We present CAISAR, an open-source platform under active development for the characterization of AI systems' robustness and safety. CAISAR provides a unified entry point for defining verification problems by using WhyML, the mature and expressive language of the Why3 verification platform. Moreover, CAISAR orchestrates and composes state-of-the-art machine learning verification tools which, individually, are not able to efficiently handle all problems but, collectively, can cover a growing number of properties. Our aim is to assist, on the one hand, the V&V process by reducing the burden of choosing the methodology tailored to a given verification problem, and on the other hand the tools developers by factorizing useful features - visualization, report generation, property description - in one platform. CAISAR will soon be available at https://git.frama-c.com/pub/caisar.
graded or abandoned. These tools use different techniques, different input formats, handle different ML artefacts and, The integration of machine learning programs as compo- most importantly, have varying performances depending nents of critical systems is said to be bound to happen; on the problems. Our goal of orchestrating multiple tools initiatives from various private and govermental actors aims at maximizing the property coverage in the context (e.g., US’ NSF funding for Trustworthy AI1, France’s of a validation and verification process. Grand Défi IA de confiance 2) are a consequence of that To this end, we present a platform dedicated to Charfact. Trusting such programs is thus becoming a crucial acterizing Artificial Intelligence Safety and Robustness issue, both on technical and ethical sides. (CAISAR) that aims to unify several formal methods and
A possible approach to trust is formal test and verifica- tools, at the input, through the use of a mature and exprestion, a broad set of techniques and tools that have been sive property description and proof orchestration language, applied to software safety for several decades. These for- at the output, through the factorization of features such mal methods build on sound mathematical foundations as visualization and report generation, and at the usage, to assess the behaviour of programs in a principled way, through shared heuristics and interconnections between be it for generating tests or providing proven guarantees. tools.
For the last few years, several independent works have The answer to the question “To what extent can I trust started to investigate the possible applications of formal my machine learning program?” has many components, verification to machine learning program verification and ranging from data analysis to decision explainability. One its limitations. This led to what could be characterized as such important components is dealing with verification a Cambrian explosion of tools aiming to solve a particular and validation, and we wish to make CAISAR an imsubset of the machine learning verification field. In less portant element in the safety toolbelt by covering these than vfie years, more than 20 tools were produced, up- applications.
In the following, we will first present the design principles of CAISAR and state its main goals. We will follow by a description of its most prominent features, as well as its limitations. We will then explain the position of CAISAR regarding other tools for formal verification of machine learning programs, and conclude by presenting some future work and possible research problems.
confidence on the studied system. In order for users to
trust CAISAR as well, it needs to rely on well-known and
The aim for CAISAR is to provide a verification envi- approved principles and technologies. It is developed in
ronment for Artificial Intelligence (AI) based systems OCaml, a strongly typed programming language, used
tailored to different needs. The profusion of tools for AI- to develop tools for program verification and validation.
programs certification offers numerous possibilities, from Such tools include Coq [
The first principle of CAISAR is to ease this burden of choice by automating parts of it. CAISAR aims to provide a unique interface for vastly different tools, with a single entry point to specify verification goals. Choosing which tool to use is an informed decision that may not be relevant for the user; the goal is to provide an actionable answer on the safety of the system, by using whatever tool is suitable for the problem. Ideally, the user should not be bothered with deciding which tool is suitable for their use case: CAISAR will automatically figure out how to express the given property to suit verifiers. As AI systems pipelines are becoming more and more complex, it is crucial for CAISAR to handle this complexity. Currently, CAISAR supports neural networks and support vector machines, and an industrial benchmark of an ensemble model (NNSVM), which we are unable to further discuss, is being used as a concrete real-word use-case.
Existing verifiers rely on different decision procedures, e.g., Mixed Integer Linear Programming (MILP), abstract interpretation, or Satisfaction Modulo Theory (SMT) calculus. Modelling a verification problem using these frameworks require different skills and is time-consuming; for instance, some modelling choices made for MILP may not be applied under SMT. Moreover, even if one succeeds in phrasing a verification problem under multiple decision procedures, the different results may not be immediately comparable.
CAISAR aims to provide a common ground for inputs
and outputs, which will lead to an easier comparison,
lower time consumption and an informed decision.
Furthermore, collecting and presenting the user with multiple
answers from different techniques can provide additional
Some works are starting to combine multiple
techniques [
A long-term goal for CAISAR is to provide a reasoning engine where past verification problems processed by CAISAR can inform next ones, gradually building a knowledge base that is suitable for the specific needs of the user. CAISAR will also implement its own built-in heuristics to supplement specialized programs that do not implement them.
