag{4} \end{align}\] For \(\ell\in \{2, \ldots, L\}\), \((\mathbf{x}^{\ell- 1}, \mathbf{x}^\ell) \in \{0, 1\}^{n^{\ell- 1}} \times \{0, 1\}^{n^\ell}\) satisfies [eq:origFormPropConstr] if and only if it satisfies the following inequalities: \[\begin{align} &2 \sum_{j\in N^{\ell- 1}} W_{ij}^\ell x_j^{\ell- 1} \ge (R_i^\ell- \mathrm{LB}_i^\ell+ 1)x_i^\ell+ \mathrm{LB}_i^\ell, \quad \forall i\in N^\ell,\tag{5}\\ &2 \sum_{j\in N^{\ell- 1}} W_{ij}^\ell x_j^{\ell- 1} \le (\mathrm{UB}_i^\ell- R_i^\ell+ 1)x_i^\ell+ (R_i^\ell- 1), \quad \forall i\in N^\ell.\tag{6} \end{align}\]

Thus, the nonlinear constraints [eq:origFormPropConstr] can be replaced with the linear constraints 3 - 6 .

2.1.2 Input Perturbation Constraint Formulation↩︎

The input perturbation constraint [eq:origFormXInpVar] can be formulated by defining the integer-valued decision variable \(y_i\) to represent \(qx_i^0\), for \(i\in N^0\). Then, \(\mathbf{x}^0 \in X^0\) if and only if \(\mathbf{x}^0 \in \mathbb{R}_+^{n^0}\), and there exist \(\mathbf{y}\in \mathbb{Z}_+^{n^0}\) satisfying the following constraints: \[\begin{align} &\mathbf{y}= q\mathbf{x}^0,\tag{7}\\ &\mathbf{y}\le q\mathbf{1},\tag{8}\\ &\lVert\mathbf{x}^0 - \bar{\mathbf{x}}\rVert_p \le \epsilon.\tag{9} \end{align}\] In the case of \(p= 1\) or \(p= \infty\), 9 can be formulated with linear constraints using standard techniques. In the case of \(p= 2\), 9 can be formulated as a convex quadratic constraint.

2.2 Objective Formulation↩︎

Finally, to obtain a linear IP formulation of [eq:origForm] we explore two methods to obtain a linear objective.

The first approach, which has been used in [7], [8], is to consider separately each alternative class \(t\in N^{L+ 1} \setminus \{\bar{t}\}\). Each such class \(t\) results in the following IP problem with linear objective:

|s| a_t^L+ 1(^L) - a_|t^L+ 1(^L) z^*_(|, t) =

The optimal solution of [eq:origForm] can be obtained by solving [eq:indivForm] for each \(t\in N^{L+ 1} \setminus \{\bar{t}\}\) and choosing \(t\) that achieves the maximum of \(z^*_\epsilon(\bar{\mathbf{x}}, t)\).

For problems with more than two classes, we propose an alternative approach for obtaining a linear objective which directly includes the choice of the alternative class \(t\) in the formulation, thereby avoiding the need to solve [eq:indivForm] for each \(t\in N^{L+ 1} \setminus \{\bar{t}\}\). Thus, for each \(t\in N^{L+ 1} \setminus \{\bar{t}\}\) let \(z_t\in \{0, 1\}\) be a decision variable indicating whether \(t\) is selected as the alternative class, and for each \(i\in N^L\) let \(v_{ti} \in \{0, 1\}\) be a decision variable that is used to represent the product \(z_tx_i^L\). The proof of the following lemma is in the appendix.

Lemma 1. The following IP problem is equivalent to [eq:origForm]:

|s| _tN^L+ 1 {|t} _iN^L 2(W_ti^L- W_|ti^L)v_ti

2.3 Valid Inequalities for Neurons↩︎

[7] explored the following convex hull for a single neuron for \(\ell\in \{2, \ldots, L\}\) and \(i\in N^\ell\) in the case of \(\mathbf{b}^\ell= \mathbf{0}\): \[\mathrm{conv}(\{(\mathbf{x}^{\ell- 1}, x_i^\ell) \in \{0, 1\}^{n^{\ell- 1}} \times \{0, 1\}: x_i^\ell= \mathtt{1}_{\mathbb{R}_+}(a_i^\ell(\mathbf{x}^{\ell- 1}))\}). \label{eq:singleConvHull}\tag{10}\]

In the following theorem, we extend the results in [7] to a general case where \(\mathbf{b}^\ell\) are not necessarily zero. This theorem is proved in the Appendix.

Theorem 1. For \(\ell\in \{2, \ldots, L\}\) and \(i\in N^\ell\), 10 is the set of \((\mathbf{x}^{\ell- 1}, x_i^\ell) \in [0, 1]^{n^{\ell- 1}} \times [0, 1]\) satisfying the following inequalities for \(J\subset \{j\in N^{\ell- 1}: W_{ij}^\ell\ne 0\}\): \[\label{eq:singleConvHullIneq} \begin{align} &\sum_{j\in J} (W_{ij}^\ell(2 x_j^{\ell- 1} - 1) - (2 x_i^\ell- 1)) \ge (R_i^\ell- \mathrm{UB}_i^\ell+ 1)x_i^\ell,\label{eq:singleConvHullLowerBoundIneq}\\ &\sum_{j\in J} (W_{ij}^\ell(2 x_j^{\ell- 1} - 1) - (2 x_i^\ell- 1)) \le (R_i^\ell- \mathrm{LB}_i^\ell- 1)(-x_i^\ell+ 1).\label{eq:singleConvHullUpperBoundIneq} \end{align}\] {#eq: sublabel=eq:eq:singleConvHullIneq,eq:eq:singleConvHullLowerBoundIneq,eq:eq:singleConvHullUpperBoundIneq}

Since the number of inequalities described in this theorem grows exponentially with the number of nodes in a hidden layer, these would be used to improve the LP relaxation of the formulation [eq:incorpForm] by adding them via a cutting plane procedure.

[8] extended [7] by investigating the following convex hull for a pair of neurons in the same hidden layer for \(\ell\in \{2, \ldots, L\}\) and \(i, k\in N^\ell\) satisfying \(i< k\) in the case where \(n^{\ell- 1}\) is an even integer larger than \(2\), every entry in \(\mathbf{W}^\ell\) is nonzero, and \(\mathbf{b}^\ell= 0\): \[\mathrm{conv}(\{(\mathbf{x}^{\ell- 1}, x_i^\ell, x_k^\ell): \mathbf{x}^{\ell- 1} \in \{0, 1\}^{n^{\ell- 1}}, x_i^\ell= \mathtt{1}_{\mathbb{R}_+}(a_i^\ell(\mathbf{x}^{\ell- 1})), x_k^\ell= \mathtt{1}_{\mathbb{R}_+}(a_k^\ell(\mathbf{x}^{\ell- 1}))\}).\] In this work, a relaxation IP problem to the IP problem [eq:indivForm] is solved for a fixed alternative class \(t\in N^{L+ 1}\) to tackle the BNN verification problem. This computational study shows some improvement in the optimal objective value of the LP relaxation of the IP formulation compared to [7], but this does translate to significant improvement in the ability to solve the BNN verification problem.

3 Layerwise Derived Valid Inequalities↩︎

We explore an alternative approach for deriving valid inequalities for [eq:indivForm] that is based on recursively approximating the set of “reachable vectors” at each layer.

Starting from \(X^0\), \(X^\ell\) is defined recursively as follows for \(\ell\in [L]\): \[X^\ell= \mathtt{1}_{\mathbb{R}_+}(a^\ell(X^{\ell- 1})).\] Then, \(X^\ell\) is the set of all output vectors of layer \(\ell\) that can be obtained from a perturbed input vector in the set \(X^0\). Since the objective [eq:origFormObj] only depends on \(\mathbf{x}^L\), [eq:origForm] can be formulated as the following IP problem:

|s| ^L {a_t^L+ 1(^L) - a_|t^L+ 1(^L): tN^L+ 1 {|t}}

The above IP problem implies that [eq:origForm] can be solved with access to a description for \(X^L\), which motivates studying valid inequalities for this set. We observe that valid inequalities for \(X^\ell\) can be obtained using a relaxation of the set \(X^{\ell-1}\) since \(X^\ell= \mathtt{1}_{\mathbb{R}_+}(a^\ell(X^{\ell- 1}))\). Since a full description for \(X^0\) is given, this motivates an iterative approach in which we derive valid inequalities for the set \(X^{\ell}\) based on an outer approximation of the set \(X^{\ell-1}\) for \(\ell=2,\ldots,L\). We refer to such inequalities as layerwise derived valid inequalities.

3.1 Variable Fixing↩︎

We first investigate layerwise derived valid inequalities for \(X^\ell\) for \(\ell\in [L]\) of the form \[x_i^\ell= \frac{1-c_i}{2} \label{eq:varFix}\tag{11}\] for \(i\in N^\ell\) and \(c_i\in \{-1, 1\}\). In the case of \(c_i= -1\), 11 is equivalent to \(x_i^\ell= 1\) and 11 is equivalent to \(x_i^\ell= 0\) in the case of \(c_i= 1\). For these reasons, valid equalities for \(X^\ell\) of the form 11 are called variable fixings. This idea of identifying variable fixings is related to the work of [9] who apply a similar technique to fix binary variables in the IP formulation of the feedforward neural network verification problem.

Our approach is to consider each equality of the form 11 and determine if it is a valid equality. The following theorem describes an IP problem that can be solved to determine validity of such an equality.

Theorem 2. Consider \(\ell\in [L]\), \(i\in N^\ell\), and \(c_i\in \{-1, 1\}\). Let \(X_{\mathrm{out}}^{\ell- 1} \subset \{0, 1\}^{n^{\ell- 1}}\) satisfy \(X_{\mathrm{out}}^{\ell- 1} \supseteq X^{\ell- 1}\) and define \[z^*= \max\Big\{c_i\sum_{j\in N^{\ell- 1}} W_{ij}^\ell x_j^{\ell- 1}: \mathbf{x}^{\ell- 1} \in X_{\mathrm{out}}^{\ell- 1}\Big\} .\label{eq:varFixForm}\qquad{(1)}\] If \(z^*\le c_iR_i^\ell/2\), where \(R_i^\ell\) is defined in 2 , then 11 is a valid equality for \(X^{\ell}\).

The details are described in Section 3.3, but to preview this, the idea is to use Theorem 2 to obtain outer approximations of the sets \(X^\ell\) by setting \(X_{\mathrm{out}}^0\) as \(X^0\), and then recursively using the theorem to derive valid inequalities to define valid inequalities to define \(X_{\mathrm{out}}^{\ell}\) based on the previously determined \(X_{\mathrm{out}}^{\ell-1}\) for \(\ell=1,\ldots,L\).

To prove this theorem, we use the following lemma.

Lemma 2. Consider \(\ell\in [L]\), \(i\in N^\ell\), and \(c_i\in \{-1, 1\}\). Then \(\mathbf{x}^{\ell-1} \in \{0, 1\}^{n^{\ell- 1}}\) satisfies \(c_i\sum_{j\in N^{\ell- 1}} W_{ij}^\ell x_j^{\ell- 1} \le c_iR_i^\ell/2\) if and only if \(\mathtt{1}_{\mathbb{R}_+}(a_i^\ell(\mathbf{x}^{\ell- 1})) = \frac{1-c_i}{2}\).

Proof. Proof. In the case of \(c_i= -1\), the following statements hold for \(\ell= 1\): \[\begin{align} &2 c_i\sum_{j\in N^0} W_{ij}^1 x_{j}^0 \le c_iR_i^1,&\\ \Leftrightarrow\quad &2 \sum_{j\in N^0} W_{ij}^1 x_{j}^0 \ge R_i^1,&\\ \Leftrightarrow\quad &2 \sum_{j\in N^0} W_{ij}^1 x_{j}^0 \ge R_i^1 + \frac{1}{q},\quad &(2 \sum_{j\in N^0} W_{ij}^1 x_j^0, R_i^1 + \frac{1}{q} \in \frac{2}{q}\mathbb{Z})\\ \Leftrightarrow\quad &2 \sum_{j\in N^0} W_{ij}^1 x_{j}^0 \ge \sum_{j\in N^0} W_{ij}^1 - b_i^1,\quad &(\text{R_i^1 + \frac{1}{q} is the smallest element of \frac{2}{q} \mathbb{Z}}\\ &&\text{not smaller than \sum_{j\in N^0} W_{ij}^1 - b_i^1})\\ \Leftrightarrow\quad &a_i^1(\mathbf{x}^0) \ge 0,&\\ \Leftrightarrow\quad &\mathtt{1}_{\mathbb{R}_+}(a_i^1(\mathbf{x}^0)) = 1 = \frac{1-c_i}{2}.& \end{align}\] For \(\ell\in \{2, \ldots, L\}\), the same arguments hold because \(2 \sum_{j\in N^{\ell- 1}} W_{ij}^\ell x_j^{\ell- 1}\) and \(R_i^\ell+ 1\) are even integers, and \(R_i^\ell+ 1\) is the smallest even integer not smaller than \(\sum_{j\in N^{\ell- 1}} W_{ij}^\ell- b_i^\ell\).

