当与分支和界限结合使用时，结合的传播方法是正式验证深神经网络（例如正确性，鲁棒性和安全性）的最有效方法之一。但是，现有作品无法处理在传统求解器中广泛接受的切割平面限制的一般形式，这对于通过凸出凸松弛的加强验证者至关重要。在本文中，我们概括了结合的传播程序，以允许添加任意切割平面的约束，包括涉及放宽整数变量的限制，这些变量未出现在现有的结合传播公式中。我们的广义结合传播方法GCP-crown为应用一般切割平面方法}开辟了一个机会进行神经网络验证，同时受益于结合传播方法的效率和GPU加速。作为案例研究，我们研究了由现成的混合整数编程（MIP）求解器生成的切割平面的使用。我们发现，MIP求解器可以生成高质量的切割平面，以使用我们的新配方来增强基于界限的验证者。由于以分支为重点的绑定传播程序和切削平面的MIP求解器可以使用不同类型的硬件（GPU和CPU）并行运行，因此它们的组合可以迅速探索大量具有强切割平面的分支，从而导致强大的分支验证性能。实验表明，与VNN-Comp 2021中最佳工具相比，我们的方法是第一个可以完全求解椭圆形的基准并验证椭圆21基准的两倍的验证者，并且在oval21基准测试中的最佳工具也明显超过了最先进的验证器。广泛的基准。 GCP-Crown是$ \ alpha $，$ \ beta $ -Crown验证者，VNN-COMP 2022获奖者的一部分。代码可在http://papercode.cc/gcp-crown上获得

许多最近的作品已经提出了培训具有本地鲁棒性属性的分类器的方法，这可以针对大多数投入证明可以消除逃离攻击的类别，但并非所有输入。由于数据分发Shift在安全应用程序中非常常见，因此通常观察到恶意软件检测，因此本地鲁棒性无法保证在部署分类器时的未经持续输入。因此，更希望强制实施所有输入的全局鲁棒性属性，这严格强于局部鲁棒性。在本文中，我们为满足全球鲁棒性属性的培训分类器提供了一种框架和工具。我们定义了全局稳健性的新概念，更适合安全分类器。我们设计一个新颖的助推器机构训练框架，以实施全球鲁棒性属性。我们将Classifier构建为逻辑规则的集合，并设计一个新的验证者来验证属性。在我们的训练算法中，助推器增加了分类器的容量，并且固定器在经次引导的电感合成后验证了验证的全局鲁棒性属性。我们表明我们可以培训分类器来满足三个安全数据集的不同全局鲁棒性属性，甚至同时多个属性，对分类器的性能进行适度影响。例如，我们训练Twitter垃圾邮件帐户分类器以满足五个全局鲁棒性属性，而真正的阳性率下降5.4％，而假阳性率的增加0.1％，而不是不满足任何财产的基线XGBoost模型。

基于基于不完整的神经网络验证如冠的绑定传播非常有效，可以显着加速基于神经网络的分支和绑定（BAB）。然而，绑定的传播不能完全处理由昂贵的线性编程（LP）求解器的BAB常规引入的神经元分割限制，导致界限和损伤验证效率。在这项工作中，我们开发了一种基于$ \ beta $ -cra所做的，一种基于新的绑定传播方法，可以通过从原始或双空间构造的可优化参数$ \ beta $完全编码神经元分割。当在中间层中联合优化时，$ \ Beta $ -CROWN通常会产生比具有神经元分裂约束的典型LP验证更好的界限，同时像GPU上的皇冠一样高效且并行化。适用于完全稳健的验证基准，使用BAB的$ \ Beta $ -CROWN比基于LP的BAB方法快三个数量级，并且比所有现有方法更快，同时产生较低的超时率。通过早期终止BAB，我们的方法也可用于有效的不完整验证。与强大的不完整验证者相比，我们始终如一地在许多设置中获得更高的验证准确性，包括基于凸屏障破碎技术的验证技术。与最严重但非常昂贵的Semidefinite编程（SDP）的不完整验证者相比，我们获得了更高的验证精度，验证时间较少三个级。我们的算法授权$ \ alpha，\ \β$ -craft（Alpha-Beta-Crown）验证者，VNN-Comp 2021中的获胜工具。我们的代码可在http://papercode.cc/betacrown提供

Adversarial examples that fool machine learning models, particularly deep neural networks, have been a topic of intense research interest, with attacks and defenses being developed in a tight back-and-forth. Most past defenses are best effort and have been shown to be vulnerable to sophisticated attacks. Recently a set of certified defenses have been introduced, which provide guarantees of robustness to normbounded attacks. However these defenses either do not scale to large datasets or are limited in the types of models they can support. This paper presents the first certified defense that both scales to large networks and datasets (such as Google's Inception network for ImageNet) and applies broadly to arbitrary model types. Our defense, called PixelDP, is based on a novel connection between robustness against adversarial examples and differential privacy, a cryptographically-inspired privacy formalism, that provides a rigorous, generic, and flexible foundation for defense.

Due to the increasing usage of machine learning (ML) techniques in security- and safety-critical domains, such as autonomous systems and medical diagnosis, ensuring correct behavior of ML systems, especially for different corner cases, is of growing importance. In this paper, we propose a generic framework for evaluating security and robustness of ML systems using different real-world safety properties. We further design, implement and evaluate VeriVis, a scalable methodology that can verify a diverse set of safety properties for state-of-the-art computer vision systems with only blackbox access. VeriVis leverage different input space reduction techniques for efficient verification of different safety properties. VeriVis is able to find thousands of safety violations in fifteen state-of-the-art computer vision systems including ten Deep Neural Networks (DNNs) such as Inception-v3 and Nvidia's Dave self-driving system with thousands of neurons as well as five commercial third-party vision APIs including Google vision and Clarifai for twelve different safety properties. Furthermore, VeriVis can successfully verify local safety properties, on average, for around 31.7% of the test images. VeriVis finds up to 64.8x more violations than existing gradient-based methods that, unlike VeriVis, cannot ensure non-existence of any violations. Finally, we show that retraining using the safety violations detected by VeriVis can reduce the average number of violations up to 60.2%.

