A standing challenge for the adoption of machine learning (ML) techniques in safety-related applications is that misbehaviors can be hardly ruled out with traditional analytical or probabilistic techniques. In previous contributions of ours, we have shown how to deal with safety requirements considering both Multi-Layer Perceptrons (MLPs) and Support Vector Machines (SVMs), two of the most effective and well-known ML techniques. The key to provide safety guarantees for MLPs and SVMs is to combine Satisfiability Modulo Theory (SMT) solvers with suitable abstraction techniques. The purpose of this paper is to provide an overview of problems and related solution techniques when it comes to guarantee that the input-output function of trained computational models will behave according to specifications. We also summarize experimental results showing what can be effectively assessed in practice using state-of-the-art SMT solvers. Our empirical results are the starting point to introduce some open questions that we believe should be considered in future research about learning with safety requirements.
Machine learning (ML) techniques are adopted in a wide range of research and
engineering domains. For instance, artificial agents that act in physical domains can be
equipped with learning capabilities in order to acquire the dynamics of interest, thus
saving developers from the burden of devising explicit models — see [
In previous contributions of ours we have shown effective approaches to learning
with safety requirements. In particular, in [
In all the contributions above, the problem of providing safety guarantees is
encoded to formulas that can be solved automatically by Satisfiability Modulo Theory
(SMT) solvers [
The experimental assessment that we present considers SMT encodings obtained
from different verification problems. In the case of MLPs, the encodings are related to
control subsystems in the humanoids James [
The remainder of this paper is organized as follows. Section 2 gives background
notions on MLPs, SVRs, and SMT solvers. Section 3 summarizes the abstractions
introduced in [
A Multi-Layer Perceptron (MLP) is a function ν : Rn → Rm obtained by feeding
n inputs through a network of neurons, i.e., computational units arranged in multiple
layers ending with m outputs, where each neuron is characterized by an activation
function σ : R → R. We consider networks with only three cascaded layers, namely
input, hidden, and output layer, so that there are always n neurons in the input layer, and
m neurons in the output layer. Let x = (x1, . . . , xn) be the input signal to the network
ν. We assume that input neurons compute the activation function σ(r) = r, i.e., their
task is simply to pass forward the components of the input signal. Let h denote the
number of hidden neurons, then the input of the j-th hidden neuron is
rj =
n
X ajixi + bj
i=1
j = {1, . . . , h}
where aji is the weight of the connection from the i-th neuron in the input layer (1 ≤
i ≤ n) to the j-th neuron in the hidden layer, and the constant bj is the bias of the j-th
neuron. We denote with A = {a11, a12, . . . a1n, . . . , ah1, ah2, . . . ahn} and with B =
{b1, . . . , bh} the corresponding sets of weights. The activation function σh computed
by hidden neurons is a non-constant, bounded and continuous function of its input.
According to [
The key aspect of MLPs is that the sets of parameters A, B, C, D are not manually determined but are computed using an iterative optimization procedure known as training. Let R be a training set comprised of t pairs R = {(x1, y1), . . . (xl, yl)} where for each 1 ≤ i ≤ l, the vector xi is some input signal (pattern) and yi is the corresponding output signal (label). If we assume that R is generated by some unknown function f : Rn → Rm, then we can see training as a way of extrapolating the unknown function f from the signals in the training set. The goal of training is to determine the parameters A, B, C, D which maximize similarity between ν(x) and y for each pair (x, y) ∈ R. 2.2
Support Vector Regression (SVR) is a supervised learning paradigm, whose
mathematical foundations are derived from Support Vector Machine (SVM) [
ν(x) = w · x + b with w ∈ X , b ∈ R
such that ν(x) deviates at most ε from the targets yi ∈ T with kwk as small as possible.