In the case of \(c_i= 1\), the following statements hold for \(\ell= 1\): \[\begin{align} &2 c_i\sum_{j\in N^0} W_{ij}^1 x_{j}^0 \le c_iR_i^1,&\\ \Leftrightarrow\quad &2 \sum_{j\in N^0} W_{ij}^1 x_{j}^0 \le R_i^1,&\\ \Leftrightarrow\quad &2 \sum_{j\in N^0} W_{ij}^1 x_{j}^0 < R_i^1 + \frac{1}{q},\quad &(2 \sum_{j\in N^0} W_{ij}^1 x_j^0, R_i^1 + \frac{1}{q} \in \frac{2}{q} \mathbb{Z})\\ \Leftrightarrow\quad &2 \sum_{j\in N^0} W_{ij}^1 x_{j}^0 < \sum_{j\in N^0} W_{ij}^1 - b_i^1,\quad &(\text{R_i^1 + \frac{1}{q} is the smallest element in \frac{2}{q} \mathbb{Z}}\\ &&\text{not smaller than \sum_{j\in N^0} W_{ij}^1 - b_i^1})\\ \Leftrightarrow\quad &a_i^1(\mathbf{x}^0) < 0,&\\ \Leftrightarrow\quad &\mathtt{1}_{\mathbb{R}_+}(a_i^1(\mathbf{x}^0)) = 0 = \frac{1-c_i}{2}.& \end{align}\] For \(\ell\in \{2, \ldots, L\}\), the same arguments hold because \(2 \sum_{j\in N^{\ell- 1}} W_{ij}^\ell x_j^{\ell- 1}\) and \(R_i^\ell+ 1\) are even integers, and \(R_i^\ell+ 1\) is the smallest even integer not smaller than \(\sum_{j\in N^{\ell- 1}} W_{ij}^\ell- b_i^\ell\). \(\square\) ◻

Although checking whether a variable fixing is valid requires solving the IP ?? , this IP is much easier to solve than the original verification IP as it considers only a single layer at a time and the constraints defining the outer approximation of \(X^{\ell- 1}\) do not involve any “big-\(M\)” constraint ?? . Furthermore, it can be solved very efficiently for certain structures of \(X_{\mathrm{out}}^{\ell-1}\) as discussed in the following paragraphs.

First, consider the case \(\ell\in \{2, \ldots, L\}\) and assume \(X_{\mathrm{out}}^{\ell- 1}\) is defined only by variable fixings, e.g., as is the case if it is defined recursively only the result of Theorem 2. Then, ?? can be solved by setting \(x_j^{\ell- 1}\) to \(1\) if \(c_iW_{ij}^\ell= 1\) and the variable \(x_{j}^{\ell-1}\) is not fixed in \(X_{\mathrm{out}}^{\ell- 1}\), and setting all other unfixed variables to \(0\).

For \(\ell= 1\), the special form of the set \(X^0\) also allows ?? to be solved efficiently. We describe here how this is done for the case \(p= 1\). The methods for solving ?? for the cases \(p=2\) and \(p=\infty\) are described in Appendix 6.4. For \(p=1\), the following inequality holds because \(\mathbf{x}^0 \in [0, 1]^{n^0}\): \[\label{eq:ubcx} c_i\sum_{j\in N^0} W_{ij}^1 x_j^0 \le \sum_{j\in N^0} \max(c_iW_{ij}^1, 0).\tag{12}\] Inequality 12 is satisfied at equality by \(\hat{\mathbf{x}}\) defined by \(\hat{x}_j=\bar{x}_j\) for \(j\) with \(W_{ij}^1 = 0\), \(\hat{x}_j=1\) for \(j\) with \(W_{ij}^1 = c_i\), and \(\hat{x}_j=0\) for \(j\) with \(W_{ij}^1 = \;-c_i\). If \(\|\hat{\mathbf{x}}- \bar{\mathbf{x}}\|_1 \le \epsilon\), \(\hat{\mathbf{x}}\in X^0\), so the optimal objective value is \(\sum_{j\in N^0} \max(c_iW_{ij}^1, 0)\). Otherwise, by iteratively decreasing \(\hat{x}_j\) by \(\frac{1}{q}\) for \(j\) with \(W_{ij}^1=c_i\) and \(\hat{x}_j > \bar{x}_j\) or increasing \(\hat{x}_j\) by \(\frac{1}{q}\) for \(j\) with \(W_{ij}^1=-c_i\) and \(\hat{x}_j < \bar{x}_j\) we can obtain a solution \(\mathbf{x}^* \in X^0\) satisfying \(\|\mathbf{x}^* - \bar{\mathbf{x}}\|_1 = \frac{1}{q}\lfloor q\epsilon\rfloor\), \(x^*_j=\bar{x}_{j}\) for \(j\) with \(W_{ij}^1 = 0\), \(x^*_j>\bar{x}_{j}\) for \(j\) with \(W_{ij}^1 = c_i\), and \(x^*_j< \bar{x}_{j}\) for \(j\) with \(W_{ij}^1 = -c_i\). The following inequalities are satisfied by every \(\mathbf{x}\in X^0\) and hold at equality for \(\mathbf{x}^*\): \[\begin{align} c_i\sum_{j\in N^0} W_{ij}^1 x_j^0 &= \sum_{j\in N^0} c_iW_{ij}^1 (x_j^0 - \bar{x}_j) + c_i\sum_{j\in N^0} W_{ij}^1 \bar{x}_j&\\ &\le \sum_{j\in N^0} |x_j^0 - \bar{x}_j| + c_i\sum_{j\in N^0} W_{ij}^1 \bar{x}_j&(c_iW_{ij}^1 \in \{-1, 0, 1\} )\\ &\le \frac{1}{q}\lfloor q\epsilon\rfloor + c_i\sum_{j\in N^0} W_{ij}^1 \bar{x}_j& \end{align}\] where the last inequality follows because \(\sum_{j\in N^0} |x_j^0 - \bar{x}_j| = \|\mathbf{x}^0 - \bar{\mathbf{x}}\|_1 \le \epsilon\) and \(\sum_{j\in N^0} |x_j^0 - \bar{x}_j|\) is a multiple of \(\frac{1}{q}\). It follows that the optimal objective value of ?? in this case is \(\frac{1}{q}\lfloor q\epsilon\rfloor + c_i\sum_{j\in N^0} W_{ij}^1 \bar{x}_j\) and this value is achieved by \(\mathbf{x}^*\).

3.2 Two-variable Inequalities↩︎

We next seek to derive sufficient conditions for inequalities of the following form to be valid inequalities for \(X^\ell\) for \(\ell\in [L]\): \[c_ix_i^\ell+ c_kx_k^\ell\le \frac{c_i+ c_k}{2}, \label{eq:twoVarIneq}\tag{13}\] for \(i, k\in N^\ell\) satisfying \(i> k\), and \(c_i, c_k\in \{-1, 1\}\). The following theorem presents an IP that yields a sufficient condition for 13 to be a valid inequality for \(X^\ell\).

Theorem 3. Consider \(\ell\in [L]\), \(i, k\in N^\ell\) satisfying \(i< k\), and \(c_i, c_k\in \{-1, 1\}\). Let \(X_{\mathrm{out}}^{\ell- 1} \subset \{0, 1\}^{n^{\ell- 1}}\) satisfy \(X_{\mathrm{out}}^{\ell- 1} \supseteq X^{\ell- 1}\) and define \[z^*= \max\Big\{ c_i\sum_{j\in N^{\ell- 1}} W_{ij}^\ell x_j^{\ell- 1}: \mathbf{x}^{\ell- 1} \in X_{\mathrm{out}}^{\ell- 1}, c_k\sum_{j\in N^{\ell- 1}} W_{kj}^\ell x_j^{\ell- 1} \ge c_kR_k^\ell/2 \Big\} .\label{eq:twoVarIneqForm}\qquad{(2)}\] If \(z^*\le c_iR_i^\ell/2\), where \(R_i^\ell\) is defined in 2 , then 13 is a valid inequality for \(X^\ell\).

Proof. Proof. Let \(\mathbf{x}^\ell\in X^{\ell}\) and let \(\mathbf{x}^{\ell-1} \in X^{\ell-1}\) be such that \(\mathbf{x}^{\ell}=\mathtt{1}_{\mathbb{R}_+}(a^\ell(\mathbf{x}^{\ell- 1}))\) and observe \(\mathbf{x}^{\ell-1} \in X_{\mathrm{out}}^{\ell-1}\) since \(X_{\mathrm{out}}^{\ell-1} \supseteq X^{\ell-1}\).

Observe that for a binary variable \(x\) and \(c \in \{-1,1\}\), it holds that \(cx\in \{ \frac{c+1}{2},\frac{c-1}{2} \}\).

Suppose that \(c_k x^\ell_k = \frac{c_k-1}{2}\). Then, \[c_i x^\ell_i+ c_k x^\ell_k\leq \frac{c_i+1}{2} + \frac{c_k-1}{2} = \frac{c_i + c_k}{2}\] and hence 13 is satisfied.

Thus, assume now that \(c_k x_k^\ell = \frac{c_k+1}{2}\), and hence \(x_k^\ell = \frac{c_k + 1}{2}\) because \(c_k \in \{-1,1\}\). Then Lemma 2 implies \[c_k\sum_{j\in N^{\ell- 1}} W_{kj}^\ell x_j^{\ell- 1} > c_kR_k^\ell/2\] and hence \(\mathbf{x}^{\ell-1}\) is feasible to ?? . Hence, \[c_i\sum_{j\in N^{\ell- 1}} W_{ij}^\ell x_j^{\ell- 1} \leq z^*\le c_iR_i/2\] which again by Lemma 2 implies \[x^{\ell}_i= \mathtt{1}_{\mathbb{R}_+}(a_i^\ell(\mathbf{x}^{\ell- 1})) = \frac{1-c_i}{2}.\] Thus, \(c_{i}x^{\ell}_{i} = \frac{c_i-1}{2}\) and hence \[c_i x^\ell_i+ c_k x^\ell_k= \frac{c_i-1}{2} + \frac{c_k+1}{2} = \frac{c_i + c_k}{2}\] and hence gain 13 is satisfied. \(\square\) ◻

Once again, solving 13 is expected to be much simpler than solving the original verification problem as it only includes the constraints defining the outer approximation of \(X^{\ell- 1}\) and one other constraint and does not contain any “big-\(M\)” constraints.

3.3 Algorithms↩︎

We now describe how we propose to use the layerwise derived valid inequalities to solve the IP problem for BNN verification.

Figure 1: \mathrm{VerifyBnn}(\bar{\mathbf{x}}, \epsilon)

Our proposed method is described in Algorithm 1. The algorithm consists of two phases. In the first phase, we only try to fix variables, since in this case the validity verification problem ?? is easy to solve. This is described in lines [p1start] - [p1end], where variable fixings are identified by calling Algorithm 2 for each \(\ell\in [L]\), which outputs an outer approximation for \(X^\ell\) (\(X_{\mathrm{out}}^\ell\)) based on fixing variables in the set \(N_{\mathrm{fix}}^\ell\subseteq N^\ell\). Then, the generated variable fixings are added to the IP formulation [eq:incorpForm] as constraints and [eq:incorpForm] is solved by an IP solver with a limit of one node (i.e., the IP solver only processes the root node of the branch-and-bound tree). If the IP solver solves the verification problem within that limit (e.g., by finding a feasible solution with positive objective value or proving a non-positive upper bound), then it returns the result accordingly. Otherwise, Algorithm 1 moves to the second phase. In this phase, two-variable inequalities are generated by Algorithm 4 for \(\ell\in [L]\) and additional variable fixings are checked, which may be possible due to the improved outer approximations defined by the two-variable inequalities. For layers \(\ell\in \{2,\ldots,L\}\), Algorithm 4 outputs an outer approximation \(X_{\mathrm{out}}^\ell\) that is potentially a subset of the one generated in the first phase. The inequalities defining these outer approximations are added to the IP formulation [eq:incorpForm] and it is solved. In order to answer the verification question, it is only necessary to determine the sign of the optimal value of [eq:incorpForm]. Thus, when solving [eq:incorpForm] the process can be terminated if either the best objective value of a feasible solution found is positive or the best upper bound for the optimal objective value is non-positive.

