Neural networks are increasingly being deployed in contexts where safety is a critical concern. In this work, we propose a way to construct neural network classifiers that dynamically repair violations of non-relational safety constraints called safe ordering properties. Safe ordering properties relate requirements on the ordering of a network's output indices to conditions on their input, and are sufficient to express most useful notions of non-relational safety for classifiers. Our approach is based on a novel self-repairing layer, which provably yields safe outputs regardless of the characteristics of its input. We compose this layer with an existing network to construct a self-repairing network (SR-Net), and show that in addition to providing safe outputs, the SR-Net is guaranteed to preserve the accuracy of the original network. Notably, our approach is independent of the size and architecture of the network being repaired, depending only on the specified property and the dimension of the network's output; thus it is scalable to large state-of-the-art networks. We show that our approach can be implemented using vectorized computations that execute efficiently on a GPU, introducing run-time overhead of less than one millisecond on current hardware -- even on large, widely-used networks containing hundreds of thousands of neurons and millions of parameters.

中文翻译：

---

自修复神经网络：通过动态修复可证明深度网络的安全性

神经网络越来越多地部署在安全是关键问题的环境中。在这项工作中，我们提出了一种构建神经网络分类器的方法，该分类器动态修复违反称为安全排序属性的非关系安全约束。安全排序属性将网络输出索引的排序要求与其输入条件相关联，并且足以表达最有用的分类器非关系安全概念。我们的方法基于一种新颖的自我修复层，无论其输入的特征如何，都可以证明它会产生安全的输出。我们将此层与现有网络组合以构建自修复网络（SR-Net），并表明除了提供安全输出外，SR-Net 还保证保留原始网络的准确性。尤其，我们的方法与正在修复的网络的大小和架构无关，仅取决于指定的属性和网络输出的维度；因此它可以扩展到大型最先进的网络。我们展示了我们的方法可以使用在 GPU 上高效执行的矢量化计算来实现，在当前硬件上引入不到一毫秒的运行时开销——即使在包含数十万个神经元和数百万个神经元的大型、广泛使用的网络上也是如此。参数。