A solution to this problem is presented in [
In order to solve the above stated optimization problem one can use the standard dualization method using Lagrange multipliers. The Lagrange function writes where ηi, ηi∗, αi, αi∗ are Lagrange multipliers. Solving the dual problem allows to rewrite (3) as
l ν(x) = X(αi − αi∗)xi · x + b (6)
i=1 The algorithm can be modified to handle non-linear cases. This could be done by mapping the input samples xi into some feature space F by means of a map Φ : X → F . However this approach can easily become computationally unfeasible for high dimensionality of the input data. A better solution can be obtained by applying the so-called kernel trick. Observing eq. (6) it is possible to see that the SVR algorithm only depends on dot products between patterns xi. Hence it suffices to know the function K(x, x0) = Φ(x) · Φ(x0) rather than Φ explicitly. By introducing this idea the optimization problem can be rewritten, leading to the non-linear version of (6): ν(x) =
l
X(αi − αi∗)K(xi, x) + b
i=1
where K(·) is called kernel function as long as it fulfills some additional conditions —
see, e.g., [
A Constraint Satisfaction Problem (CSP) [
atom → bound | equation
bound → value relop value
relop → < | ≤ | = | ≥ | >
value → var | - var | const
equation → var = value - value
| var = value + value
| var = const · value
where const is a real value, and var is the name of a (real-valued) variable. Formally, this
grammar defines a fragment of linear arithmetic over real numbers known as
QuantifierFree Linear Arithmetic over Reals (QF LRA) [
From a semantical point of view, let X be a set of real-valued variables, and μ be an assignment of values to the variables in X, i.e., a partial function μ : X → R. For all μ, we assume that μ(c) = c for every c ∈ R, and that relopμ, +μ, −μ, ·μ denote the standard interpretations of relational and arithmetic operators over real numbers. Linear constraints are thus interpreted as follows: – A constraint (a1 . . . an) is true exactly when at least one of the atoms ai with i ∈ {1, . . . , n} is true. – Given x, y ∈ X ∪ R, an atom x relop y is true exactly when μ(x) relopμ μ(y) holds. – Given x ∈ X, y, z ∈ X ∪ R, and c ∈ R • x = y z with ∈ {+, −} is true exactly when μ(x) =μ μ(y) μ μ(z), • x = c · y is true exactly when μ(x) =μ μ(c) ·μ μ(y), Given an assignment, a constraint is thus a function that returns a Boolean value. A constraint is satisfied if it is true under a given assignment, and it is violated otherwise. A constraint network is satisfiable if it exists an assignment that satisfies all the constraints in the network, and unsatisfiable otherwise.
While different approaches are available to solve CSPs, this work is confined to
Satisfiability Modulo Theories (SMT) [
Research on learning with safety requirements has the objective of verifying trained MLPs/SVRs, i.e., guarantee that, given some input preconditions, the mapping ν respects stated output postconditions. In principle, this check can be automated in a suitable formal logic L by proving
|=L ∀x (π(x) → ϕ(ν(x)))
where π and ϕ are formulas in L expressing preconditions on input signals and
postconditions on output signals, respectively. Most often, activation functions for MLPs
are non-linear and transcendental and so are kernels for SVRs, which makes (8)
undecidable if L is chosen to be expressive enough to model such functions – see, e.g., [
|=L0 ∀x0 (π˜(x0) → ϕ˜(ν˜(x0))) is decidable, and (8) holds whenever (9) holds. If this is not the case, then there is some abstract input x0 such that π˜(x) is satisfied, but the abstract output ν˜(x0) violates ϕ˜. There are two cases: – If a concrete input x can be extracted from x0 such that also ν(x) violates ϕ, then x0 is a realizable counterexample, and ν fails to uphold (8). – On the other hand, if no concrete input x can be extracted such that ν(x) violates ϕ, then x0 is a spurious counterexample.
Spurious counterexamples arise because an abstract MLP/SVR ν˜ is “more permissive”
than its concrete counterpart ν. In this case, a refinement is needed, i.e., a new
abstraction “tighter” than ν˜ must be computed and checked. We call this
abstractionrefinement loop Counter-Example Triggered Abstraction Refinement (CETAR) in [
Details about the definition ofν˜ for MLPs in such a way that L0=QF LRA, as well as
details of preconditions and postconditions to be checked, with related abstractions, are
(8)
(9)
provided in [
To abstract the RBF kernel K, we observe that (10) corresponds to a Gaussian distribution G(μ, σ) with mean μ = xi — the i-th support vector of ς — and variance σ2 = 21γ . Given a real-valued abstraction parameter p, let us consider the interval [x, x+ p]. It is possible to show that the maximum and minimum of G(μ, σ) restricted to [x, x+ p] lie in the external points of such interval, unless μ ∈ [x, x + p] in which case the maximum of G lies in x = μ. The abstraction K˜p is complete once we consider two points x0, x1 with x0 < μ < x1 defined as the points in which G(xi) G(μ) with i ∈ 0, 1, where by “ a b” we mean that a is at least one order of magnitude smaller than b 3. We define theabstract kernel function for the i-th support vector as [min(G(x), G(x + p)), G(μ)] if μ ∈ [x, x + p] ⊂ [x0, x1] K˜p([x, x+p]) = [min(G(x), G(x + p)), max(G(x), G(x + p))] if μ ∈/ [x, x + p] ⊂ [x0, x1] [0, G(x0)] otherwise (11) According to eq. (11), p controls to what extent K˜p over-approximates K since large values of p correspond to coarse-grained abstractions and small values of p to finegrained ones. A pictorial representation of eq. (11) is given in figure 1. The abstract 3 Given a Gaussian distribution, 99.7% of its samples lie within ±3σ. In this case however, our RBF formulation does not include any normalization factor and stopping at ±3σ would not be sufficient to include all relevant samples. The heuristics described in the text was therefore adopted to solve the problem. SVR ς˜p is defined rewriting equation (7) as (12) (13) (14) (15) ς˜p =
l X(αi − αi∗)K˜p(xi, x) + b
i where we abuse notation and use conventional arithmetic symbols to denote their interval arithmetic counterparts.