Figure 2: \mathrm{PhaseOneFixVar}(\ell, X_{\mathrm{in}}, X_{\mathrm{out}}^{\ell- 1})
Figure 3: \mathrm{PhaseTwoFixVar}(\ell, X_{\mathrm{in}}, X_{\mathrm{out}}^{\ell- 1}, N_{\mathrm{fix}}^\ell, X_{\mathrm{out}}^\ell)
Figure 4: \mathrm{GenTwoVarIneq}(\ell, X_{\mathrm{in}}, X_{\mathrm{out}}^{\ell- 1}, N_{\mathrm{fix}}^\ell, X_{\mathrm{out}}^\ell)

Algorithms 2, 3, and 4 generate variable fixings in phase 1, variable fixings in phase 2, and two-variable inequalities, respectively. These algorithms check whether each candidate layerwise derived valid inequality is valid for \(X^{\ell}\) by solving the IP subproblem ?? or 13 . When solving these IP subproblems, if the upper bound on the optimal objective value falls below \(c_iR_i^\ell/2\) the optimization process is terminated since we then know the candidate inequality is valid. On the other hand, if the lower bound (incumbent objective value) exceeds \(c_iR_i^\ell/2\), the optimization process is terminated since we can then conclude that we are not able to verify validity of the candidate inequality. In Algorithms 2 and 3, the neuron fixed by the candidate is added to \(N_{\mathrm{fix}}^\ell\) because this set is exploited in Algorithms 3 and 4 to retrieve candidates for layerwise derived valid inequalities.

Figure 5: \mathrm{UpdateInApprox}(\ell, X_{\mathrm{in}}, X_{\mathrm{feas}}^\ell)

To limit the time spent checking validity of candidates, Algorithms 3 and 4 use an inner approximation \(X_{\mathrm{in}}^\ell\) for \(\mathtt{1}_{\mathbb{R}_+}(a^\ell(X_{\mathrm{out}}^{\ell- 1}))\) to detect candidates that will not lead to a valid inequality, and hence avoid solving ?? or 13 for those candidates. For each candidate layerwise derived inequality, if the maximum of the left-hand side over \(X_{\mathrm{in}}^\ell\) is larger than the right-hand side, this candidate is not valid for \(X^{\ell}\), so solving the IP subproblem can be avoided. In Algorithm 1, \(X_{\mathrm{in}}= (X_{\mathrm{in}}^0, \cdots, X_{\mathrm{in}}^L)\) is initialized by propagating the input feature vector \(\bar{\mathbf{x}}\) through the BNN. In Algorithm 2 these sets are expanded by propagating the optimal solution obtained when solving ?? at layer 1 (which are in \(X^0\) by definition) through the BNN, thus yielding solutions in \(X^\ell\) which are added to \(X_{\mathrm{in}}^\ell\) for \(\ell=0,\ldots,L\). In Algorithms 3 and 4, for each layer \(\ell\in \{1,\ldots, L\}\), each time we solve ?? or 13 to check validity of a candidate inequality we collect the set of feasible solutions \(X_{\mathrm{feas}}^{\ell-1}\) obtained by the solver, which by definition are in the set \(X_{\mathrm{out}}^{\ell-1}\). These are then propagated forwarded as \(X_{\mathrm{feas}}^{\ell'} = \mathtt{1}_{\mathbb{R}_+}(a^{\ell'}(X_{\mathrm{feas}}^{\ell' - 1}))\) for \(\ell'=\ell,\ldots,L\) and these sets are added to \(X_{\mathrm{in}}^{\ell'}\). Since the set \(X_{\mathrm{out}}^{\ell-1}\) is completely determined when processing layer \(\ell\) in Algorithm 3, this process ensures that \(X_{\mathrm{in}}^{\ell} \subseteq X_{\mathrm{out}}^{\ell}\) for all \(\ell\), and hence if a candidate valid inequality is violated by a vector in \(X_{\mathrm{in}}^{\ell}\) we can conclude that solving ?? or 13 cannot lead to a verification that the inequality is valid.

As a final strategy to limit the computational time spent solving 13 on candidates that do not yield valid inequalities, Algorithm 4 includes a heuristic stopping rule that quits the process if it seems unlikely to yield more additional valid inequalities. The idea is to check the candidate inequalities in a sequence defined by a score that correlates with how likely they are to yield a valid inequality, and then terminate once the number of consecutive failed attempts exceeds a pre-specified limit ‘\(\mathrm{max\_fail}\)’. The score that we use for a candidate inequality \((i, c_i, k, c_k) \in N_{\mathrm{pair}}^\ell\) also leverages the inner approximations we have built and is defined as: \[\text{score}(i, c_i, k, c_k) = \frac{|\{\hat{\mathbf{x}}^\ell\in X_{\mathrm{in}}^\ell: \hat{x}_i^\ell= \frac{-c_i+ 1}{2}\}|+ |\{\hat{\mathbf{x}}^\ell\in X_{\mathrm{in}}^\ell: \hat{x}_k^\ell= \frac{-c_k+ 1}{2}\}|}{|X_{\mathrm{in}}^\ell|}.\] To understand the intuition for this score, consider the case of \(c_i=c_k=1\), so that the candidate inequality is of the form \(x^\ell_i + x^\ell_k \leq 1\), and the score sums the fraction of solutions in the inner approximation \(X_{\mathrm{in}}^\ell\) which have \(x^\ell_i = 0\) and which have \(x^\ell_k = 0\). A high score suggests most solutions in \(X_{\mathrm{out}}^\ell\) have either \(x^\ell_i = 0\) or \(x^\ell_k = 0\) and hence the candidate inequality might be satisfied. The intuition behind the other cases is similar.

4 Computational Study↩︎

We pursue a computational study to investigate how IP methods work to solve the BNN verification problem for multiple test instances. The following five IP methods are considered in the computational study:

Many-IP and 1-IP are compared to explore the impact of the technique for obtaining a linear objective. The methods 1-IP, 1-IP+HG, 1-IP+Fix, and 1-IP+Fix+2Var are compared to explore the impact of the techniques for generating layerwise derived valid inequalities.

4.1 Test Instances↩︎

Table 1: Networks in computational study
Network \(\mathbf{L}\) \(\mathbf{n^1}\) \(\mathbf{n^2}\) \(\mathbf{n^3}\) \(\mathbf{n^4}\) Error Rate
1 2 100 100 * * 7.53%
2 2 200 100 * * 5.52%
3 2 300 200 * * 4.19%
4 3 100 100 100 * 7.33%
5 3 200 100 100 * 5.08%
6 3 300 200 100 * 3.68%
7 4 200 100 100 100 5.04%
8 4 300 200 100 100 3.46%
9 4 500 300 200 100 2.32%

Unless stated otherwise, the maximum perturbation from \(\bar{\mathbf{x}}\) is defined using an \(\ell_1\) norm in our test instances.

Each test instance in the computational study consists of a BNN, \(\bar{\mathbf{x}}\), and \(\epsilon\). Nine BNNs are trained for the computational study by using [1]’s method based on a gradient descent method with the MNIST train dataset. The MNIST dataset consists of feature vectors representing handwritten digits from 0 to 9, so \(n^{L+ 1} = 10\). These feature vectors are originally 784-dimensional non-negative integer vectors whose coordinates are at most 255, but they are scaled to 784-dimensional non-negative real vectors whose coordinates are at most 1, so \(n^0 = 784\) and \(q= 255\). The number of hidden layers, the number of neurons in hidden layers, and the error rate of each network are reported in Table 1. The error rate of each network is computed as the portion of feature vectors misclassified by this network in the MNIST test dataset.

For each network, we consider 10 instances, defined by 10 different feature vectors \(\bar{\mathbf{x}}\). For each digit from 0 to 9, one feature vector in the MNIST test dataset whose \(\bar{t}\) is this digit is randomly chosen.

Figure 6: Perturbation Selection

For each network and feature vector \(\bar{\mathbf{x}}\), six values are obtained for \(\epsilon\) by employing Algorithm 6 with \(\mathrm{max\_iter}= 6\). Algorithm 6 is a binary search that attempts to find the largest \(\epsilon\) under which \(\bar{\mathbf{x}}\) can be \(\epsilon\)-verified using a given method and time limit in each iteration. In Algorithm 6, if \(\bar{\mathbf{x}}\) is \(\epsilon\)-verified for the current \(\epsilon\), \(\epsilon\) is increased based on the smallest input perturbation \(\epsilon_{\mathrm{UB}}\) under which \(\bar{\mathbf{x}}\) may not be \(\epsilon_{\mathrm{UB}}\)-verified. Otherwise, \(\epsilon\) is decreased to the average of \(\epsilon\) and the largest input perturbation \(\epsilon_{\mathrm{LB}}\) under which \(\bar{\mathbf{x}}\) is \(\epsilon_{\mathrm{LB}}\)-verified. Different IP methods for the BNN verification may result in different sequences of \(\epsilon\) in Algorithm 6 based on their ability to solve the verification problem at a given \(\epsilon\) within the time limit. This approach is used for determining the \(\epsilon\) values in the test instances in order to find challenging instances, i.e., those in which determining whether \(\bar{\mathbf{x}}\) is \(\epsilon\)-verified is nontrivial. The initial value \(\epsilon_{\mathrm{init}}\) is set to \(1\) in the case that the maximum perturbation from \(\bar{\mathbf{x}}\) is defined by an \(\ell_1\) norm, \(\frac{1}{255}\) in the case that the maximum perturbation is defined by \(\ell_\infty\) norm, and \(\frac{1}{32}\) in the case that the maximum perturbation is defined by \(\ell_2\) norm.

4.2 Implementation Details↩︎

In the IP method 1-IP+HG, ?? are generated by solving the LP relaxation problem of the IP problem [eq:incorpForm] and adding violated inequalities ?? and ?? in an iterative manner. In each iteration, for each \(\ell\in \{2, \ldots, L\}\) and \(i\in N^\ell\), an inequality ?? with the largest violation is added to [eq:incorpForm]. Likewise, ?? with the largest violation is added to [eq:incorpForm] as a constraint. This iteration is repeated until either no violated inequalities are found or the optimal objective value of the LP relaxation problem does not improve by 1% over the last 10 iterations. Our test instances are different than those used in [7] (ours have more layers in the BNN and non-binary inputs) and we obtain qualitatively different results than those presented in [7]. Thus, to validate our implementation, in Appendix 6.6 we present results of additional experiments with the method 1-IP+HG on the instances used in [7] which indicates that our implementation achieves qualitatively similar results to what is reported in [7] on those instances.

In the IP method 1-IP+Fix and 1-IP+Fix+2Var, in Algorithm 2, the IP subproblem ?? is solved using the method described at the end of Section 3.1 (i.e., without an IP solver).

In 1-IP+Fix+2Var, two-variable inequalities for the first hidden layer are not generated, and variable fixings for the second hidden layer are not generated in phase 2 because two-variable inequalities for the first hidden layer are unlikely to be generated for the test instances. The networks are dense, and \(\epsilon\) is much smaller than \(n^0 = 784\) in test instances, so for \(i, k\in N^1\) satisfying \(i< k\) and \(c_i, c_k\in \{-1, 1\}\), it is likely to find \(\hat{\mathbf{x}}^0 \in X^0\) where \(2 c_i\sum_{j\in N^0} W_{ij}^1 \hat{x}_j^0\) and \(2 c_k\sum_{j\in N^0} W_{kj}^1 \hat{x}_j^0\) achieve their maximum over \(X^0\). If both \(x_i^1\) and \(x_k^1\) are not fixed, \(\hat{\mathbf{x}}^0\) violates 13 , so two-variable inequalities for the first hidden layer are rarely generated. As a result of not generating two-variable inequalities for the first hidden layer, variable fixings for the second hidden layer cannot be generated in phase 2. We use \(\mathrm{max\_fail}= 100\) as the number of consecutive failures after which we terminate attempting to generate two-variable inequalities.

