CS781: Formal Methods in Machine Learning
Autumn 2024


Instructor Supratik Chakraborty email: supratik [AT] cse ...
Teaching Assistant M. Adarsh Reddy 210050091 [AT] iitb [DOT]...

Announcements

  • Project demo+presentation+viva on Tue, Nov 26, 2.00pm-6.30pm, in CC 101. All students must be present.

Course Information

Machine learning is increasingly being deployed in applications like autonomous driving, unmanned aerial vehicles, automated screening of applicants for jobs, automated screening for loans etc. In most of these applications, there is a need for guarantees on safety, fairness, unbiased-ness in decision making. Existing techniques for developing and training learning models however come with few provable guarantees in this regard. The problem of guaranteeing desirable behaviour of machine learning models is inherently hard, both because state-of-the-art learning models are very large, and also because specifying precise properties of these models, especially for perceptual tasks like image recognition, is difficult. On the other hand, the field of program (and hardware) verification has matured over the last four decades to produce tools that are routinely used in the industry. This course will try to bridge these two areas and teach students how techniques grounded in formal methods, that have been immensely successful in program/hardware verification, can be adapted to reason about guarantees in various machine learning settings. The intent is to introduce students to an area of significant importance that leverages advances in both formal methods and machine learning.

Pre-requisites

UG students CS228, CS213, CS337 or equivalent can be taken along with this course
PG students Either CS433 or CS719 or CS771. CS725 is recommended but not essential

Course Logistics

  • There will be weekly office hours for clearing doubts. You must send email by noon of the office hour day f you wish to attend office hours.
  • Students are required to read the required reading material (roughly 3 hours per week) in order to keep pace with this course.
  • Piazza will be the primary platform for discussion and query answering. Please sign up using the access code announced in class.

Meeting Schedule

Lecture Hours CC 101 Tue and Fri, 5.30-6.55 pm
Office Hours CC 314 Wed, 4-5pm (please send email to instructor if you wish to come for office hour)

Evaluation and assessment

Midsem 25%
Endsem 25%
Project 25%
Quizes + in-class evaluations 25%

  • There will be ungraded homework assignments, that may require use of publicly available tools.
  • All exams/quizes will be open-book. In-class evaluations may not be open-book.
  • If you miss an exam for a genuine reason, contact the instructor immediately.
  • Each graded quiz will carry equal weightage towards the 25% weightage for all quizes.
  • Informal discussion among students for the purpose of clarification is strongly encouraged.
  • There will be zero tolerance for dishonest means like copying solutions from others in any quiz, exam, project. Anybody found indulging in such activities will be summarily awarded an FR grade. The onus will be on the supposed offender to prove his or her innocence.
  • If you are unsure about the distinction between copying and discussion, please read this.

Course project

  • The course project carries 25% marks.
  • Each project will be done by a group of two students. If you absolutely need more than two students in your group, please contact the instructor.
  • Deadline for registering your group with the instructor: Wed, Sep 25, 2024
  • Each project will be based on one of the two topics below:
    1. Local robustness of deep neural networks for image recognition, focusing on spatially correlated input perturbations.
    2. Shield synthesis for reinforcement learning agents, where the shield may occasionally be unable to observe the environment's actions (but it can always observe the agent's actions)
    After choosing one of the two topics, you will finalize the specific problem to be solved in consultation with the instructor. This will require you to identify publicly available tool(s) for solving the problem, and make minor modification/tweaks to parts of the tool to help solve your specific problem. The litmus test will of course be whether your changes/tweaks eventually solve the problem in a manner that can be scaled to large networks. You will demonstrate your work on image recognition networks available in the public domain on image sets that may be a combination of those publicly available and those provided by the instructor.
  • A project submission includes a demo, a presentation and a report.
  • In case a non-trivial problem is solved by a student (or group of students), we keep open the possibility of developing this further and attempting a research paper submission.

