Due to the increasing usage of machine learning (ML) techniques in security- and safety-critical domains, such as autonomous systems and medical diagnosis, ensuring correct behavior of ML systems, especially for different corner cases, is of growing importance. In this paper, we propose a generic framework for evaluating security and robustness of ML systems using different real-world safety properties. We further design, implement and evaluate VeriVis, a scalable methodology that can verify a diverse set of safety properties for state-of-the-art computer vision systems with only blackbox access. VeriVis leverage different input space reduction techniques for efficient verification of different safety properties. VeriVis is able to find thousands of safety violations in fifteen state-of-the-art computer vision systems including ten Deep Neural Networks (DNNs) such as Inception-v3 and Nvidia's Dave self-driving system with thousands of neurons as well as five commercial third-party vision APIs including Google vision and Clarifai for twelve different safety properties. Furthermore, VeriVis can successfully verify local safety properties, on average, for around 31.7% of the test images. VeriVis finds up to 64.8x more violations than existing gradient-based methods that, unlike VeriVis, cannot ensure non-existence of any violations. Finally, we show that retraining using the safety violations detected by VeriVis can reduce the average number of violations up to 60.2%.

Deep learning (DL) systems are increasingly deployed in safety-and security-critical domains including self-driving cars and malware detection, where the correctness and predictability of a system's behavior for corner case inputs are of great importance. Existing DL testing depends heavily on manually labeled data and therefore often fails to expose erroneous behaviors for rare inputs.We design, implement, and evaluate DeepXplore, the first whitebox framework for systematically testing real-world DL systems. First, we introduce neuron coverage for systematically measuring the parts of a DL system exercised by test inputs. Next, we leverage multiple DL systems with similar functionality as cross-referencing oracles to avoid manual checking. Finally, we demonstrate how finding inputs for DL systems that both trigger many differential behaviors and achieve high neuron coverage can be represented as a joint optimization problem and solved efficiently using gradientbased search techniques.DeepXplore efficiently finds thousands of incorrect corner case behaviors (e.g., self-driving cars crashing into guard rails and malware masquerading as benign software) in stateof-the-art DL models with thousands of neurons trained on five popular datasets including ImageNet and Udacity selfdriving challenge data. For all tested DL models, on average, DeepXplore generated one test input demonstrating incorrect behavior within one second while running only on a commodity laptop. We further show that the test inputs generated by DeepXplore can also be used to retrain the corresponding DL model to improve the model's accuracy by up to 3%.

背景信息：在过去几年中，机器学习（ML）一直是许多创新的核心。然而，包括在所谓的“安全关键”系统中，例如汽车或航空的系统已经被证明是非常具有挑战性的，因为ML的范式转变为ML带来完全改变传统认证方法。目的：本文旨在阐明与ML为基础的安全关键系统认证有关的挑战，以及文献中提出的解决方案，以解决它们，回答问题的问题如何证明基于机器学习的安全关键系统？'方法：我们开展2015年至2020年至2020年之间发布的研究论文的系统文献综述（SLR），涵盖了与ML系统认证有关的主题。总共确定了217篇论文涵盖了主题，被认为是ML认证的主要支柱：鲁棒性，不确定性，解释性，验证，安全强化学习和直接认证。我们分析了每个子场的主要趋势和问题，并提取了提取的论文的总结。结果：单反结果突出了社区对该主题的热情，以及在数据集和模型类型方面缺乏多样性。它还强调需要进一步发展学术界和行业之间的联系，以加深域名研究。最后，它还说明了必须在上面提到的主要支柱之间建立连接的必要性，这些主要柱主要主要研究。结论：我们强调了目前部署的努力，以实现ML基于ML的软件系统，并讨论了一些未来的研究方向。

Adversarial examples that fool machine learning models, particularly deep neural networks, have been a topic of intense research interest, with attacks and defenses being developed in a tight back-and-forth. Most past defenses are best effort and have been shown to be vulnerable to sophisticated attacks. Recently a set of certified defenses have been introduced, which provide guarantees of robustness to normbounded attacks. However these defenses either do not scale to large datasets or are limited in the types of models they can support. This paper presents the first certified defense that both scales to large networks and datasets (such as Google's Inception network for ImageNet) and applies broadly to arbitrary model types. Our defense, called PixelDP, is based on a novel connection between robustness against adversarial examples and differential privacy, a cryptographically-inspired privacy formalism, that provides a rigorous, generic, and flexible foundation for defense.