The time limit for all IP methods is 3600 seconds. In the IP method Many-IP, the time limit to solve the IP problem [eq:indivForm] for each \(t\) is set to 400 seconds because there are nine alternative classes. In 1-IP+HG, 1-IP+Fix, and 1-IP+Fix+2Var, a time limit on the phase for generating valid inequalities of 2700 seconds is imposed. The time limit to solve [eq:incorpForm] after generating the inequalities is set to 3600 seconds subtract the time spent generating valid inequalities. If the time limit is hit, the best upper bound for the optimal objective value is used instead of the best objective value to answer the BNN verification problem because \(\bar{\mathbf{x}}\) is \(\epsilon\)-verified if and only if the best upper bound is non-positive.

All IP methods are implemented in Python, and Gurobi 10.0.3 is used as the IP solver. All experiments in the computational study are run on an Ubuntu desktop with 32 GB RAM and 16 Intel Core i7-10700 CPUs running at 2.90 GHz.

4.3 Results↩︎

We first collect the maximum \(\epsilon\) under which \(\bar{\mathbf{x}}\) is \(\epsilon\)-verified for each IP method, network, and \(\bar{\mathbf{x}}\) in the case that the maximal perturbation from \(\bar{\mathbf{x}}\) is defined using an \(\ell_1\) norm. The maximum \(\epsilon\) is obtained from using Algorithm 6 with \(\mathrm{max\_iter}= 6\). For the same test instance, one IP method may succeed in verifying the BNN, but another IP method fails because it may not be able to verify the BNN within the time limit. As a result, the set of \(\epsilon\) defining the six instances may differ by IP methods for the same network and \(\bar{\mathbf{x}}\), and the maximum \(\epsilon\) may differ.

Table 2: Average maximum \(\epsilon\) under which \(\bar{\mathbf{x}}\) is \(\epsilon\)-verified by each method within the time limit.
Network Many-IP 1-IP 1-IP 1-IP 1-IP
+HG +Fix +Fix
+2Var
1 7.23 7.23 7.23 7.23 7.23
2 6.15 6.48 6.48 6.48 6.48
3 1.60 5.45 5.32 6.28 6.28
4 6.07 6.28 6.28 6.18 6.28
5 5.55 6.35 6.35 6.55 7.35
6 2.95 4.30 3.95 4.43 5.45
7 4.51 5.06 5.06 5.29 6.49
8 2.51 3.89 3.78 3.99 5.28
9 0.64 2.17 2.06 2.34 3.88

For each IP method and network, the arithmetic mean of the maximum \(\epsilon\) over ten \(\bar{\mathbf{x}}\) is presented in Table 2. Many-IP achieves the smallest maximum \(\epsilon\), and 1-IP+HG achieves a smaller maximum \(\epsilon\) than the 1-IP. Except for Network 4, 1-IP+Fix results in a larger maximum \(\epsilon\) than 1-IP. Method 1-IP+Fix+2Var yields the largest maximum \(\epsilon\) in every case. These results indicate that the using the proposed variable fixing approach yields modest improvement in the ability to find the maximum \(\epsilon\) at which an input can be verified, and using two-variable layer-wise derived inequalities yields significantly more improvement.

Table 3: Verification time (seconds) of Many-IP and 1-IP
Network # of Instances Many-IP 1-IP
1 60 153.1(3) 29.4
2 57 721.9(12) 110.5
3 20 1420.8(10) 358.9
4 59 269.7(8) 58.4(2)
5 56 986.5(18) 286.5(8)
6 39 1941.8(18) 568.3(7)
7 56 972.3(22) 279.7(12)
8 34 1654.4(17) 503.1(7)
9 18 2852.2(13) 710.8(3)

We next investigate in more detail the ability of the different methods to solve verification problems for various values of \(\epsilon\). We first compare Many-IP and 1-IP. To do so, for each network and feature vector we consider the subset of \(\epsilon\) values that are solved by both of these methods, and compute the shifted geometric mean of solution times to solve the IP problem [eq:incorpForm] (for 1-IP) or to solve [eq:indivForm] for all \(t\) (for Many-IP), with a shift of 1. These results are presented in Table 3, where for Many-IP, the number in parenthesis is the number of test instances where the time limit is hit in solving [eq:indivForm] for at least one \(t\) and for 1-IP, the number in parenthesis is the number of test instances where the time limit is hit in solving [eq:incorpForm]. We find that 1-IP solves the verification problem much more quickly than Many-IP, indicating that our technique for obtaining a linear objective leads to faster BNN verification. Considering the superiority of 1-IP over Many-IP, we exclude Many-IP from further comparisons.

Table 4: Verification time (seconds) of IP methods based on 1-IP
Network # of Instances 1-IP 1-IP 1-IP 1-IP
+HG +Fix +Fix
+2Var
1 60 29.4 31.6 5.6 7.0
2 60 119.6 124.3 16.8 16.2
3 52 779.5(10) 842.5(13) 58.4(4) 62.7(4)
4 59 58.4(2) 75.4(1) 15.2(2) 11.3
5 55 296.1(9) 377.9(9) 61.7(7) 30.1(1)
6 46 612.2(13) 942.1(14) 130.4(12) 56.3(2)
7 52 267.8(12) 376.7(15) 84.3(12) 36.1(4)
8 36 582.5(12) 722.1(12) 119.9(11) 36.0(2)
9 25 1183.8(11) 1445.2(11) 276.1(9) 68.3(1)

In Table 4 we report the geometric average verification times over the instances tested by all IP methods based on 1-IP. The set of test instances in this case is based on the set of \(\epsilon\) values that were solved by all 1-IP methods. This set of test instances may differ from the set used in the Many-IP and 1-IP comparison due to the exclusion of Many-IP from this comparison. The number in parenthesis is the number of test instances where the time limit is hit when solving [eq:incorpForm]. We find that 1-IP+HG’s verification times are larger than 1-IP’s, and 1-IP+Fix’s are shorter than 1-IP’s. Thus, we conclude that using inequalities ?? does not accelerate BNN verification, but variable fixings do. We also find that 1-IP+Fix+2Var’s verification times are similar to 1-IP+Fix’s for Networks 1-4, and 1-IP+Fix+2Var’s verification times are shorter than 1-IP+Fix’s for Networks 5-9. This suggests that the two-variable layerwise derived inequalities are more helpful for BNN verification of networks with more hidden layers.

Table 5: LP gap of IP methods based on 1-IP
Network 1-IP 1-IP 1-IP 1-IP
+HG +Fix +Fix
+2Var
1 116.4 % 116.4 % 32.5 % 18.2 %
2 120.8 % 120.8 % 36.0 % 19.9 %
3 131.2 % 132.9 % 50.3 % 30.5 %
4 125.4 % 124.9 % 49.1 % 13.9 %
5 137.4 % 137.8 % 67.4 % 20.5 %
6 150.7 % 153.3 % 82.4 % 25.6 %
7 144.1 % 150.2 % 82.0 % 31.7 %
8 178.8 % 179.3 % 93.8 % 26.9 %
9 180.2 % 180.2 % 109.2 % 13.8 %

We next investigate the LP gaps of [eq:incorpForm] over instances tested by all IP methods based on 1-IP. The LP gap is defined as \((z_{\mathrm{LP}}^*- z^*)/\bar{z}_{\mathrm{UB}}\) where \(z_{\mathrm{LP}}^*\) is the optimal objective value of the LP relaxation problem of [eq:incorpForm] after adding any valid inequalities introduced by the method, \(z^*\) is the best objective value from a feasible solution to [eq:incorpForm] obtained by the method, and \[\bar{z}_{\mathrm{UB}}= \max_{\substack{\mathbf{x}^L\in \{0, 1\}^{n^L}\\ t\in N^{L+ 1}}} (a_t^{L+ 1}(\mathbf{x}^L) - a_{\bar{t}}^{L+ 1}(\mathbf{x}^L)).\] We use \(\bar{z}_{\mathrm{UB}}\) as the denominator instead of \(|z^*|\) because \(z^*\) may be near zero for some instances, which would skew interpretation of these relative optimality gaps when averaged over different instances. The quantity \(\bar{z}_{\mathrm{UB}}\) is positive by definition and is a natural upper bound on the optimal value of [eq:incorpForm]. Table 5 reports the average LP gaps for each method. We find that the LP gaps of 1-IP+HG and 1-IP are similar, 1-IP+Fix yields significant improvement over 1-IP, and 1-IP-Fix+2Var yields further significant improvement beyond that. Although 1-IP+HG does not improve LP gaps on these instances, we remark that in the supplemental experiments reported in Appendix 6.6 we found that on the instances used in [7] the use of the single-neuron valid inequalities did yield modest reduction in the LP gap, although even on these instances this reduction still did not translate into reduced time to solve the verification problem.

Table 6: Other metrics of IP methods based on 1-IP (445 instances)
1-IP 1-IP 1-IP 1-IP
+HG +Fix +Fix
+2Var
Preprocessing time (seconds) 0.0 10.8 7.0 15.2
Verification time (seconds) 211.7 258.9 40.6 25.5
# of solved instances (veri.) 376 370 388 431
# of nodes (veri.) 9228.2 9501.0 78.0 7.3
Optimization time (seconds) 298.2 352.0 62.6 36.7
# of solved instances (opt.) 347 347 359 406
# of nodes (opt.) 16389.5 16540.8 241.1 31.4
Optimality gap 22.5 % 24.4 % 19.2 % 4.8 %

Table 6 presents additional results for the IP methods based on 1-IP. These results are averaged over all 445 instances solved by all these methods. The row ‘Preprocessing time’ presents the shifted geometric mean of times to generate layerwise derived valid inequalities (resp. ?? ) for 1-IP+Fix and 1-IP+Fix+2Var (resp. 1-IP+HG). The row ‘verification time’ is the shifted geometric mean of times to solve the verification problem – if a method does not solve an instance within the time limit, then the time limit is used for that instance. The row ‘# of solved instances (veri.)’ reports the number of instances for which each IP method solved the verification problem within the time limit. Row ‘# of nodes (veri.)’ is the shifted geometric mean of the number of nodes in the branch-and-bound tree when solving the verification problem (again, for instances hitting the time limit, this is just the number of nodes explored within the limit). In all the verification times the solution of [eq:incorpForm] is terminated as soon as the verification question is answered (e.g., if the upper bound becomes non-positive or the lower bound becomes positive). To provide further insight into the quality of these formulations we also attempted to solve [eq:incorpForm] without terminating once the verification question is answered. The results of this experiment are reported in the rows ‘Optimization time’, ’ (# of solved instances (opti.)‘,’(# of nodes (opti.))‘, which are defined analogously as the verification results. Row ’optimality gap’ presents the arithmetic mean of relative optimality gaps obtained in solving [eq:incorpForm] without the early termination, where the relative optimality gap is defined as \((\bar{z}- z^*)/\bar{z}_{\mathrm{UB}}\), where \(\bar{z}\) is the best bound for the optimal objective value of [eq:incorpForm] obtained by the method. A shift is set to 1 in every shifted geometric mean. These results confirm the significant time reduction obtained using variable fixing and the proposed two-variable inequalities, and indicate that this reduction is obtained thanks to the dramatic reduction in the number of branch-and-bound nodes required to either answer the verification problem or to solve the optimization problem. The results also reinforce that the single-neuron inequalities used in 1-IP+HG do not yield improvement.

Table 7: Maximum \(\epsilon\) under which \(\bar{\mathbf{x}}\) is \(\epsilon\)-verified for \(\ell_\infty\) norm and \(\ell_2\) norm
Norm Many-IP 1-IP 1-IP 1-IP 1-IP
+HG +Fix +Fix
+2Var
\(\mathbf{\ell_\infty}\) 0.018 0.026 0.020 0.025 0.032
\(\mathbf{\ell_2}\) 0.029 0.051 0.051 0.247 0.312

All results so far have been reported for the case in which the maximum perturbation from \(\bar{\mathbf{x}}\) is defined using the \(\ell_1\) norm. To illustrate the versatility of the IP approach, we also conducted analogous experiments using the \(\ell_\infty\) and \(\ell_2\) norm. The detailed results of these experiments are presented in Appendix 6.5, and we present a summary here. Table 7 presents the arithmetic mean of the maximum \(\epsilon\) over ten feature vectors \(\bar{\mathbf{x}}\) for each IP method on Network 5. Once gain, Many-IP achieves the smallest maximum \(\epsilon\) in both cases. Method 1-IP+HG again yields smaller maximum \(\epsilon\) than 1-IP in the case of \(p= \infty\) and the same in the case of \(p= 2\). 1-IP+Fix yields similar maximum \(\epsilon\) to 1-IP in the case of \(p= \infty\) and larger maximum \(\epsilon\) than 1-IP in the case of \(p= 2\). Thus, it seems that generating variable fixings alone does not improve BNN verification by the IP methods in the case of \(p= \infty\), but it does in the case of \(p= 2\). 1-IP+Fix+2Var yields the largest maximum \(\epsilon\) in both cases, showing that generating layerwise derived valid inequalities enables verifying the BNN against a higher range of \(\epsilon\) in the case of \(p= \infty\) and \(p= 2\).

