FUNDAMENTAL LIMITS IN FORMAL VERIFICATION OF MESSAGE-PASSING NEURAL NETWORKS

Abstract

Output reachability and adversarial robustness are among the most relevant safety properties of neural networks. We show that in the context of Message Passing Neural Networks (MPNN), a common Graph Neural Network (GNN) model, formal verification is impossible. In particular, we show that output reachability of graph-classifier MPNN, working over graphs of unbounded but finite size, with nontrivial degree and sufficiently expressive node labels, cannot be verified formally: there is no algorithm that answers correctly (with yes or no), given a graph-classifier MPNN, whether there exists some valid input to the MPNN such that the corresponding output satisfies a given specification. However, we also show that output reachability and adversarial robustness of node-classifier MPNN can be verified formally when a limit on the degree of input graphs is given a priori. We discuss the implications of these results, with the aim of obtaining a complete picture of the possibility in principle of formally verifying GNN, depending on the expressiveness of the involved GNN models and input-output specifications.

1. INTRODUCTION

The Graph Neural Network (GNN) framework, i.e. models that compute functions over graphs, has become a go-to technique for learning tasks over structured data. This is not surprising, since GNN application possibilities are enormous, ranging from the natural sciences (Kipf et al. (2018); Fout et al. (2017)) over recommender systems (Fan et al. (2019)) to general knowledge-graph applications, which themselves span a broad range of use cases (Zhou et al. (2020)). Naturally, the high interest in GNN and their broad range of applications, including safety-critical ones, for instance in traffic situations, impose two necessities: first, a solid foundational theory of GNN is needed that describes the possibilities and limits of GNN models. Second, methods for assessing the safety of GNN are needed, in the best case giving guarantees for certain safety properties.

Compared to the amount of work on performance improvement for GNN or the development of new model variants, the amount of work studying basic theoretical results about GNN is rather limited. Some general results have been obtained as follows: independently, Xu et al. (2019) and Morris et al. (2019) showed that GNN belonging to the model of Message Passing Neural Networks (MPNN) (Gilmer et al. (2017)) are non-universal in the sense that they cannot be trained to distinguish specific graph structures. Furthermore, both relate the expressiveness of MPNN to the Weisfeiler-Leman graph isomorphism test. This characterisation is thoroughly described and extended by Grohe (2021). Loukas (2020) showed that MPNN can be Turing universal under certain conditions and gave impossibility results for MPNN of restricted depth and width on certain graph problems.

Similarly, there is a lack of work regarding safety guarantees for GNN, or in other words on formal verification of GNN. Research in this direction is almost exclusively concerned with certifying adversarial robustness properties (ARP) of node-classifying GNN (see Sect. 1.1 for details). The ARPs usually considered there specify a set of valid inputs by giving a center graph and a bounded budget of allowed modifications; they are satisfied by a GNN if all valid inputs are classified to the same, correct class. However, due to the nature of the allowed modifications, these properties cover only local parts of the input space, namely neighbourhoods around a center graph.


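To make the notion of a budget-bounded ARP concrete, the following sketch checks such a property by brute force on a toy one-layer message-passing classifier: given a center graph and an edge-flip budget, it tests whether every perturbed graph within the budget receives the same class. All function names, the toy architecture, and the random parameters are our own illustrative assumptions, not a construction from the paper; the exhaustive enumeration is only feasible because the input space here is finite and tiny.

```python
# Illustrative sketch (assumptions, not the paper's method): a minimal
# one-round message-passing graph classifier and a brute-force check of
# a local adversarial robustness property (ARP) under an edge-flip budget.
import itertools
import numpy as np

def mpnn_classify(adj, feats, w_msg, w_upd, w_out):
    """One round of message passing, then sum-pooling and readout."""
    msgs = adj @ feats @ w_msg           # aggregate transformed neighbour features
    h = np.tanh(feats @ w_upd + msgs)    # update node states
    logits = h.sum(axis=0) @ w_out       # sum-pool over nodes, then classify
    return int(np.argmax(logits))

def arp_holds(adj, feats, budget, params):
    """True iff the class is stable under at most `budget` edge flips."""
    n = adj.shape[0]
    base = mpnn_classify(adj, feats, *params)
    edges = list(itertools.combinations(range(n), 2))
    for k in range(1, budget + 1):
        for flips in itertools.combinations(edges, k):
            pert = adj.copy()
            for i, j in flips:               # flip each chosen edge
                pert[i, j] = pert[j, i] = 1 - pert[i, j]
            if mpnn_classify(pert, feats, *params) != base:
                return False                  # found a misclassified neighbour
    return True

# Tiny center graph: 4 nodes, one edge, random features and weights.
rng = np.random.default_rng(0)
n, d = 4, 3
adj = np.zeros((n, n))
adj[0, 1] = adj[1, 0] = 1.0
feats = rng.normal(size=(n, d))
params = (rng.normal(size=(d, d)),   # w_msg
          rng.normal(size=(d, d)),   # w_upd
          rng.normal(size=(d, 2)))   # w_out (binary readout)
print(arp_holds(adj, feats, budget=1, params=params))
```

The enumeration grows combinatorially in the number of node pairs and the budget, which is why such direct checks only cover local neighbourhoods of a center graph; this mirrors the paper's point that decidability results require an a priori bound on the inputs.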