Go to ICLR 2026 Conference homepageSound Verification of Deployed Neural Networks
Keywords: sound verification, backdoor attacks, deployment, floating point arithmetic
Abstract: Verification methods aim at mathematically proving desirable properties of neural networks, such as robustness to adversarial perturbations. A verifier is sound if and only if it never claims that a neural network has the desired property when it does not. It was shown recently that none of the currently known verifiers that are claimed to be sound are guaranteed to be sound when considering the deployed version of the verified network. Due to this, all the known verifiers are vulnerable to certain backdoor attacks, where an adversarial network passes verification but, in reality, it exhibits adversarial behavior in specific deployment environments. So far, it has been suspected that sound verification is prohibitively expensive if we wish to verify all possible executions—including parallel and stochastic ones—in deployment. *We are the first to propose an efficient error bounding technique that most known verifiers can apply to become practically sound.* The technique enables both interval bound propagation and symbolic propagation methods to remain sound even if the deployment environment randomly selects a valid ordering and parenthesizing of the arithmetic operations to compute the network. We present a theoretical foundation for our approach and demonstrate empirically that our technique indeed discovers all known deployment-specific attacks, introducing only a limited performance overhead.
Supplementary Material: zip
Primary Area: alignment, fairness, safety, privacy, and societal considerations
Submission Number: 8686
Loading