5 Conclusion↩︎

In this paper, we investigate an IP method that exploits the technique for obtaining a linear objective and a technique for generating layerwise derived valid inequalities to solve the BNN verification problem. Our computational study shows that our IP method verifies BNNs against a higher range of input perturbation than existing IP methods. The technique for obtaining a linear objective leads to solving the BNN verification problem faster by solving a single IP problem instead of multiple IP problems for each alternative class. The technique for generating layerwise derived valid inequalities enables more efficient BNN verification by yielding smaller LP gaps at the expense of solving IP subproblems involving a single layer.

One future direction on IP methods for the BNN verification problem is investigating valid inequalities that involve more than two variables, as the inequalities we investigated contain at most two variables. Another future direction related to the BNN verification problem is counterfactual explanations for BNNs. As discussed in Section 1, these counterfactual explanations can be obtained by solving the BNN verification problem for various input perturbations. Thus, a possible direction of research for counterfactual explanations for BNNs is to consider whether information from these related instances can be shared to accelerate the overall process. For example, it may be possible to reduce the number of candidates for layerwise derived valid inequalities to check.

6 Appendix↩︎

6.1 Proof of Lemma [lem:linPropConstr]↩︎

We prove following Lemma [lem:linPropConstr] on the formulation for the layer propagation constraint [eq:origFormPropConstr] introduced in Section 2.1.1 with the definition on \(\mathrm{LB}_i^\ell\), \(\mathrm{UB}_i^\ell\), and \(R_i^\ell\) for \(\ell\in [L]\) and \(i\in N^\ell\).

Proof. Proof of Lemma [lem:linPropConstr]. The following constraints are equivalent to [eq:origFormPropConstr]: \[\begin{align} x_i^\ell= 1 &\Rightarrow a_i^\ell(\mathbf{x}^{\ell- 1}) \ge 0\\ &\Leftrightarrow 2 \sum_{j\in N^{\ell- 1}} W_{ij}^\ell x_j^{\ell- 1} \ge \sum_{j\in N^{\ell- 1}} W_{ij}^\ell- b_i^\ell, \quad \forall \ell\in [L], i\in N^\ell,\\ x_i^\ell= 0 &\Rightarrow a_i^\ell(\mathbf{x}^{\ell- 1}) < 0\\ &\Leftrightarrow 2 \sum_{j\in N^{\ell- 1}} W_{ij}^\ell x_j^{\ell- 1} < \sum_{j\in N^{\ell- 1}} W_{ij}^\ell- b_i^\ell, \quad \forall \ell\in [L], i\in N^\ell. \end{align}\]

For \(i\in N^1\) and \(j\in N^0\), \(W_{ij}^1 x_j^0\) is a multiple of \(\frac{1}{q}\). Also, \(R_i^1 + \frac{1}{q}\) is the smallest multiple of \(\frac{2}{q}\) not smaller than \(\sum_{j\in N^0} W_{ij}^1 - b_i^1\), and \(R_i^1 - \frac{1}{q}\) is the largest multiple of \(\frac{2}{q}\) smaller than \(\sum_{j\in N^0} W_{ij}^1 - b_i^1\). Hence, the above constraints can be written as follows for \(\ell= 1\): \[\begin{align} x_i^1 = 1 &\Rightarrow 2 \sum_{j\in N^0} W_{ij}^1 x_j^0 \ge R_i^1 + \frac{1}{q}, \quad \forall i\in N^1,\\ x_i^1 = 0 &\Rightarrow 2 \sum_{j\in N^0} W_{ij}^1 x_j^0 \le R_i^1 - \frac{1}{q}, \quad \forall i\in N^1. \end{align}\]

For \(\ell\in \{2, \ldots, L\}\), \(i\in N^\ell\), and \(j\in N^{\ell- 1}\), \(W_{ij}^\ell x_j^{\ell- 1}\) is an integer. Also, \(R_i^\ell+ 1\) is the smallest even integer not smaller than \(\sum_{j\in N^{\ell- 1}} W_{ij}^\ell- b_i^\ell\), and \(R_i^\ell- 1\) is the largest even integer smaller than \(\sum_{j\in N^{\ell- 1}} W_{ij}^\ell- b_i^\ell\). Hence, the above constraints can be written as follows for \(\ell\in \{2, \ldots, L\}\): \[\begin{align} x_i^\ell= 1 &\Rightarrow 2 \sum_{j\in N^{\ell- 1}} W_{ij}^\ell x_j^{\ell- 1} \ge R_i^\ell+ 1, \quad \forall i\in N^\ell,\\ x_i^\ell= 0 &\Rightarrow 2 \sum_{j\in N^{\ell- 1}} W_{ij}^\ell x_j^{\ell- 1} \le R_i^\ell- 1, \quad \forall i\in N^\ell. \end{align}\]

For \(\ell\in [L]\), \(i\in N^\ell\), and \(j\in N^{\ell- 1}\), \(W_{ij}^\ell\in \{-1, 0, 1\}\)and \(x_j^{\ell- 1} \in [0, 1]\). Hence, \(\mathrm{LB}_i^\ell\) is a lower bound for \(2 \sum_{j\in N^{\ell- 1}} W_{ij}^\ell x_j^{\ell- 1}\) because it is minus two times the number of \(-1\) in \(\{W_{ij}^\ell: j\in N^{\ell- 1}\}\). Also, \(\mathrm{UB}_i^\ell\) is an upper bound for \(2 \sum_{j\in N^{\ell- 1}} W_{ij}^\ell x_j^{\ell- 1}\) because it is two times the number of \(1\) in \(\{W_{ij}^\ell: j\in N^{\ell- 1}\}\).

By exploiting this lower bound and upper bound, it can be concluded that \((\mathbf{x}^0, \mathbf{x}^1) \in X^0 \times \{0, 1\}^{n^1}\) satisfies [eq:origFormPropConstr] if and only if it satisfies 3 and 4 , and \((\mathbf{x}^{\ell- 1}, \mathbf{x}^\ell) \in \{0, 1\}^{n^{\ell- 1}} \times \{0, 1\}^{n^\ell}\) satisfies [eq:origFormPropConstr] if and only if it satisfies 5 and 6 for \(\ell\in \{2, \ldots, L\}\). \(\square\) ◻

6.2 Proof of Lemma 1↩︎

Proof. Proof. First, from a feasible solution \((\hat{\mathbf{x}}^0, \ldots, \hat{\mathbf{x}}^L, \hat{t})\) to [eq:origForm] where \(t\) is considered as a decision variable, we obtain a feasible solution to [eq:incorpForm] with the same objective value. From \((\hat{\mathbf{x}}^0, \ldots, \hat{\mathbf{x}}^L, \hat{t})\), \(\hat{\mathbf{y}}\) is defined as \(q\hat{\mathbf{x}}^0\). Also, \(\hat{z}_t\) is defined as \(\mathtt{1}_{\{\hat{t}\}}(t)\), and \(\hat{v}_{ti}\) is defined as \(\hat{z}_t\hat{x}_i^L\).

By Lemma [lem:linPropConstr], \((\hat{\mathbf{x}}^0, \ldots, \hat{\mathbf{x}}^L, \hat{\mathbf{y}}, \hat{\mathbf{z}}, \hat{\mathbf{v}})\) satisfies 3 4 and 5 6 for \(\ell\in \{2, \ldots, L\}\). By the definition of \(\hat{\mathbf{y}}\), \((\hat{\mathbf{x}}^0, \ldots, \hat{\mathbf{x}}^L, \hat{\mathbf{y}}, \hat{\mathbf{z}}, \hat{\mathbf{v}})\) satisfies 7 8 and [eq:incorpFormYVar]. By the definition of \(\hat{\mathbf{z}}\) and \(\hat{\mathbf{v}}\), \((\hat{\mathbf{x}}^0, \ldots, \hat{\mathbf{x}}^L, \hat{\mathbf{y}}, \hat{\mathbf{z}}, \hat{\mathbf{v}})\) satisfies [eq:incorpFormClassConstr]-[eq:incorpFormProdSumConstr] and [eq:incorpFormZVar]-[eq:incorpFormVVar]. Also, \((\hat{\mathbf{x}}^0, \ldots, \hat{\mathbf{x}}^L, \hat{\mathbf{y}}, \hat{\mathbf{z}}, \hat{\mathbf{v}})\) satisfies [eq:incorpFormProdConstr] because \(\hat{\mathbf{z}}\) and \(\hat{\mathbf{x}}^L\) are binary, so \((\hat{\mathbf{x}}^0, \ldots, \hat{\mathbf{x}}^L, \hat{\mathbf{y}}, \hat{\mathbf{z}}, \hat{\mathbf{v}})\) is a feasible solution to [eq:incorpForm].

The definitions of \(\hat{\mathbf{z}}\) and \(\hat{\mathbf{v}}\) implies \(\hat{z}_t= 0\) for \(t\ne \hat{t}\), \(\hat{z}_{\hat{t}} = 1\), and \(\hat{v}_{ti} = \hat{z}_t\hat{x}_i^L\). With this implication, the objective value of \((\hat{\mathbf{x}}^0, \ldots, \hat{\mathbf{x}}^L, \hat{t})\) in [eq:origForm] is same as the objective value of \((\hat{\mathbf{x}}^0, \ldots, \hat{\mathbf{x}}^L, \hat{\mathbf{y}}, \hat{\mathbf{z}}, \hat{\mathbf{v}})\) in [eq:incorpForm] by following steps: \[\begin{align} a_{\hat{t}}^{L+ 1}(\hat{\mathbf{x}}^L) - a_{\bar{t}}^{L+ 1}(\hat{\mathbf{x}}^L) &= \sum_{t\in N^{L+ 1} \setminus \{\bar{t}\}} \hat{z}_t(a_t^{L+ 1}(\hat{\mathbf{x}}^L) - a_{\bar{t}}^{L+ 1}(\hat{\mathbf{x}}^L))\\ &= \sum_{t\in N^{L+ 1} \setminus \{\bar{t}\}} \hat{z}_t\Big(\sum_{i\in N^L} (W_{ti}^L- W_{\bar{t}i}^L)(2 \hat{x}_i^L- 1) + (b_t^L- b_{\bar{t}}^L)\Big)\\ &= \sum_{t\in N^{L+ 1} \setminus \{\bar{t}\}} \sum_{i\in N^L} 2(W_{ti}^L- W_{\bar{t}i}^L)\hat{z}_t\hat{x}_i^L\\ &\quad + \sum_{t\in N^{L+ 1} \setminus \{\bar{t}\}} \Big(-\sum_{i\in N^L} (W_{ti}^L- W_{\bar{t}i}^L) + (b_t^L- b_{\bar{t}}^L)\Big)\hat{z}_i\\ &= \sum_{t\in N^{L+ 1} \setminus \{\bar{t}\}} \sum_{i\in N^L} 2(W_{ti}^L- W_{\bar{t}i}^L)\hat{v}_{ti}\\ &\quad + \sum_{t\in N^{L+ 1} \setminus \{\bar{t}\}} \Big(-\sum_{i\in N^L} (W_{ti}^L- W_{\bar{t}i}^L) + (b_t^L- b_{\bar{t}}^L)\Big)\hat{z}_i. \end{align} \label{eq:linObj}\tag{14}\]

Next, from a feasible solution \((\hat{\mathbf{x}}^0, \ldots, \hat{\mathbf{x}}^L, \hat{\mathbf{y}}, \hat{\mathbf{z}}, \hat{\mathbf{v}})\) to [eq:incorpForm], we obtain a feasible solution to [eq:origForm] with the same objective value where \(t\) is considered as a decision variable. From \((\hat{\mathbf{x}}^0, \ldots, \hat{\mathbf{x}}^L, \hat{\mathbf{y}}, \hat{\mathbf{z}}, \hat{\mathbf{v}})\), \(\hat{t}\) is defined as \(t\) satisfying \(\hat{z}_t= 1\), whose uniqueness is guaranteed by [eq:incorpFormClassConstr] and [eq:incorpFormZVar].