由于机器学习（ML）系统变得普遍存在，因此保护其安全性至关重要。然而，最近已经证明，动机的对手能够通过使用语义转换扰乱测试数据来误导ML系统。虽然存在丰富的研究机构，但为ML模型提供了可提供的稳健性保证，以防止$ \ ell_p $ norm界限对抗对抗扰动，抵御语义扰动的保证仍然很广泛。在本文中，我们提供了TSS - 一种统一的框架，用于针对一般对抗性语义转换的鲁棒性认证。首先，根据每个转换的性质，我们将常见的变换划分为两类，即可解决的（例如，高斯模糊）和差异可解的（例如，旋转）变换。对于前者，我们提出了特定于转型的随机平滑策略并获得强大的稳健性认证。后者类别涵盖涉及插值错误的变换，我们提出了一种基于分层采样的新方法，以证明稳健性。我们的框架TSS利用这些认证策略并结合了一致性增强的培训，以提供严谨的鲁棒性认证。我们对十种挑战性语义转化进行了广泛的实验，并表明TSS显着优于现有技术。此外，据我们所知，TSS是第一种在大规模想象数据集上实现非竞争认证稳健性的方法。例如，我们的框架在ImageNet上实现了旋转攻击的30.4％认证的稳健准确性（在$ \ PM 30 ^ \ CIC $）。此外，要考虑更广泛的转换，我们展示了TSS对自适应攻击和不可预见的图像损坏，例如CIFAR-10-C和Imagenet-C。

自动驾驶汽车和卡车，自动车辆（AVS）不应被监管机构和公众接受，直到它们对安全性和可靠性有更高的信心 - 这可以通过测试最实际和令人信服地实现。但是，现有的测试方法不足以检查AV控制器的端到端行为，涉及与诸如行人和人机车辆等多个独立代理的交互的复杂，现实世界的角落案件。在街道和高速公路上的测试驾驶AVS无法捕获许多罕见的事件时，现有的基于仿真的测试方法主要关注简单的情景，并且不适合需要复杂的周围环境的复杂驾驶情况。为了解决这些限制，我们提出了一种新的模糊测试技术，称为AutoFuzz，可以利用广泛使用的AV模拟器的API语法。生成语义和时间有效的复杂驾驶场景（场景序列）。 AutoFuzz由API语法的受限神经网络（NN）进化搜索引导，以生成寻求寻找独特流量违规的方案。评估我们的原型基于最先进的学习的控制器，两个基于规则的控制器和一个工业级控制器，显示了高保真仿真环境中高效地找到了数百个流量违规。此外，通过AutoFuzz发现的基于学习的控制器进行了微调的控制器，成功减少了新版本的AV控制器软件中发现的流量违规。

深度神经网络（DNN）的巨大进步导致了各种任务的最先进的性能。然而，最近的研究表明，DNNS容易受到对抗的攻击，这在将这些模型部署到自动驾驶等安全关键型应用时，这使得非常关注。已经提出了不同的防御方法，包括：a）经验防御，通常可以在不提供稳健性认证的情况下再次再次攻击; b）可认真的稳健方法，由稳健性验证组成，提供了在某些条件下的任何攻击和相应的强大培训方法中的稳健准确性的下限。在本文中，我们系统化了可认真的稳健方法和相关的实用和理论意义和调查结果。我们还提供了在不同数据集上现有的稳健验证和培训方法的第一个全面基准。特别是，我们1）为稳健性验证和培训方法提供分类，以及总结代表性算法的方法，2）揭示这些方法中的特征，优势，局限性和基本联系，3）讨论当前的研究进展情况TNN和4的可信稳健方法的理论障碍，主要挑战和未来方向提供了一个开放的统一平台，以评估超过20种代表可认真的稳健方法，用于各种DNN。