Required Reading List

There are no standard reference textbooks in this area. There is an online e-book by Prof. Aws Albarghouthi (Univ of Wisconsin at Madison) that has recently been published and is freely available. We will follow this book for topics that are covered in the book. For other topics, the primary reference will be papers and articles listed below (to be updated as the semester proceeds).
  1. E-book: Introduction to Neural Network Verification by Aws Albarghouthi, 2020
  2. Partial list of papers and articles (all papers below have appeared in conferences and/or journals; however, whenever an extended version was found on arXiv/CoRR, the arxiv citation has been given).
    1. Towards Verified Artificial Intelligence by Sanjit A. Seshia, Dorsa Sadigh and S. Sankar Sastry, 2016.
    2. Formal Specification for Deep Neural Networks by Sanjit Seshia et al.
    3. An Abstract Domain for Certifying Neural Networks by Gagandeep Singh, Timon Gehr, Markus Puschel and Martin Vechev, 2019
    4. Fast and Complete: Enabling Complete Neural Network Verification with Rapid and Massively Parallel Incomplete Verifiers by Kaidi Xu, Huan Zhang, Shiqi Wang, Yihan Wung, Suman Jana, Xue Lin and Cho-Jui Hsieh, 2021
    5. Beta-CROWN: Efficient Bound Propagation with Per-neuron Split Constraints for Neural Network Robustness Verification by Shiqi Wang, Huan Zhang, Kaidi Xu, Xue Lin, Suman Jana, Cho-Jui Hsieh and Zico Kolter, 2021
    6. Safe Reinforcement Learning via Shielding by M. Alshiekh, R. Bloem, R. Ehlers, B. Konighofer, S. Niekum, U. Topcu, 2017
    7. Safe Reinforcement Learning using Probablisitic Shields by N. Jansen, B. Könighofer, S. Junges, A. C. Serban and R. Bloem, 2020
    8. Abduction based Explanations for Machine Learning Models by Alexey Igantiev, Nina Narodytska, Joao Marques Silva, 2018
    9. Synthesizing Pareto-optimal Interpretations for Black-box Models by Hazem Torfah, Shetal Shah, Supratik Chakraborty, Akshay S and Sanjit Seshia, 2020
    10. Monitoring Algorithmic Fairness by Thomas A. Henzinger, Mahyar Karimi, Konstantin Kueffner and Kaushik Mallik, 2023

Tools implementing topics studied in class

Readings for your leisure

Practice problems, Quizes and Exams

Exam/Quiz/Problem set Posted on Answers due by
Practice Problem Set 1    
Quiz 1 (Aut 2023)    
Midsem Exam (Aut 2023)    
Quiz 0 (Aut 2024) Sep 3, 2024, 6:45pm Sep 3, 2024, 7:15pm
Quiz 1 (Aut 2024) with model solutions Sep 11, 2024, 2:10pm Sep 11, 2024, 3:40pm
Midsem Exam (Aut 2024) Sep 18, 2024, 6:30pm Sep 11, 2024, 8:30pm
Practice Problem Set 2    
Quiz 2 (Aut 2024) Nov 6, 2024, 2:00pm Nov 6, 2024, 3:30pm
Endsem Exam (Aut 2024) Nov 19, 2024, 5:30pm Nov 19, 2024, 8:30pm