By 3 6 and Lemma [lem:linPropConstr], \((\hat{\mathbf{x}}^0, \ldots, \hat{\mathbf{x}}^L, \hat{t})\) satisfies the layer propagation constraints [eq:origFormPropConstr]. By 7 9 , [eq:incorpFormXInpVar], and [eq:incorpFormYVar], \((\hat{\mathbf{x}}^0, \ldots, \hat{\mathbf{x}}^L, \hat{t})\) satisfies the input perturbation constraint [eq:origFormXInpVar]. Hence, \((\hat{\mathbf{x}}^0, \ldots, \hat{\mathbf{x}}^L, \hat{t})\) is a feasible solution to [eq:origForm].

By 14 , the objective value of \((\hat{\mathbf{x}}^0, \ldots, \hat{\mathbf{x}}^L, \hat{\mathbf{y}}, \hat{\mathbf{z}}, \hat{\mathbf{v}})\) in [eq:incorpForm] is same as the objective value of \((\hat{\mathbf{x}}^0, \ldots, \hat{\mathbf{x}}^L, \hat{t})\) in [eq:origForm]. The first equality holds because \(\hat{z}_t= 0\) for \(t\neq \hat{t}\), and \(\hat{z}_{\hat{t}} = 1\). The last equality holds because \(\hat{v}_{ti} = \hat{z}_t\hat{x}_i^L\). For \(t\ne \hat{t}\), \(\hat{v}_{ti} \ge 0\) by [eq:incorpFormVVar], and \(\hat{v}_{ti} \le \hat{z}_t= 0\) by [eq:incorpFormProdConstr], so \(\hat{v}_{ti} = 0 = \hat{z}_t\hat{x}_i^L\). Also, \(\hat{v}_{\hat{t}i} = \hat{z}_{\hat{t}} \hat{x}_i^L\) by following steps: \[\begin{align} \hat{v}_{\hat{t}i} &= \sum_{t\in N^{L+ 1} \setminus \{\bar{t}\}} \hat{v}_{ti} &(\text{For all t other than \hat{t}, \hat{v}_{ti} = 0})\\ &= \hat{x}_i^L&(\text{By \eqref{eq:incorpFormProdSumConstr}})\\ &= \hat{z}_{\hat{t}} \hat{x}_i^L. \end{align}\]

For these reasons, [eq:incorpForm] is equivalent to [eq:origForm]. \(\square\) ◻

6.3 Proof of Convex Hull Characterization for a Single Neuron↩︎

We prove Theorem 1 on the characterization for the convex hull 10 for a single neuron introduced in Section 2.3, which is an extension of the main result in [7]. To simplify the statement of this theorem, \(\ell\in \{2, \ldots, L\}\) and \(i\in N^\ell\) are fixed, and the following notations are defined for \(j\in N^{\ell- 1}\) with \(\mathrm{LB}_i^\ell\), \(\mathrm{UB}_i^\ell\), and \(R_i^\ell\) defined in Section 2.1.1: \[\begin{align} \mathbf{x}& := \mathbf{x}^{\ell- 1},\\ u& := x_i^\ell,\\ w_j& := W_{ij}^\ell,\\ \mathrm{LB}& := \mathrm{LB}_i^\ell= \sum_{j\in N^{\ell- 1}} (W_{ij}^\ell- |W_{ij}^\ell|),\\ \mathrm{UB}&:= \mathrm{UB}_i^\ell= \sum_{j\in N^{\ell- 1}} (W_{ij}^\ell+ |W_{ij}^\ell|),\\ R&:= R_i^\ell= 2 \bigg\lceil\frac{\sum_{j\in N^{\ell- 1}} W_{ij}^\ell- b_i^\ell}{2}\bigg\rceil - 1. \end{align}\] Then, this theorem can be restated as follows:

Theorem 1 (Restated) The set of \((\mathbf{x}, u) \in [0, 1]^{n^{\ell- 1}} \times [0, 1]\) satisfying the following inequalities for all \(J\subset \{j\in N^{\ell- 1}: w_j\ne 0\}\) is 10 : \[\label{eq:simpSingleConvHullIneq} \begin{align} &\sum_{j\in J} (w_j(2 x_j- 1) - (2 u- 1)) \ge (R- \mathrm{UB}+ 1)u,\label{eq:simpSingleConvHullIneqLowerBound}\\ &\sum_{j\in J} (w_j(2 x_j- 1) - (2 u- 1)) \le (R- \mathrm{LB}- 1)(-u+ 1).\label{eq:simpSingleConvHullIneqUpperBound} \end{align}\] {#eq: sublabel=eq:eq:simpSingleConvHullIneq,eq:eq:simpSingleConvHullIneqLowerBound,eq:eq:simpSingleConvHullIneqUpperBound}

Proof. Proof. Consider the following sets: \[\begin{align} X^+ &= \{(\mathbf{x}, 1): \mathbf{x}\in \{0, 1\}^{n^{\ell- 1}}, a_i^\ell(\mathbf{x}) \ge 0\},\\ X^- &= \{(\mathbf{x}, 0): \mathbf{x}\in \{0, 1\}^{n^{\ell- 1}}, a_i^\ell(\mathbf{x}) < 0\}. \end{align}\] By the proof of Lemma [lem:linPropConstr], \(X^+\) and \(X^-\) can be written as follows: \[\begin{align} X^+ &= \Big\{(\mathbf{x}, 1): \mathbf{x}\in \{0, 1\}^{n^{\ell- 1}}, \sum_{\substack{j\in N^{\ell- 1}\\ w_j\ne 0}} w_jx_j\ge \frac{R+ 1}{2}\Big\},\\ X^- &= \Big\{(\mathbf{x}, 0): \mathbf{x}\in \{0, 1\}^{n^{\ell- 1}}, \sum_{\substack{j\in N^{\ell- 1}\\ w_j\ne 0}} w_jx_j\le \frac{R- 1}{2}\Big\}. \end{align}\]

By exploiting total unimodularity of the constraints defining \(X^+\) and \(X^-\) arising from \(w_j\in \{-1, 0, 1\}\) and \(\frac{R+ 1}{2} \in \mathbb{Z}\), \(\mathrm{conv}(X^+)\) and \(\mathrm{conv}(X^-)\) can be obtained as follows: \[\begin{align} \mathrm{conv}(X^+) &= \bigg\{(\mathbf{x}, 1): \mathbf{x}\in [0, 1]^{n^{\ell- 1}}, \sum_{\substack{j\in N^{\ell- 1}\\ w_j\ne 0}} w_jx_j\ge \frac{R+ 1}{2}\bigg\},\\ \mathrm{conv}(X^-)& = \bigg\{(\mathbf{x}, 0): \mathbf{x}\in [0, 1]^{n^{\ell- 1}}, \sum_{\substack{j\in N^{\ell- 1}\\ w_j\ne 0}} w_jx_j\le \frac{R- 1}{2}\bigg\}. \end{align}\]

These convex hulls can be used to describe 10 as follows where the last statement holds because of compactness of \(\mathrm{conv}(X^+)\) and \(\mathrm{conv}(X^-)\) arising from finiteness of \(X^+\) and \(X^-\): \[\begin{align} \mathrm{conv}(X^+ \cup X^-) &= \mathrm{conv}(\mathrm{conv}(X^+) \cup \mathrm{conv}(X^-))\\ &= \mathrm{cl}\mathrm{conv}(\mathrm{conv}(X^+) \cup \mathrm{conv}(X^-)). \end{align}\]

By [26]’s work on disjunctive programming, \((\mathbf{x}, u) \in \mathbb{R}^{n^{\ell- 1}} \times \mathbb{R}\) is in 10 if and only if there exist \((\mathbf{x}^+, u^+), (\mathbf{x}^-, u^-) \in \mathbb{R}^{n^{\ell- 1}} \times \mathbb{R}\) and \(\lambda \in [0, 1]\) satisfying the following inequalities: \[\begin{align} \mathbf{x}&= \mathbf{x}^+ + \mathbf{x}^-,\\ u&= u^+ + u^-,\\ 0 \le \mathbf{x}^+ &\le \lambda \cdot \mathbf{1},\\ u^+ &= \lambda,\\ 2 \sum_{\substack{j\in N^{\ell- 1}\\ w_j\ne 0}} w_jx_j^+ &\ge (R+ 1)\lambda,\\ 0 \le \mathbf{x}^- &\le (1 - \lambda) \cdot \mathbf{1},\\ u^- &= 0,\\ 2 \sum_{\substack{j\in N^{\ell- 1}\\ w_j\ne 0}} w_jx_j^- &\le (R- 1)(1 - \lambda). \end{align}\] Existence of \((\mathbf{x}^+, u^+), (\mathbf{x}^-, u^-) \in \mathbb{R}^{n^{\ell- 1}} \times \mathbb{R}\) and \(\lambda \in [0, 1]\) satisfying the above inequalities is identical to existence of \(\mathbf{x}^+ \in \mathbb{R}^{n^{\ell- 1}}\) satisfying the following inequalities, which are provided by substituting \(u^-\) with \(0\), \(u^+\) and \(\lambda\) with \(u\), and \(\mathbf{x}^-\) with \(\mathbf{x}- \mathbf{x}^+\): \[\begin{align} -\frac{u}{2} \cdot \mathbf{1}\le \mathbf{x}^+ - \frac{u}{2} \cdot \mathbf{1}&\le \frac{u}{2} \cdot \mathbf{1},\tag{15}\\ -\Big(\frac{1 - u}{2}\Big) \cdot \mathbf{1}\le \mathbf{x}- \mathbf{x}^+ - \Big(\frac{1 - u}{2}\Big) \cdot \mathbf{1}&\le \Big(\frac{1 - u}{2}\Big) \cdot \mathbf{1},\tag{16}\\ 2 \sum_{\substack{j\in N^{\ell- 1}\\ w_j\ne 0}} w_jx_j^+ &\ge (R+ 1)u,\tag{17}\\ 2 \sum_{\substack{j\in N^{\ell- 1}\\ w_j\ne 0}} w_jx_j^+ &\ge 2 \sum_{\substack{j\in N^{\ell- 1}\\ w_j\ne 0}} w_jx_j- (R- 1)(1 - u).\tag{18} \end{align}\] For \(j\) satisfying \(w_j\neq 0\), 15 16 are equivalent to the following inequalities because \(w_j\in \{-1, 1\}\): \[\begin{align} -\frac{u}{2} \cdot \mathbf{1}\le w_j\Big(\mathbf{x}^+ - \frac{u}{2}\Big) \cdot \mathbf{1}&\le \frac{u}{2} \cdot \mathbf{1},\\ -\frac{(1 - u)}{2} \cdot \mathbf{1}\le w_j\Big(\mathbf{x}- \mathbf{x}^+ - (\frac{1 - u}{2})\Big) \cdot \mathbf{1}&\le \frac{(1 - u)}{2} \cdot \mathbf{1}. \end{align}\] By replacing \(w_jx_j^+\) with its maximum attained from the above inequalities in 17 18 and employing Fourier-Motzkin Elimination to 15 16 to remove \(\mathbf{x}^+ - \frac{u}{2}\), existence of \(\mathbf{x}^+ \in \mathbb{R}^{n^{\ell- 1}}\) satisfying 15 18 is equivalent to whether the following inequalities are satisfied: \[\begin{align} \max\Big(-\frac{u}{2}, x_j+ \frac{u}{2} - 1\Big) &\le \min\Big(\frac{u}{2}, x_j- \frac{u}{2}\Big), \quad \forall j\in N^{\ell- 1},\\ \sum_{\substack{j\in N^{\ell- 1}\\ w_j\ne 0}} \min((w_j+ 1)u, 2 w_jx_j+ (-w_j+ 1)(1 - u)) &\ge (R+ 1)u,\\ \sum_{\substack{j\in N^{\ell- 1}\\ w_j\ne 0}} \min((w_j+ 1)u, 2 w_jx_j+ (-w_j+ 1)(1 - u)) &\ge 2 \sum_{\substack{j\in N^{\ell- 1}\\ w_j\ne 0}} w_jx_j- (R- 1)(1 - u). \end{align}\] These inequalities are satisfied if and only if the following inequalities are satisfied because \(|w_j| = 1\) if \(w_j\ne 0\), \(\sum_{\substack{j\in N^{\ell- 1}\\ w_j\ne 0}} (-w_j+ 1) = \sum_{j\in N^{\ell- 1}} (-w_j+ |w_j|) = -\mathrm{LB}\), and \(\sum_{\substack{j\in N^{\ell- 1}\\ w_j\ne 0}} (w_j+ 1) = \sum_{j\in N^{\ell- 1}} (w_j+ |w_j|) = \mathrm{UB}\): \[\begin{gather} 0 \le x_j\le 1, \quad \forall j\in N^{\ell- 1},\\ 0 \le u\le 1,\\ \sum_{\substack{j\in N^{\ell- 1}\\ w_j\ne 0}} \min(w_j(2 x_j- 1), 2 u- 1) \ge (R- \mathrm{LB}+ 1)u- \sum_{j\in N^{\ell- 1}} |w_j|,\\ \sum_{\substack{j\in N^{\ell- 1}\\ w_j\ne 0}} \max(w_j(2 x_j- 1), 2 u- 1) \le (\mathrm{UB}- R+ 1)u+ R- \sum_{j\in N^{\ell- 1}} w_j- 1. \end{gather}\] If \(w_j\ne 0\), \(|w_j| = 1\), so \(|\{j\in N^{\ell- 1}: w_j\ne 0\}| = \sum_{j\in N^{\ell- 1}} |w_j|\). With this equality, by replacing \(\min\) and \(\max\) in the last two inequalities with linear expressions involving \(J\subset \{j\in N^{\ell- 1}: w_j\ne 0\}\), the set of \((\mathbf{x}, u)\) satisfying the last two inequalities can be written as the set of \((\mathbf{x}, u)\) satisfying the following linear inequalities for all \(J\subset \{j\in N^{\ell- 1}: w_j\ne 0\}\): \[\begin{gather} \sum_{j\in J} (w_j(2 x_j- 1) - (2 u- 1)) \ge (R- \mathrm{LB}+ 1)u- \sum_{j\in N^{\ell- 1}} |w_j| - \Big(\sum_{j\in N^{\ell- 1}} |w_j|\Big)(2 u- 1),\\ \sum_{j\in J} (w_j(2 x_j- 1) - (2 u- 1)) \le (\mathrm{UB}- R+ 1)u+ R- \sum_{j\in N^{\ell- 1}} w_j- 1 - \Big(\sum_{j\in N^{\ell- 1}} |w_j|\Big)(2 u- 1). \end{gather}\]

