CS2125 Paper Review Form - Winter 2019

Reviewer: Ali Harakeh
Paper Title: AI2: Safety and Robustness Certification of Neural Networks with Abstract Interpretation
Author(s): Timon Gehr, Matthew Mirman, Dana Drachsler-Cohen, Petar Tsankov, Swarat Chaudhuri*, Martin Vechev

1) Is the paper technically correct?
[X] Yes
[ ] Mostly (minor flaws, but mostly solid)
[ ] No

2) Originality
[ ] Very good (very novel, trailblazing work)
[X] Good
[ ] Marginal (very incremental)
[ ] Poor (little or nothing that is new)

3) Technical Depth
[ ] Very good (comparable to best conference papers)
[X] Good (comparable to typical conference papers)
[ ] Marginal depth
[ ] Little or no depth

4) Impact/Significance
[ ] Very significant
[X] Significant
[ ] Marginal significance.
[ ] Little or no significance.

5) Presentation
[ ] Very well written
[ ] Generally well written
[X] Readable
[ ] Needs considerable work
[ ] Unacceptably bad

6) Overall Rating
[ ] Strong accept (award quality)
[ ] Accept (high quality - would argue for acceptance)
[X] Weak Accept (borderline, but lean towards acceptance)
[ ] Weak Reject (not sure why this paper was published)

7) Summary of the paper's main contribution and rationale for your recommendation. (1-2 paragraphs)

This paper presents AI2, a framework that can be used to prove desirable properties regarding the behavior of neural networks. AI2 is one of the first methods that provide a sound and scalable analysis of deep neural networks through abstract interpretation, and can be used to evaluate the robustness of neural networks to common adversarial attacks. The major contribution of this paper is the scalability, soundness, and precision of the proof that a neural network satisfies a target property. However, AI2 also suffers from a few weak points mentioned below.

8) List 1-3 strengths of the paper. (1-2 sentences each, identified as S1, S2, S3.)
S1: Abstract interpretation allows the certification of a network's property with a 'single abstract run' over an abstract input set describing such property.

S2: Abstract transformers allow the scalability of AI2 to analyze large deep neural networks (up to 53000 neurons shown in the paper), much more than the state of the art at the time of publication.

S3: AI2 allows the certification of robustness of neural networks to adversarial attacks.

9) List 1-3 weaknesses of the paper (1-2 sentences each, identified as W1, W2, W3.)

W1: AI2 requires formulating abstract transformers for every layer type used in the neural network. The paper provides CAT formulations for three commonly used layers: the convolutional, fully connected, and max-pooling layers, which can be formulated into abstract transformers. Any custom layers (such as ROI pooling for object detection) or activation functions (such as leaky ReLU) will require the lengthy process of deriving a new CAT and, as such, a new abstract transformer.

W2: AI2 can be used whenever the set of perturbed inputs can be overapproximated with a set of zonotopes in a precise way. That is, if the overapproximation adds too many inputs that do not capture actual perturbations to the robustness region, AI2 may fail to provide proof of robustness even if it holds.
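
The "single abstract run" of S1 and the precision limit of W2, as an added example that is not part of the review or of the AI2 paper. It swaps in the simpler interval (box) domain for the paper's zonotopes; the toy network, the input, the same-shift "brightness" perturbation set and every function name are assumptions constructed for illustration.

```python
# Constructed example: interval (box) abstract interpretation of a toy ReLU
# network. Weights, inputs and all function names are assumptions made here.

def affine(box, W, b):
    """Abstract transformer for y = Wx + b over per-coordinate intervals."""
    out = []
    for row, bias in zip(W, b):
        lo = hi = bias
        for w, (l, u) in zip(row, box):
            lo += w * l if w >= 0 else w * u   # smallest reachable value
            hi += w * u if w >= 0 else w * l   # largest reachable value
        out.append((lo, hi))
    return out

def relu(box):
    """Abstract transformer for ReLU: clamp both bounds at zero."""
    return [(max(l, 0.0), max(u, 0.0)) for l, u in box]

W1, B1 = [[1.0, -1.0], [-1.0, 1.0]], [0.0, 0.0]   # hidden: relu(x1-x2), relu(x2-x1)
W2, B2 = [[1.0, 0.0], [0.0, 1.0]], [0.3, 0.0]     # logits: h1 + 0.3, h2

def abstract_run(box):
    """One abstract run: push the whole input set through every layer."""
    return affine(relu(affine(box, W1, B1)), W2, B2)

def concrete_run(x):
    """A single input is the degenerate box [x, x]."""
    return [lo for lo, _ in abstract_run([(v, v) for v in x])]

def certified(box, label):
    """Sound check: worst case of `label` beats best case of every other class."""
    out = abstract_run(box)
    return all(out[label][0] > hi for k, (_, hi) in enumerate(out) if k != label)

def linf_box(x, eps):
    return [(v - eps, v + eps) for v in x]

def brightness_points(x, eps, steps=41):
    """Actual perturbations considered here: the same shift on every pixel."""
    return [[v + eps * (2 * i / (steps - 1) - 1) for v in x] for i in range(steps)]

X0 = [0.5, 0.5]   # constructed input, classified as label 0

if __name__ == "__main__":
    for eps in (0.1, 0.2):
        holds = all(concrete_run(p)[0] > concrete_run(p)[1]
                    for p in brightness_points(X0, eps))
        print(eps, "property holds on sampled perturbations:", holds,
              "| box certificate:", certified(linf_box(X0, eps), 0))
```

At eps = 0.2 every same-shift perturbation is still classified as label 0, yet the certificate fails: the enclosing box also contains inputs such as [0.3, 0.7] that are not brightness shifts and that the network does misclassify. A failed certificate from a sound analysis therefore means "not proven", not "not robust".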