深度神经网络容易受到来自对抗性投入的攻击，并且最近，特洛伊木马误解或劫持模型的决定。我们通过探索有界抗逆性示例空间和生成的对抗网络内的自然输入空间来揭示有界面的对抗性实例 - 通用自然主义侵害贴片的兴趣类 - 我们呼叫TNT。现在，一个对手可以用一个自然主义的补丁来手臂自己，不太恶意，身体上可实现，高效 - 实现高攻击成功率和普遍性。 TNT是普遍的，因为在场景中的TNT中捕获的任何输入图像都将：i）误导网络（未确定的攻击）;或ii）迫使网络进行恶意决定（有针对性的攻击）。现在，有趣的是，一个对抗性补丁攻击者有可能发挥更大的控制水平 - 选择一个独立，自然的贴片的能力，与被限制为嘈杂的扰动的触发器 - 到目前为止只有可能与特洛伊木马攻击方法有可能干扰模型建设过程，以嵌入风险发现的后门;但是，仍然意识到在物理世界中部署的补丁。通过对大型视觉分类任务的广泛实验，想象成在其整个验证集50,000张图像中进行评估，我们展示了TNT的现实威胁和攻击的稳健性。我们展示了攻击的概括，以创建比现有最先进的方法实现更高攻击成功率的补丁。我们的结果表明，攻击对不同的视觉分类任务（CIFAR-10，GTSRB，PUBFIG）和多个最先进的深神经网络，如WieredEnet50，Inception-V3和VGG-16。

从数据中学到的分类器越来越多地用作安全是关键问题的系统中的组件。在这项工作中，我们通过称为安全订购约束的约束来提出针对分类器的正式安全概念。这些限制条件将分类器输出的类输出的顺序与输入的条件有关，并且表达足以编码文献中分类器安全规范的各种有趣的示例。对于使用神经网络实施的分类器，我们还提出了一种运行时机制，用于执行安全订购约束。我们的方法基于一个自我校正层，该层可证明，无论分类器输入的特征如何，它都可以产生安全的输出。我们将此层与现有的神经网络分类器组成，以构建自我校正网络（SC-NET），并证明除了提供安全的输出外，SC-NET还可以保证尽可能保留原始网络的分类精度。我们的方法独立于用于分类的神经网络的大小和体系结构，仅取决于指定的属性和网络输出的尺寸；因此，它可扩展到大型最新网络。我们表明，我们的方法可以针对GPU进行优化，从而在当前硬件上引入了少于1ms的运行时开销 - 即使在包含数十万个神经元和数百万参数的大型，广泛使用的网络上。

关键应用程序中机器学习（ML）组件的集成引入了软件认证和验证的新挑战。正在开发新的安全标准和技术准则，以支持基于ML的系统的安全性，例如ISO 21448 SOTIF用于汽车域名，并保证机器学习用于自主系统（AMLAS）框架。 SOTIF和AMLA提供了高级指导，但对于每个特定情况，必须将细节凿出来。我们启动了一个研究项目，目的是证明开放汽车系统中ML组件的完整安全案例。本文报告说，Smikk的安全保证合作是由行业级别的行业合作的，这是一个基于ML的行人自动紧急制动示威者，在行业级模拟器中运行。我们演示了AMLA在伪装上的应用，以在简约的操作设计域中，即，我们为其基于ML的集成组件共享一个完整的安全案例。最后，我们报告了经验教训，并在开源许可下为研究界重新使用的开源许可提供了傻笑和安全案例。

在安全 - 关键的深度学习应用中，鲁棒性测量是一个至关重要的前部阶段。但是，现有的鲁棒性验证方法对于在现实世界中部署机器学习系统不足以实用。一方面，这些方法试图声称没有扰动可以``傻瓜''深神经网络（DNNS），这在实践中可能太严格了。另一方面，现有作品严格考虑像素空间上的$ l_p $有界的添加剂扰动，尽管扰动（例如颜色转换和几何变换）在现实世界中更实际且经常发生。因此，从实际的角度来看，我们提出了一种基于适应性浓度的新颖和一般{\ IT概率的稳健性评估方法}（ProA），并且可以测量深度学习模型对功能扰动的鲁棒性。 PROA可以根据模型的概率鲁棒性提供统计保证，\ textit {i.e。}，部署后训练有素的模型遇到的失败概率。我们的实验证明了PAA在评估对广泛功能扰动的概率鲁棒性方面的有效性和灵活性，并且与现有的最新基准相比，POA可以很好地扩展到各种大型深度神经网络。为了重现性，我们在github上发布工具：\ url {https://github.com/trustai/proa}。