It is easy to see that every abstract SVR ς˜p can be modeled in QF LRA. Let us
consider a concrete SVR ς : [
then (Ki ≥ 0) (Ki ≤ G(x0)) . . . if (x1 < x)
then (Ki ≥ 0) (Ki ≤ G(x0)) . . . if (0 < x)(x ≤ 0.5)
then (Ki ≥ min(G(0), G(0.5)) (Ki ≤ max(G(0), G(0.5))
The expression “ if t1 . . . tm then a1 . . . an” is an abbreviation for the set of constraints where t1, . . . , tm and a1, . . . an are atoms expressing bound on variables, and ¬ is Boolean negation (e.g., ¬(x < y) is (x ≥ y)). Finally, the output of the SVR is just f (x) = hα1 − α1∗iKi(x1, x) + . . . + hαn − αn∗iKn(xn, x) + hbi (16) with x1, . . . , xn being the support vectors of ς 3.2
As mentioned previously, verification of MLPs and SVRs amounts to answer a
logical query. In this subsection, we summarize the three different verification problems –
namely, global safety, local safety, and stability – as introduced in [
We say that an MLP/SVR ν is globally safe if condition (8) holds when π and ϕ are defined as above. This notion of (global) safety is representative of all the cases in which an out-of-range response is unacceptable, such as, e.g., minimum and maximum reach of an industrial manipulator, lowest and highest percentage of a component in a mixture, and minimum and maximum dose of a drug that can be administered to a patient.
Local safety The need to check for global safety in MLPs can be mitigated using bounded activation functions in the output neurons to “squash” their response within an acceptable range, modulo rescaling. In principle, the same trick could be applied to SVRs as well, even if it is much less commonly adopted. A more stringent, yet necessary, requirement is thus represented by “local” safety. Informally speaking, we can say that an MLP/SVR ν trained on a dataset R of t patterns is “locally safe” whenever given an input pattern x∗ 6= x for all (x, y) ∈ R it turns out that ν(x∗) is “close” to yj as long as x∗ is “close” to xj and (xj , yj ) ∈ R for some j ∈ {1, . . . , t}. Local safety cannot be guaranteed by design, because the range of acceptable values varies from point to point. Moreover, it is relevant in all those applications where the error of an MLP/SVR must never exceeds a given bound on yet-to-be-seen inputs, and where the response of an MLP must be stable with respect to small perturbations in its input in the neighborhood of “known” patterns.
Stability While local safety allows to analyze the response of a network even in the presence of bounded-output MLPs/SVRs, it suffers from two important limitations. – It does not take into account the whole input domain, i.e., if a pattern falls out the union of the input polytopes, then nothing can be said about the quality of the response. – It is tied to a specific training set, i.e., changing the set of patterns used to train the network can change the response of the safety check.
These two limitations are important in practice, in particular when the availability of training data is scarce so the chance of hitting “unseen” patterns is high, or when the training set is very sparse so the chance of having large regions of uncovered input space is high. One way to overcome these limitations is to keep the locality of the check, i.e., small input variations must correspond to small output variations, but drop
Family ICUB LOGI ICUB RAMP ICUB TANH JAMES LOGI JAMES RAMP JAMES TANH
N Overall
# the dependency from the training set, i.e., check the whole input space. Formally, given a trained model ν : I → O we definestability as follows where δ, ∈ R+ are two arbitrary constants which define the amount of variation that we allow in the input and the corresponding perturbation of the output. We observe that condition (18) requires non linear arithmetic to express the scalar product of the difference vectors. In other words, once fixed x1, we have that x2 must be contained in an hypersphere of radius δ centered in x1 – and similarly for ν(x1), ν(x2) and . An overapproximation of such hypersphere, and thus a consistent abstraction of (18), is any convex polyhedra in which the hypersphere is contained. The degree of abstraction can be controlled by setting the number of facets of the polyhedra, and such an abstract condition can be expressed in QF LRA.