CAISAR’s architecture can be divided into the following functional blocks:
2. A Proof Obligation Generator (POG), associated with a Dispatcher (DISP) 3. An Intermediate Representation (IR) 4. A visualization module (VIZ)
Ada programs [
CAISAR then automatically translates into a format supported by the selected verifiers, through a succession of encoding transformations and simplifications. For instance, some verifiers are best used when trying to falsify the property: instead of checking they instead try to satisfy the negation ∀ ∈ , () ⇒ ( (), ) ∃ ∈ , () ∧ ¬( (), ) A typical task for program verification involves to solve This transformation is embedded in CAISAR, when calla verification problem . A verification problem consists ing Marabou: a verification problem can be transon checking that a program with a given set of inputs is formed into an equivalent one ′ that can be dispatched meeting certain expectations on its outputs. More for- to Marabou. mally, let be an input space, (· ) be a property on the input space, be a program, and (· , · ) be a property 3.2. Proof Obligations Generations for on the output space. By property, we mean a statement various tools that describes a desirable behaviour for the program. Let = ( , , , ) be a verification problem . The goal is to verify the following property:
∀ ∈ , () ⇒ ( (), )
To write , one needs to be able to express concisely and
without ambiguity each component: the program to verify
, the properties and , and the dataset . To this end,
CAISAR provides full support for the WhyML
specification and programming language [
Marabou
Marabou [
It is currently in active development.
SAVer
use TestSVM . SVMasArray
use i e e e _ f l o a t . F l o a t 6 4
use c a i s a r .SVM
g o a l G: f o r a l l a : i n p u t _ t y p e .
r o b u s t _ t o svm_apply a ( 0 . 5 : t )
The Support Vector Machine reachability analysis tool Figure 3: Example verification problem specified to
SAVer [
Alt-Ergo and SMTLIB compliant solvers
Existing general purpose SMT solvers for program
verification like Alt-Ergo [
Python Reachability Assessment Tool
The Python Reachability Assessment Tool (PyRAT) is a
static analyzer targeting specifically neural networks. It
builds upon the framework of abstract interpretation [
For low dimensional inputs, PyRAT use input
partitioning as described in [
AIMOS: a Metamorphic testing utility AI Metamorphism Observing Software (AIMOS) is a p r e d i c a t e r o b u s t _ t o software developped at the same time as CAISAR, aiming ( model : model ) to provide metamorphic properties testing or perturbations ( a : i n p u t _ t y p e ) on a dataset for a given AI model. Metamorphic testing (f eoprsa:l l t b) . = d i s t _ l i n f a b eps is a testing technique relying on properties symmetries model . num_input − > and invariance on the operating domain. See [21] for a model . app a = model . app b comprehensive survey on this approach. AIMOS offers tools to derive properties from a set of transformations on the inputs: given , , and a transformation function Figure 2: An example of a predicate in CAISAR’s stan- : ∈ ↦→ , it generates a set of new properies ′ dard library: being “robust to” against a perturbation of that are coherent with the transformation. As an example, amplitude . Here, the predicate defines (). a symmetry on the inputs of a classification model could result on a symmetry on the outputs; AIMOS would then 3.4. Answer composition automatically modify the property to check against the symmetrical labels. CAISAR currently offer two ways to compose verifiers.
AIMOS can generate test cases scenarios from the First, CAISAR can launch several solvers on the same task most common input transformations (geometrical rota- and compose their answer: it can then provide a summary tions, noise addition); others can be added if necessary. stating which solver succeeded and which one failed. SecAIMOS was evaluated on a metamorphic property on the ond, CAISAR has the ability to verify pipelines that are ACAS-Xu benchmark. The aim of the property was to composed of several machine learning programs: for inevaluate the ability of neural networks trained on ACAS stance, a pipeline composed of several neural networks, or to generalize with symmetric inputs. Given a symmetry a neural network which outputs are processed by a SVM. on inputs, AIMOS generates the expected symmetrical CAISAR can be used to state an overall verification goal, output, and tests models against the base and symmetrical and to model that the outputs of a block of the pipeline outputs. See table 1 for results. AIMOS was able to show are the inputs of another block. More advanced methods that neural networks trained on ACAS have a low, but of composition, such as automatic subgoals generation noticeable sensitivity to symmetry on one input. or refinement by multiple analysis constitute a promising research venue.
The most similar work to CAISAR is the DNNV plat- instance out-of-distribution detection, is another future
form [
DNNP, is built on Python; while CAISAR’s specification language, WhyML, is already used in several formal verification platforms and provide additional theoretical References guarantees, which is a key component to provide trust. As stated before, WhyML allows specifying multiple verification goals in the same verification problem, which helps modelling more complex use cases.
The main difference between CAISAR and DNNV is that the latter does not combine verifiers answers, that is to say there is (at the time of writing) no feature that aims to interoperate verifiers: from the DNNV documentation5: "DNNV standardizes the network and property input formats to enable multiple verification tools to run on a single network and property. This facilitates both verifier comparison, and artifact re-use." As verifiers are becoming more and more sophisticated and specialized, combination of methods will become even more fruitful, and we expect this to be a key difference with DNNV.
As the field of machine learning verification is blooming, choosing the right tool for the right verification problem becomes more and more tedious. We presented CAISAR, a platform aimed to alleviate this difficulty by presenting a single, extensible entry point to machine learning veriifcation problem modelling and solving. Plenty of work still needs to be done, however.
Altough CAISAR already integrates some
state-of-theart tools, other verifiers that ranked high in the
VNNCOMP are on the way of integration. Such verifiers
include , -CROWN [
Another research venue would be the integration of
neural network reparation techniques such as [
Various problem splitting heuristics based, for instance,
on [
Data is the cornerstone of modern machine learning systems, and it is necessary to give tools to handle its complexity. Support for more various data kinds, such as time series, is a first step towards this direction. Integration of tools for analyzing data in relation with a program, for