神经网络已广泛应用于垃圾邮件和网络钓鱼检测，入侵预防和恶意软件检测等安全应用程序。但是，这种黑盒方法通常在应用中具有不确定性和不良的解释性。此外，神经网络本身通常容易受到对抗攻击的影响。由于这些原因，人们对可信赖和严格的方法有很高的需求来验证神经网络模型的鲁棒性。对抗性的鲁棒性在处理恶意操纵输入时涉及神经网络的可靠性，是安全和机器学习中最热门的主题之一。在这项工作中，我们在神经网络的对抗性鲁棒性验证中调查了现有文献，并在机器学习，安全和软件工程领域收集了39项多元化研究工作。我们系统地分析了它们的方法，包括如何制定鲁棒性，使用哪种验证技术以及每种技术的优势和局限性。我们从正式验证的角度提供分类学，以全面理解该主题。我们根据财产规范，减少问题和推理策略对现有技术进行分类。我们还展示了使用样本模型在现有研究中应用的代表性技术。最后，我们讨论了未来研究的开放问题。

我们开发DeepTraversal，一个反馈驱动的框架来测试DNN。DeepTraversal首先启动离线阶段，以将各种形式的媒体数据映射到歧管。然后，在其在线测试阶段，DeameTraversal遍历准备的歧管空间以最大化DNN覆盖标准和触发预测误差。在我们的评估中，使用DNN执行各种任务（例如，分类，自动驾驶，机器翻译）和不同类型（图像，音频，文本）的媒体数据。DeepTraversal表现出比现有的方法相对于流行DNN覆盖标准的方法更好，并且它可以发现更大的数量和更高质量的错误触发输入。经过测试的DNN模型，经过深度干扰的调查结果，实现更好的准确性

Deep neural networks (DNNs) are currently widely used for many artificial intelligence (AI) applications including computer vision, speech recognition, and robotics. While DNNs deliver state-of-the-art accuracy on many AI tasks, it comes at the cost of high computational complexity. Accordingly, techniques that enable efficient processing of DNNs to improve energy efficiency and throughput without sacrificing application accuracy or increasing hardware cost are critical to the wide deployment of DNNs in AI systems.This article aims to provide a comprehensive tutorial and survey about the recent advances towards the goal of enabling efficient processing of DNNs. Specifically, it will provide an overview of DNNs, discuss various hardware platforms and architectures that support DNNs, and highlight key trends in reducing the computation cost of DNNs either solely via hardware design changes or via joint hardware design and DNN algorithm changes. It will also summarize various development resources that enable researchers and practitioners to quickly get started in this field, and highlight important benchmarking metrics and design considerations that should be used for evaluating the rapidly growing number of DNN hardware designs, optionally including algorithmic co-designs, being proposed in academia and industry.The reader will take away the following concepts from this article: understand the key design considerations for DNNs; be able to evaluate different DNN hardware implementations with benchmarks and comparison metrics; understand the trade-offs between various hardware architectures and platforms; be able to evaluate the utility of various DNN design techniques for efficient processing; and understand recent implementation trends and opportunities.

机器学习算法和深度神经网络在几种感知和控制任务中的卓越性能正在推动该行业在安全关键应用中采用这种技术，作为自治机器人和自动驾驶车辆。然而，目前，需要解决几个问题，以使深入学习方法更可靠，可预测，安全，防止对抗性攻击。虽然已经提出了几种方法来提高深度神经网络的可信度，但大多数都是针对特定类的对抗示例量身定制的，因此未能检测到其他角落案件或不安全的输入，这些输入大量偏离训练样本。本文介绍了基于覆盖范式的轻量级监控架构，以增强针对不同不安全输入的模型鲁棒性。特别是，在用于评估多种检测逻辑的架构中提出并测试了四种覆盖分析方法。实验结果表明，该方法有效地检测强大的对抗性示例和分销外输入，引入有限的执行时间和内存要求。

我们提出了一个新颖的框架，用于在感知任务上为神经网络指定和验证全球的正确性。关于感知任务的神经网络验证的大多数工作都集中在鲁棒性验证上。与鲁棒性验证不同，旨在验证网络的预测在标记点周围的某些本地区域中稳定，我们的框架提供了一种在整个目标输入空间中全球指定正确性的方法，并验证网络是否适用于所有目标输入是否正确（或找到网络不正确的区域）。我们通过1）由世界所有相关状态组成的状态空间以及2）观察过程产生来自世界各州的神经网络输入。用有限数量的瓷砖铺平状态和输入空间，从状态瓷砖和网络输出范围从输入图块获得地面真相界限，然后比较地面真相和网络输出范围，在网络输出误差上为任何任何内容提供了上限感兴趣的输入。提出的框架还启用了检测非法输入 - 未包含（或接近）目标输入空间中未包含的输入，如状态空间和观察过程（神经网络不是为了在其上使用的），以便我们我们当我们无法保证时可以标记。两个案例研究的结果突出了我们技术验证整个目标输入空间上误差界限的能力，并显示误差界限如何在状态和输入空间上变化。