These inequalities are equivalent to ?? and ?? because \(\sum_{j\in N^{\ell- 1}} |w_j| = \frac{\mathrm{UB}- \mathrm{LB}}{2}\) and \(\sum_{j\in N^{\ell- 1}} (w_j- |w_j|) = \mathrm{LB}\), so 10 is the set of \((\mathbf{x}, u) \in [0, 1]^{N^{\ell- 1}} \times [0, 1]\) satisfying ?? for all \(J\subset \{j\in N^{\ell- 1}: w_j\ne 0\}\). \(\square\) ◻

6.4 Implementation Details for Infinity-norm and 2-norm↩︎

We explain implementation details for the case that the maximum perturbation from \(\bar{\mathbf{x}}\) is defined using an \(\ell_\infty\) norm or \(\ell_2\) norm. These details are about how to solve the IP subproblem ?? without an IP solver in the case of \(\ell= 1\) and how to implement the input perturbation constraint 9 .

We first consider solving ?? for the case of layer \(\ell= 1\) and \(p= \infty\). In this case, the optimal solution is obtained by setting \(x_j^0\) to \(\min(\bar{x}_j+ \epsilon, 1)\) for \(j\) satisfying \(c_iW_{ij}^1 = 1\), setting \(x_j^0\) to \(\max(\bar{x}_j- \epsilon, 0)\) for \(j\) satisfying \(c_iW_{ij}^1 = -1\), and setting \(x_j^0\) to \(\bar{x}_j\) for \(j\) satisfying \(c_iW_{ij}^1 = 0\). All constraints defining \(X^0\) are of the form \(|x_j^0 - \bar{x}_j| \le \epsilon\), so this solution is feasible, and it immediate that no other solution can yield a better objective value.

We next consider solving ?? for the case of layer \(\ell= 1\) and \(p= 2\). First, observe that given a feasible solution \(\hat{\mathbf{x}}^0 \in \frac{1}{q} \mathbb{Z}_+^{n^0} \cap [0, 1]^{n^0}\) to ?? , if for some \(j \in N^0\) it holds that \(c_iW_{ij}^1(\hat{x}_j^0 - \bar{x}_j) \le 0\), then another feasible solution with the same or better objective value can be obtained by replacing \(\hat{x}_j^0\) with \(\bar{x}_j\). Hence, we can restrict our search for an optimal solution of ?? to solutions \(\hat{\mathbf{x}}^0\) that satisfy: \[\begin{align} \hat{x}_j^0 \ge \bar{x}_j, &\quad \text{for j such that } c_iW_{ij}^1 = 1,\\ \hat{x}_j^0 \le \bar{x}_j, &\quad \text{for j such that } c_iW_{ij}^1 = -1,\\ \hat{x}_j^0 = \bar{x}_j, &\quad \text{for j such that } W_{ij}^1 = 0. \end{align}\] Let \(N_0^+ = \{j \in N_0 : W_{ij} \neq 0\}\). Thus, we can restrict our attention to solutions defined by a vector \(z \in \{0,1,\ldots,q\}^{N_0^+}\) as follows: \[\hat{x}_j^{0}(z) = \begin{cases} \min(\bar{x}_j+ \frac{z_j}{q}, 1) & \text{if } c_iW_{ij}^1 = 1, \\ \max(\bar{x}_j- \frac{z_j}{q}, 0) & \text{if } c_iW_{ij}^1 = -1, \\ \bar{x}_j& \text{if } W_{ij}^1 = 0 . \end{cases}\] Observe that the objective in ?? and the expression \(\| \hat{\mathbf{x}}(z) - \bar{\mathbf{x}}\|_2\) are monotone increasing in \(z\), and hence an optimal solution will be such that increasing \(z_j\) for any \(j \in N_0^+\) would be infeasible. Next, for \(z \in \{0,1,\ldots,q\}^{N_0^+}\), define the set \[N_0^S(z) = \Bigl\{ j \in N_0^+ : (c_iW_{ij}^1 = 1 \text{ and } \hat{x}_j^0(z) \leq 1 - 1/q ) \text{ or } (c_iW_{ij}^1 = -1 \text{ and } \hat{x}_j^0(z) \geq 1/q ) \Bigr\}.\] If there exists \(z \in \{0,1,\ldots,q\}^{N_0^+}\) in which \(\hat{\mathbf{x}}(z)\) is feasible to ?? and \(N_0^S(z) = \emptyset\), then \(\hat{\mathbf{x}}(z)\) is optimal to ?? since this solution obtains the best possible objective. Otherwise, we claim that there exists an optimal solution \(\hat{\mathbf{x}}(z)\) that satisfies: \[\max\{ z_j : j \in N_0^S(z)\} - \min \{z_j : j \in N_0^S(z) \} \leq 1.\] Consider a solution that violates this condition. Another feasible solution with the same objective value can be obtained by decreasing \(z_{j_1}\) by one and increasing \(z_{j_2}\) by one, where \(j_1 \in \arg \max\{ z_j : j \in N_0^S(z)\}\) and \(j_2 \in \arg \min \{z_j : j \in N_0^S(z) \}\). Repeating this process will eventually yield a vector \(z\) which satisfies this condition since there only finitely many elements achieving the max and min in the condition, and an element will necessarily be removed from one or the other as long as the max is at least two larger than the min.

These arguments imply that an optimal solution to ?? can be obtained by first finding the maximum \(m\) such that the solution \(\hat{\mathbf{x}}(z)\) is satisfies \(\| \hat{\mathbf{x}}(z) - \bar{\mathbf{x}}\|_2 \leq \epsilon\), where \(z_j = m\) for \(j \in N_0^+\). Having found this solution (e.g., by binary search), one would then iteratively select some \(j \in N_0^S(z)\) and increase \(z_j\), and repeat (without selecting any \(j\) more than once) until no more can be increased without violating \(\| \hat{\mathbf{x}}(z) - \bar{\mathbf{x}}\|_2 \leq \epsilon\).

Finally, we describe how the constraint 9 is formulated when using a MIP solver to solve the verification problem in the case of \(p=2\). We define a decision variable \(u_j\) to represent \(|x_j^0 - \bar{x}_j|\) for each \(j\in N^0\). The following inequalities are added as constraints because 9 is satisfied if and only if there exists \(\mathbf{u}\in \mathbb{R}_+^{n^0}\) satisfying the following inequalities: \[\begin{align} u_j&\ge x_j^0 - \bar{x}_j, \quad \forall j\in N^0,\\ u_j&\ge -x_j^0 + \bar{x}_j, \quad \forall j\in N^0,\\ \sum_{j\in N^0} u_j^2 &\le \epsilon^2. \end{align}\] We remark that we found through preliminary empirical study that this formulation technique was computationally superior to the more direct approach of simply formulating the constraint as follows: \[\sum_{j \in N_0} (x_j^0 - \bar{x}_j)^2 \leq \epsilon^2.\]

6.5 Detailed Computational Results for Infinity-norm and 2-norm↩︎

We present more detailed computational results for the case that the maximum perturbation from \(\bar{\mathbf{x}}\) is defined using an \(\ell_\infty\) norm or \(\ell_2\) norm. Test instances for these cases are formed with Network 5 in Table 1, \(\bar{\mathbf{x}}\), and \(\epsilon\) that are chosen as explained in Section 4.1.

Table 8: Verification time (seconds) of Many-IP and 1-IP for \(\ell_\infty\) norm and \(\ell_2\) norm
Norm # of instances Many-IP 1-IP
\(\mathbf{\ell_\infty}\) 47 143.1(16) 78.1(6)
\(\mathbf{\ell_2}\) 17 502.9(12) 311.6(2)

We first investigate the time required to use the IP problem [eq:incorpForm] (resp. [eq:indivForm] for all \(t\)) to solve the the verification problem. The shifted geometric mean (with a shift of 1) of times over all instances tested by both IP method Many-IP and 1-IP is computed for each method and displayed in Table 8 for the case of \(p= \infty\) and \(p= 2\), along with the number of test instances. For Many-IP, the number in parenthesis is the number of test instances where the time limit is hit in solving [eq:indivForm] for at least one \(t\). For 1-IP, the number in parenthesis is the number of test instances where the time limit is hit in solving [eq:incorpForm]. We find that 1-IP’s verification times are smaller than Many-IP’s, indicating that our technique for obtaining a linear objective also leads to faster BNN verification in the case of \(p= \infty\) and \(p= 2\).

Table 9: Metrics of IP methods based on 1-IP for \(\ell_\infty\) norm (49 instances)
1-IP 1-IP 1-IP 1-IP
+HG +Fix +Fix
+2Var
Preprocessing time (seconds) 0.0 10.6 7.5 27.4
Verification time (seconds) 98.6 147.2 100.6 44.9
# of solved instances (veri.) 38 35 37 44
# of nodes (veri.) 1297.6 1283.6 1265.3 17.8
Optimization time (seconds) 115.5 178.4 117.5 57.4
# of solved instances (opt.) 37 33 37 42
# of nodes (opt.) 2182.8 2587.9 2133.7 86.4
LP gap 153.4 % 156.3 % 103.4 % 35.2 %
Optimality gap 31.8 % 46.8 % 33.6 % 11.0 %

Table 9 presents results analogous to those of Table 6 in the main sections, but on instances with \(p= \infty\). We find that in this case, neither 1-IP+HG nor 1-IP+Fix yield improvement compared to 1-IP, so generating ?? and variable fixings do not improve BNN verification. Generating variable fixings decreases LP gaps, but this decrease does not lead to more effective BNN verification in the case of \(p= \infty\). On the other hand, 1-IP+Fix+2Var yields improvement compared to the other IP methods based on 1-IP. It implies that our technique for generating layerwise derived valid inequalities, mainly two-variable inequalities, also leads to more efficient BNN verification in the case of \(p= \infty\).

Table 10: Metrics of IP methods based on 1-IP for \(\ell_2\) norm (22 instances)
1-IP 1-IP 1-IP 1-IP
+HG +Fix +Fix
+2Var
Preprocessing time (seconds) 0.0 35.1 6.7 9.2
Verification time (seconds) 1215.6 1305.9 9.3 10.3
# of solved instances (veri.) 12 12 22 22
# of nodes (veri.) 9844.0 9811.1 0.8 0.7
Optimization time (seconds) 1549.9 1632.5 12.2 12.4
# of solved instances (opt.) 11 11 21 22
# of nodes (opt.) 16647.4 16607.7 7.1 5.0
LP gap 165.1 % 165.1 % 12.5 % 2.9 %
Optimality gap 46.5 % 46.6 % 1.8 % 0.0 %

In the case of \(p= 2\), the same metrics are computed over all 22 instances tested by all IP methods based on 1-IP to compare these IP methods. Table 10 shows these metrics. 1-IP+HG does not result in improvement compared to 1-IP, which means that generating ?? also does not improve BNN verification in the case of \(p= 2\). 1-IP+Fix and 1-IP+Fix+2Var yield similar improvements compared to 1-IP, which implies that generating variable fixings improves BNN verification in the case of \(p= 2\), but on these instances there does not appear to be further improvement from two-variable inequalities.