Deep learning (DL) systems are increasingly deployed in safety-and security-critical domains including self-driving cars and malware detection, where the correctness and predictability of a system's behavior for corner case inputs are of great importance. Existing DL testing depends heavily on manually labeled data and therefore often fails to expose erroneous behaviors for rare inputs.We design, implement, and evaluate DeepXplore, the first whitebox framework for systematically testing real-world DL systems. First, we introduce neuron coverage for systematically measuring the parts of a DL system exercised by test inputs. Next, we leverage multiple DL systems with similar functionality as cross-referencing oracles to avoid manual checking. Finally, we demonstrate how finding inputs for DL systems that both trigger many differential behaviors and achieve high neuron coverage can be represented as a joint optimization problem and solved efficiently using gradientbased search techniques.DeepXplore efficiently finds thousands of incorrect corner case behaviors (e.g., self-driving cars crashing into guard rails and malware masquerading as benign software) in stateof-the-art DL models with thousands of neurons trained on five popular datasets including ImageNet and Udacity selfdriving challenge data. For all tested DL models, on average, DeepXplore generated one test input demonstrating incorrect behavior within one second while running only on a commodity laptop. We further show that the test inputs generated by DeepXplore can also be used to retrain the corresponding DL model to improve the model's accuracy by up to 3%.

We introduce a machine-learning (ML)-based weather simulator--called "GraphCast"--which outperforms the most accurate deterministic operational medium-range weather forecasting system in the world, as well as all previous ML baselines. GraphCast is an autoregressive model, based on graph neural networks and a novel high-resolution multi-scale mesh representation, which we trained on historical weather data from the European Centre for Medium-Range Weather Forecasts (ECMWF)'s ERA5 reanalysis archive. It can make 10-day forecasts, at 6-hour time intervals, of five surface variables and six atmospheric variables, each at 37 vertical pressure levels, on a 0.25-degree latitude-longitude grid, which corresponds to roughly 25 x 25 kilometer resolution at the equator. Our results show GraphCast is more accurate than ECMWF's deterministic operational forecasting system, HRES, on 90.0% of the 2760 variable and lead time combinations we evaluated. GraphCast also outperforms the most accurate previous ML-based weather forecasting model on 99.2% of the 252 targets it reported. GraphCast can generate a 10-day forecast (35 gigabytes of data) in under 60 seconds on Cloud TPU v4 hardware. Unlike traditional forecasting methods, ML-based forecasting scales well with data: by training on bigger, higher quality, and more recent data, the skill of the forecasts can improve. Together these results represent a key step forward in complementing and improving weather modeling with ML, open new opportunities for fast, accurate forecasting, and help realize the promise of ML-based simulation in the physical sciences.

In recent years several learning approaches to point goal navigation in previously unseen environments have been proposed. They vary in the representations of the environments, problem decomposition, and experimental evaluation. In this work, we compare the state-of-the-art Deep Reinforcement Learning based approaches with Partially Observable Markov Decision Process (POMDP) formulation of the point goal navigation problem. We adapt the (POMDP) sub-goal framework proposed by [1] and modify the component that estimates frontier properties by using partial semantic maps of indoor scenes built from images' semantic segmentation. In addition to the well-known completeness of the model-based approach, we demonstrate that it is robust and efficient in that it leverages informative, learned properties of the frontiers compared to an optimistic frontier-based planner. We also demonstrate its data efficiency compared to the end-to-end deep reinforcement learning approaches. We compare our results against an optimistic planner, ANS and DD-PPO on Matterport3D dataset using the Habitat Simulator. We show comparable, though slightly worse performance than the SOTA DD-PPO approach, yet with far fewer data.

Climate change is causing the intensification of rainfall extremes. Precipitation projections with high spatial resolution are important for society to prepare for these changes, e.g. to model flooding impacts. Physics-based simulations for creating such projections are very computationally expensive. This work demonstrates the effectiveness of diffusion models, a form of deep generative models, for generating much more cheaply realistic high resolution rainfall samples for the UK conditioned on data from a low resolution simulation. We show for the first time a machine learning model that is able to produce realistic samples of high-resolution rainfall based on a physical model that resolves atmospheric convection, a key process behind extreme rainfall. By adding self-learnt, location-specific information to low resolution relative vorticity, quantiles and time-mean of the samples match well their counterparts from the high-resolution simulation.

Tumor segmentation in histopathology images is often complicated by its composition of different histological subtypes and class imbalance. Oversampling subtypes with low prevalence features is not a satisfactory solution since it eventually leads to overfitting. We propose to create synthetic images with semantically-conditioned deep generative networks and to combine subtype-balanced synthetic images with the original dataset to achieve better segmentation performance. We show the suitability of Generative Adversarial Networks (GANs) and especially diffusion models to create realistic images based on subtype-conditioning for the use case of HER2-stained histopathology. Additionally, we show the capability of diffusion models to conditionally inpaint HER2 tumor areas with modified subtypes. Combining the original dataset with the same amount of diffusion-generated images increased the tumor Dice score from 0.833 to 0.854 and almost halved the variance between the HER2 subtype recalls. These results create the basis for more reliable automatic HER2 analysis with lower performance variance between individual HER2 subtypes.