Deep neural networks (DNNs) have demonstrated superior performance over classical machine learning to support many features in safety-critical systems. Although DNNs are now widely used in such systems (e.g., self driving cars), there is limited progress regarding automated support for functional safety analysis in DNN-based systems. For example, the identification of root causes of errors, to enable both risk analysis and DNN retraining, remains an open problem. In this paper, we propose SAFE, a black-box approach to automatically characterize the root causes of DNN errors. SAFE relies on a transfer learning model pre-trained on ImageNet to extract the features from error-inducing images. It then applies a density-based clustering algorithm to detect arbitrary shaped clusters of images modeling plausible causes of error. Last, clusters are used to effectively retrain and improve the DNN. The black-box nature of SAFE is motivated by our objective not to require changes or even access to the DNN internals to facilitate adoption.Experimental results show the superior ability of SAFE in identifying different root causes of DNN errors based on case studies in the automotive domain. It also yields significant improvements in DNN accuracy after retraining, while saving significant execution time and memory when compared to alternatives. CCS Concepts: • Software and its engineering → Software defect analysis; • Computing methodologies → Machine learning.

Deep neural networks have achieved impressive experimental results in image classification, but can surprisingly be unstable with respect to adversarial perturbations, that is, minimal changes to the input image that cause the network to misclassify it. With potential applications including perception modules and end-to-end controllers for self-driving cars, this raises concerns about their safety. We develop a novel automated verification framework for feed-forward multi-layer neural networks based on Satisfiability Modulo Theory (SMT). We focus on safety of image classification decisions with respect to image manipulations, such as scratches or changes to camera angle or lighting conditions that would result in the same class being assigned by a human, and define safety for an individual decision in terms of invariance of the classification within a small neighbourhood of the original image. We enable exhaustive search of the region by employing discretisation, and propagate the analysis layer by layer. Our method works directly with the network code and, in contrast to existing methods, can guarantee that adversarial examples, if they exist, are found for the given region and family of manipulations. If found, adversarial examples can be shown to human testers and/or used to fine-tune the network. We implement the techniques using Z3 and evaluate them on state-of-the-art networks, including regularised and deep learning networks. We also compare against existing techniques to search for adversarial examples and estimate network robustness.

Although Deep Neural Networks (DNNs) have achieved impressive results in computer vision, their exposed vulnerability to adversarial attacks remains a serious concern. A series of works has shown that by adding elaborate perturbations to images, DNNs could have catastrophic degradation in performance metrics. And this phenomenon does not only exist in the digital space but also in the physical space. Therefore, estimating the security of these DNNs-based systems is critical for safely deploying them in the real world, especially for security-critical applications, e.g., autonomous cars, video surveillance, and medical diagnosis. In this paper, we focus on physical adversarial attacks and provide a comprehensive survey of over 150 existing papers. We first clarify the concept of the physical adversarial attack and analyze its characteristics. Then, we define the adversarial medium, essential to perform attacks in the physical world. Next, we present the physical adversarial attack methods in task order: classification, detection, and re-identification, and introduce their performance in solving the trilemma: effectiveness, stealthiness, and robustness. In the end, we discuss the current challenges and potential future directions.

Neural networks provide state-of-the-art results for most machine learning tasks. Unfortunately, neural networks are vulnerable to adversarial examples: given an input x and any target classification t, it is possible to find a new input x that is similar to x but classified as t. This makes it difficult to apply neural networks in security-critical areas. Defensive distillation is a recently proposed approach that can take an arbitrary neural network, and increase its robustness, reducing the success rate of current attacks' ability to find adversarial examples from 95% to 0.5%.In this paper, we demonstrate that defensive distillation does not significantly increase the robustness of neural networks by introducing three new attack algorithms that are successful on both distilled and undistilled neural networks with 100% probability. Our attacks are tailored to three distance metrics used previously in the literature, and when compared to previous adversarial example generation algorithms, our attacks are often much more effective (and never worse). Furthermore, we propose using high-confidence adversarial examples in a simple transferability test we show can also be used to break defensive distillation. We hope our attacks will be used as a benchmark in future defense attempts to create neural networks that resist adversarial examples.