As reported in [
Considering the experimental results reported in [
Experimental Setup A pictorial representation of the case study we consider is shown
in Figure 2. In this domain setup, a ball has to be thrown in such a way that it goes
through a goal, possibly avoiding obstacles present in the environment. The learning
agent interacting with the domain is allowed to control the force f = (fx, fy ) applied
to the ball when it is thrown. Given that the coordinate origin is placed at the
center of the wall opposing the goal — see Figure 2 — we chose fx ∈ [
DB Random QBC
DB
Random
QBC
DB
using the V-REP simulator [
Results We train SVRs on a dataset of n samples built as T = {(fi, yi), . . . , (fn, yn)} where fi = (fxi, fyi) is the force vector applied to the ball to throw it, and yi is the observed distance from the center of the gate, which is also the target of the regression. Obviously, the regression problem could be extended, e.g., by including the initial position of the ball, but our focus here is on getting the simplest example that could lead to evaluation of different active learning paradigms and verification thereof. Preliminary tests were performed in an obstacle-free environment, using specific subsets of all the feasible trajectories. Three algorithms were compared, namely a random strategy for adding new samples to the learning set, the query by committee algorithm and the one proposed by Demir and Bruzzone [32] — listed in Table 2 as “Random”, “QBC” and “DB”, respectively. Each test episode consists in adding samples to the model, and it ends when either the Root Mean Squared Error (RMSE) is smaller than a threshold (here 0.2), or when at most 100 additional samples are asked for. Table 2 suggests that when the learning problem involves one single class of shots (e.g., only straight shots), the algorithms provide better results. Indeed, when both straight and kick shots are possible, all three algorithms require more than 100 additional samples in at least 50% of the runs in order to reach the required RMSE. We conducted further experiments, this time considering the three cases (a), (b), and (c) described before, and the full set of feasible trajectories in each case. The results obtained, shown in Table 2 (right), confirm the observation made on Table 2 (left). The best results are indeed obtained for case (b), wherein the obstacle is placed in such a way that only kick shots are feasible, thus turning the learning problem into a single-concept one.
In this work we have summarized the state of the art in the topic of learning with safety requirements. The promise of this research is to make data-driven models fit enough to be deployed in safety-related context, e.g., adaptive agents operating in physical domains. However, several questions should be answered before the techniques surveyed in this paper can be pushed in practical applications with confidence in their effectiveness. Currently, we can consider the following issues: – SMT solvers could deal with the majority of encodings in a reasonable amount of time; still, there might be room for improvement and scalability with respect to the size of the learning problems must be assessed. – Safety requirements have been considered for batch learning with MLPs and active learning with SVRs; it would be worth investigating whether active learning with MLPs and batch learning with SVRs can give improved results in terms of learning and verification. – There are learning techniques which are both very effective and natively provide (statistical) bounds on their prediction; Gaussian process regression (GPR) [33] is one such technique, with a fairly considerable record of success stories; it would be interesting to compare the level of confidence in the prediction given by GPR on one side, and the strict guarantees provided by MLPs/SVRs checked with SMT solvers on the other. – Applications in which learning techniques ought to provide safety requirements are diverse, and include learning through reinforcement with continuous rather than discrete state-action-space representations — see [34] for a discussion. One important issue is thus the feasibility of techniques that we surveyed in such fields, wherein learning is part of a larger system devoted to program adaptive agents. Our future works will focus on addressing the above open issues and whether the proposed methodologies can scale to real-world problems, possibly posing verification of learning models as a challenge problem for the SMT research community. 29. Chang, C.C., Lin, C.J.: Libsvm: a library for support vector machines. ACM Transactions on Intelligent Systems and Technology (TIST) 2(3) (2011) 27 30. Cimatti, A., Griggio, A., Schaafsma, B., Sebastiani, R.: The MathSAT5 SMT Solver. In Piterman, N., Smolka, S., eds.: Proceedings of TACAS. Volume 7795 of LNCS, Springer (2013) 31. GPy: GPy: A gaussian process framework in python. http://github.com/
SheffieldML/GPy (since 2012) 32. Demir, B., Bruzzone, L.: A multiple criteria active learning method for support vector regression. Pattern Recognition 47(7) (2014) 2558–2567 33. Williams, C.K.I., Rasmussen, C.E.: Gaussian processes for regression. In: Advances in Neural Information Processing Systems 8, NIPS, Denver, CO, November 27-30, 1995. (1995) 514–520 34. Pathak, S., Pulina, L., Metta, G., Tacchella, A.: How to abstract intelligence?(if verification is in order). In: Proc. 2013 AAAI Fall Symp. How Should Intelligence Be Abstracted in AI Research. (2013)