Table 11: Metrics of 1-IP+Fix and 1-IP+Fix+2Var for \(\ell_2\) norm (49 instances)
1-IP 1-IP
+Fix +Fix
+2Var
Preprocessing time (seconds) 7.0 24.0
Verification time (seconds) 66.3 41.5
# of solved instances (veri.) 35 42
# of nodes (veri.) 33.6 4.8
Optimization time (seconds) 82.3 82.9
# of solved instances (opt.) 32 34
# of nodes (opt.) 90.7 75.7
LP gap 51.8 % 24.0 %
Optimality gap 29.5 % 16.9 %

To better compare 1-IP+Fix and 1-IP+Fix+2Var, we report in Table 11 the results comparing these instances on all 49 instances solved by these two methods (many of these were excluded in Table 10 since they were not solved by 1-IP or 1-IP+HG). From this table we observe that spending more time in generating more layerwise derived valid inequalities, mainly two-variable inequalities, results in reducing LP gaps and solving the verification problem more quickly on these instances.

6.6 Computational Study on Convex Hull Characterization for a Single Neuron↩︎

We pursue an additional computational study to validate our implementation for IP methods exploiting Theorem 1 on convex hull characterization for a single neuron. As we see in in Table 5, the IP method 1-IP+HG employing the valid inequalities presented Theorem 1 does not yield significant decreases in LP gaps compared to the IP method 1-IP. However, using these valid inequalities resulted in smaller LP gaps in [7]. One possible reason for this discrepancy is that ?? cannot be used for \(\ell= 1\) in our computational study because \(q= 255\), but these valid inequalities can be used in the computational study of [7] because \(q= 1\). To examine whether this guess is correct, an additional computational study is conducted on test instances based on ones in [7] to assess the impact of exploiting Theorem 1. In this computational study, the IP method Many-IP and Many-IP+HG, which solves the IP problem [eq:indivForm] by employing a constraint generation approach with ?? as 1-IP+HG for each \(t\), are compared because \(t\) is fixed in [7].

Table 12: Networks in additional computational study
Network \(\mathbf{L}\) \(\mathbf{n^1}\) \(\mathbf{n^2}\)
1 1 32 *
2 1 64 *
3 1 128 *
4 2 32 32
5 2 64 64
6 2 128 128

Each test instance consists of a BNN, \(\bar{\mathbf{x}}\), and \(\epsilon\). Six BNNs pretrained from [7] are used in this computational study. These networks are trained on the MNIST training dataset by using [1]’s method, which implies \(n^0 = 784\) and \(n^{L+ 1} = 10\). The numbers of hidden layers and the number of neurons in hidden layers of each network are reported in Table 12. Feature vectors in the MNIST dataset are scaled to binary vectors by converting coordinates smaller than 128 to 0 and the other coordinates to 1, which indicates \(q= 1\). Ten feature vectors are selected for \(\bar{\mathbf{x}}\). For each digit from 0 to 9, one feature vector in the MNIST test dataset whose \(\bar{t}\) is this digit is randomly chosen. Positive integers from 1 to 5 are used as \(\epsilon\).

Table 13: Metrics of Many-IP and Many-IP+HG
Network \(\mathbf{\epsilon}\) LP value Verification time (seconds)
Many-IP Many-IP+HG Many-IP Many-IP+HG
1 1.0 24.5 6.2 1.2 1.7
2.0 24.6 6.3 1.3 5.0
3.0 24.7 7.9 1.4 5.8
4.0 24.8 7.7 1.4 6.7
5.0 24.8 7.9 1.5 8.6
2 1.0 50.2 12.9 2.3 3.8
2.0 50.4 16.9 4.2 9.9
3.0 50.5 16.4 4.3 13.4
4.0 50.7 18.5 4.3 16.9
5.0 50.8 22.9 4.1 17.2
3 1.0 80.7 15.9 4.5 8.6
2.0 80.9 19.1 9.0 27.5
3.0 81.2 20.3 9.2 34.1
4.0 81.4 29.4 9.2 36.6
5.0 81.6 31.8 9.3 49.3
4 1.0 22.1 4.5 1.2 5.0
2.0 22.1 11.0 1.4 21.1
3.0 22.1 14.4 1.5 20.2
4.0 22.1 16.6 1.4 22.6
5.0 22.1 18.1 1.5 25.6
5 1.0 29.9 12.7 2.5 8.6
2.0 29.9 19.9 6.6 53.2
3.0 29.9 23.6 6.9 47.5
4.0 29.9 25.7 7.2 68.4
5.0 29.9 27.0 7.5 84.8
6 1.0 45.0 26.4 5.3 16.3
2.0 45.0 36.2 28.7 1347.6(3)
3.0 45.0 40.0 37.1 1312.6(3)
4.0 45.0 42.2 50.4 1287.8(5)
5.0 45.0 43.3 64.9 1175.9(4)

For each network and \(\epsilon\), the arithmetic mean of optimal objective values of the LP relaxation problem of [eq:indivForm] over all \(\bar{\mathbf{x}}\) and \(t\) (LP value) and the shifted geometric mean of times to solve the verification problem for all \(t\) with a shift of 1 over all \(\bar{\mathbf{x}}\) (verification time) are computed for Many-IP and Many-IP+HG to compare these IP methods. Table 13 reports LP values and verification times. The number in parenthesis for verification time is the number of \(\bar{\mathbf{x}}\) where the time limit is hit in solving [eq:indivForm] for at least one \(t\) for each network and \(\epsilon\). Many-IP+HG yields smaller LP values than Many-IP as in [7], so our additional computational study validates our implementation for IP methods employing the valid inequalities in Theorem 1. In particular, the gap in LP values between Many-IP and Many-IP+HG becomes smaller for larger \(L\) and \(\epsilon\) as in [7]. However, Many-IP+HG results in larger verification times than Many-IP, which implies that even though using the inequalities in Theorem 1 improves LP relaxation values, it does not reduce BNN verification time.

References↩︎

[1]
Hubara I, Courbariaux M, Soudry D, El-Yaniv R, Bengio Y (2016) Binarized neural networks. Lee D, Sugiyama M, von Luxburg U, Guyon I, Garnett R, eds., Adv. in Neural Information Processing Systems, volume 29, 4107––4115 (Curran Associates, Inc.).
[2]
Kung J, Zhang D, van der Wal G, Chai S, Mukhopadhyay S (2018) Efficient object detection using embedded binarized neural networks. Journal of Signal Processing Systems 90(6):877–890.
[3]
Ma Y, Xiong H, Hu Z, Ma L (2019) Efficient super resolution using binarized neural network. The IEEE/CVF Conf. on Computer Vision and Pattern Recognition Workshops, 694––703 (IEEE).
[4]
Shridhar K, Jain H, Agarwal A, Kleyko D (2020) End to end binarized neural networks for text classification. Moosavi NS, Fan A, Shwartz V, Glavaš G, Joty S, Wang A, Wolf T, eds., Proc. of SustaiNLP: Workshop on Simple and Efficient Natural Language Processing, 29–34 (Association for Computational Linguistics).
[5]
McDanel B, Teerapittayanon S, Kung HT (2017) Embedded binarized neural networks. Gunningberg P, Voigt T, Mottola L, Lu C, eds., Proc. of the International Conf. on Embedded Wireless Systems and Networks, 168–173 (Junction Publishing).
[6]
Khalil EB, Gupta A, Dilkina B (2019) Combinatorial attacks on binarized neural networks. International Conf. on Learning Representations, https://openreview.net/forum?id=S1lTEh09FQ.
[7]
Han S, Gómez A (2021) Single-neuron convexification for binarized neural networks. https://optimization-online.org/wp-content/uploads/2021/05/8419.pdf, accessed May 27, 2021.
[8]
Lubczyk D, Neto J (2024) Neuron pairs in binarized neural networks robustness verification via integer linear programming. Basu A, Mahjoub AR, Salazar González JJ, eds., Combinatorial Optimization, 305–317 (Springer).
[9]
Fischetti M, Jo J (2018) Deep neural networks and mixed integer linear optimization. Constraints 23(3):296–309.
[10]
Amir G, Wu H, Barrett C, Katz G (2021) An smt-based approach for verifying binarized neural networks. Groote JF, Larsen KG, eds., Tools and Algorithms for the Construction and Analysis of Systems, 203–222 (Springer).
[11]
Jia K, Rinard M (2020) Efficient exact verification of binarized neural networks. Larochelle H, Ranzato M, Hadsell R, Balcan MF, Lin HT, eds., Adv. in Neural Information Processing Systems, volume 33, 1782–1795 (Curran Associates, Inc.).
[12]
Kovásznai G, Gajdár K, Narodytska N (2021) Portfolio solver for verifying binarized neural networks. Annales Mathematicae et Informaticae 53:183–200.
[13]
Narodytska N, Kasiviswanathan S, Ryzhyk L, Sagiv M, Walsh T (2018) Verifying properties of binarized deep neural networks. McIlraith S, Weinberger K, eds., Proc. of the AAAI Conf. on Artificial Intelligence, volume 32, 6615––6624 (AAAI).
[14]
Ivashchenko M, Choi SW, Nguyen LV, Tran HD (2023) Verifying binary neural networks on continuous input space using star reachability. The IEEE International Conf. on Formal Methods in Software Engineering, 7–17 (IEEE).
[15]
Shih A, Darwiche A, Choi A (2019) Verifying binarized neural networks by angluin-style learning. Janota M, Lynce I, eds., Theory and Applications of Satisfiability Testing, 354–370 (Springer).
[16]
Zhang Y, Zhao Z, Chen G, Song F, Chen T (2021) Bdd4bnn: A bdd-based quantitative analysis framework for binarized neural networks. Silva A, Leino KRM, eds., Computer Aided Verification, 175–200 (Springer).
[17]
Geiger L, Team P (2020) Larq: An open-source library for training binarized neural networks. Journal of Open Source Software 5(45):1746.
[18]
Bernardelli AM, Gualandi S, Lau HC, Milanesi S (2023) The bemi stardust: A structured ensemble of binarized neural networks. Sellmann M, Tierney K, eds., Learning and Intelligent Optimization, 443–458 (Springer).
[19]
Toro Icarte R, Illanes L, Castro M, Cire A, McIlraith S, Beck C (2019) Training binarized neural networks using mip and cp. Schiex T, de Givry S, eds., Principles and Practice of Constraint Programming, 401–417 (Springer).
[20]
Martinez B, Yang J, Bulat A, Tzimiropoulos G (2020) Training binary neural networks with real-to-binary convolutions. International Conf. on Learning Representations.
[21]
Tang W, Hua G, Wang L (2017) How to train a compact binary neural network with high accuracy? Singh S, Markovitch S, eds., Proc. of the AAAI Conf. on Artificial Intelligence, volume 31, 2625––2631 (AAAI).
[22]
Mothilal R, Sharma A, Tan C (2020) Explaining machine learning classifiers through diverse counterfactual explanations. Hildebrandt M, Castillo C, Celis E, Ruggieri S, Taylor L, Zanfir-Fortuna G, eds., Conf. on Fairness, Accountability, and Transparency, 607–617 (ACM).
[23]
Wachter S, Mittelstadt B, Russell C (2018) Counterfactual explanations without opening the black box: Automated decisions and the gdpr. Harvard Journal of Law and Technology 31(2):841–888.
[24]
Contardo C, Fukasawa R, Rousseau LM, Vidal T (2024) Optimal counterfactual explanations for k-nearest neighbors using mathematical optimization and constraint programming. Basu A, Mahjoub AR, Salazar González JJ, eds., Combinatorial Optimization, 318–331 (Springer).
[25]
Vivier-Ardisson G, Forel A, Parmentier A, Vidal T (2024) Cf-opt: Counterfactual explanations for structured prediction. https://arxiv.org/pdf/2405.18293, accessed May 28, 2024.
[26]
Balas E (1985) Disjunctive programming and a hierarchy of relaxations for discrete optimization problems. SIAM Journal on Algebraic Discrete Methods 6(3):466–486.

  1. This is equivalent to the standard description of BNN propagation in which the \(+1/-1\) output is defined by the sign function.↩︎

Subjects

Machine Learning (cs.LG)

Optimization and Control (math.OC)

Updated on Academus

2025/10/08 02:52 UTC