Lectures and interactions

Date Topic Resources
Jul 30 Introduction to course and logistics; why bother about formal methods in machine learning? Slides
Aug 2 Specifying properties of ML components Slides
Aug 6 More on specifying properties of ML components; importance of abstraction in reasoning about large ML components Slides
Aug 9 More on the theory of abstraction: Galois connection and its properties; illustration with interval abstract domain Same slides as above
Aug 13 Computing abstract transitions; illustrating computation of abstract post-condition of a neural network using interval domain Slides
Aug 16 Discussion on Galois connection, and its use in verifying properties of neural networks. The DeepPoly abstract domain for verifying local robustness properties of neural networks: abstracting ReLUs and complexity of computing linear bounds in terms of inputs DeepPoly paper: Sec 1, 2, 3, 4 (prior to 4.2)
Aug 27 DeepPoly abstract domain: abstracting sigmoids, tanhs, maxpool and affine transformations. Using DeepPoly to verify robustness with correlated perturbation of inputs. DeepPoly paper: Sec 4.2, 4.3, 4.4
Aug 30 Using linear relaxation based perturbation analysis (LiRPA) for obtaining bounds of outputs of neural networks Dual norms: some intuition
ɑ-CROWN paper : Sec 1, 2.1, 2.3
Sep 3 More discussion on ɑ-CROWN; using ɑ-CROWN in conjunction with branch-and-bound, incompleteness in the absence of LP based feasibility checks, building a complete verifier using ɑ-CROWN, LP feasibility checks and branch-and-bound ɑ-CROWN paper : Sec 2.2, 3.1, 3.2, 3.3, 3.4, Appendix A
Sep 4
(Compensation)		 Discussion on computation of matrices in LiRPA approaches; soundness of LiRPA and ɑ-CROWN; re-visiting why LP feasibility checks are necessary for completeness of ɑ-CROWN with branch-and-bound ɑ-CROWN paper : all section; Paper showing computation of matrices: Appendices A, B
Sep 6 Using Lagrangian multipliers to model split ReLU constraints: intuition, formulation, justification β-CROWN paper : Sec 1, 2, 3.1
Sep 7
(Compensation)		 Re-visiting the role of the Lagrangian multiplier in modeling split constraints in β-CROWN; using branch-and-bound with β-CROWN algorithm, and its soundness and completeness β-CROWN paper : Sec 3.1, 3.3, 3.4 (Appendix A for details of bound matrix calculations)
Sep 10 Discussion of Quiz 0 solutions, and solutions to some practice problems, discussion of course projects. Introduction to shield synthesis in reinforcement learning Shield synthesis paper : Sec 1
Sep 13 Discussion of Quiz 1 solutions. Introduction to shielding: preemptive and post-posed shields, basics of reinforcement learning and reactive systems Shield synthesis paper : Sec 1, 2, 3
Sep 24 Recap of basics of reinforcement learning, reactive systems, Mealy machines, infinite games and illustration with water-tank example Shield synthesis paper : Sec 1, 2, 3
Sep 27 Constructing abstractions of MDPs, safety automata and game graphs. An algorithmic view of how to compute winning regions and winning strategies from game graphs Shield synthesis paper : Sec 3, 4
Oct 1 Mealy machine synthesis from game formulation for pre-emptive and post-posed shields, examples of shielded systems in action, how shielding folds into the learning process. Introduction to probabilistic shields, motivation for going beyond non-probabilistic shields Shield synthesis paper : Sec 5, 6, 7, 8
Prob shielding paper : Sec 1, 2
Oct 4 Construction of MDP from observed behaviour of adversaries, computation of action-values, using thresholds to select δ-safe actions, properties of δ-safe shielded MDPs Prob shielding paper : Sec 2, 3.1, 3.2, 3.3
Oct 8 Recap of probabilistic shield synthesis steps, computing minimum probability of reaching an unsafe state in an MDP, overview of techniques used to address scalability concerns Prob shielding paper: Sec 3.3, 3.4, 3.5, 4 (optional)
Oct 11 Introduction to logical abduction based explanation of neural network decisions: modeling networks using first-order formulas, modeling conditional linear constraints using mixed integer linear programming, an iterative abduction procedure. Abductive explanation paper : Sec 1, 2, 3
Slides for abductive explanations
Oct 15 Big-M encoding of conditional linear constraints as MILP; more on finding abductive explanations: subset-minimal and cardinality-minimal explanations, algorithm for each kind of explanation, relation of abductive explanations and adversarial input generation, understanding experimental results Abductive explanation paper : Sec 3, 4, 5
Slides for big-M encoding
Oct 18 The problem of synthesizing "explainable" interpretations of black-box ML models; role of hypothesis class; basics of Probably Approximately Correct (PAC) learning: sample complexity, learning best hypothesis from within hypothesis class, explanation of PAC learning guarantee and how it differs from obtaining an ideal explanation of black-box model Pareto interpretation paper : Sec I, II, IV
Slides
Oct 22 Need for Pareto-optimal (PO) interpretations, finding a single PO point using single-objective optimization techniques; weighted MaxSAT, inter-reduction to integer linear programming, weighted MaxSAT with hard and soft clauses, use in symbolically encoding Pareto-optimal interpretation synthesis; explaining encoding of syntactic requirements of hypothesis class, and of matching of sample output for a given (symbolic interpretation) Pareto interpretation paper : Appendix A, Sec III A, B
Slides
Oct 25 Further discussions on symbolic encoding of Pareto-optimal interpretation as a weighted MaxSAT instance, going from one Pareto point to multiple Pareto points, generalizing to other classes of explanability and correctness measures, making sense of experimental results Pareto interpretation paper : Appendix A, Sec III C, V
Slides
Oct 29 Scaling challenge for FM in ML; Monitoring with guarantees as a pragmatic solution. Markovian assumption, PAC guarantees for monitors, randomized register monitors Monitoring paper: Sec 1, 2
Nov 1 Monitoring Markov chains with guarantees: randomized register monitors (RRM) as probabilistic programs, induced probability on output computed by RRM, definition of RRM states, runs, and semantics; Probabilistic Specification Expressions (PSE) and their use; frequentist monitor synthesis problem definition and illustration Monitoring paper: Sec 2.2, 3.1, 3.2
Nov 5 Discussion of Hoeffding's inequality and its use in synthesis of frequentist monitors; use of auxiliary random variables; monitor synthesis for division-free PSEs and for PSEs with division; taking care of dependent multiplications, addressing space requirements when combining frequent and infrequent sequences of random events Monitoring paper: Sec 4, Appendix A.2
Nov 8 Detailed discussion of frequentist monitoring algorithm. Concluding remarks for course Monitoring paper: Sec 4