FUNDAMENTAL LIMITS IN FORMAL VERIFICATION OF MESSAGE-PASSING NEURAL NETWORKS

Abstract

Output reachability and adversarial robustness are among the most relevant safety properties of neural networks. We show that in the context of Message Passing Neural Networks (MPNN), a common Graph Neural Network (GNN) model, formal verification is impossible. In particular, we show that output reachability of graph-classifier MPNN, working over graphs of unbounded, but finite size, nontrivial degree and sufficiently expressive node labels, cannot be verified formally: there is no algorithm that answers correctly (with yes or no), given a graph-classifier MPNN, whether there exists some valid input to the MPNN such that the corresponding output satisfies a given specification. However, we also show that output reachability and adversarial robustness of node-classifier MPNN can be verified formally when a limit on the degree of input graphs is given a priori. We discuss the implications of these results, for the purpose of obtaining a complete picture of the principal possibility to formally verify GNN, depending on the expressiveness of the involved GNN models and input-output specifications.

1. INTRODUCTION

The Graph Neural Network (GNN) framework, i.e. models that compute functions over graphs, has become a go-to technique for learning tasks over structured data. This is not surprising since GNN application possibilities are enormous, ranging from natural sciences (Kipf et al. (2018); Fout et al. (2017)) over recommender systems (Fan et al. (2019)) to general knowledge graph applications, which themselves include a broad range of applications (Zhou et al. (2020)). Naturally, the high interest in GNN and their broad range of applications, including safety-critical ones, for instance in traffic situations, impose two necessities: first, a solid foundational theory of GNN is needed that describes possibilities and limits of GNN models. Second, methods for assessing the safety of GNN are needed, in the best case giving guarantees for certain safety properties. Compared to the amount of work on performance improvement for GNN or the development of new model variants, the amount of work studying basic theoretical results about GNN is rather limited. Some general results have been obtained as follows: independently, Xu et al. (2019) and Morris et al. (2019) showed that GNN belonging to the model of Message Passing Neural Networks (MPNN) (Gilmer et al. (2017)) are non-universal in the sense that they cannot be trained to distinguish specific graph structures. Furthermore, both relate the expressiveness of MPNN to the Weisfeiler-Leman graph isomorphism test. This characterisation is thoroughly described and extended by Grohe (2021). Loukas (2020) showed that MPNN can be Turing universal under certain conditions and gave impossibility results of MPNN with restricted depth and width for solving certain graph problems. Similarly, there is a lack of work regarding safety guarantees for GNN, or in other words work on formal verification of GNN.
Research in this direction is almost exclusively concerned with certifying adversarial robustness properties (ARP) of node-classifying GNN (see Sect. 1.1 for details). There, the ARP usually considered specify a set of valid inputs by giving a center graph and a bounded budget of allowed modifications, and are satisfied by some GNN if all valid inputs are classified to the same, correct class. However, due to the nature of allowed modifications, these properties cover only local parts of the input space, namely neighbourhoods around a center graph. This local notion of adversarial robustness is also common in formal verification of classical neural networks (NN). However, in NN verification, the absence of misbehaviour of a more global kind is addressed using so-called output reachability properties (ORP) (Huang et al. (2020)). A common choice of ORP specifies a convex set of valid input vectors and a convex set of valid output vectors and is satisfied by some NN if there is a valid input that leads to a valid output. Thus, falsifying ORP, specifying unwanted behaviour as valid outputs, guarantees the absence of respective misbehaviour regarding the set of valid inputs. To the best of our knowledge there currently is no research directly concerned with ORP of GNN. This work addresses both of the above mentioned gaps: we present fundamental results regarding the (im-)possibility of formal verification of GNN. We prove that, in direct contrast to formal verification of NN, there are non-trivial classes of ORP and ARP used for MPNN graph classification that cannot be verified formally.
Namely, as soon as the chosen kind of input specifications allows for graphs of unbounded, but finite size, non-trivial degree and sufficiently expressive labels, formal verification is no longer automatically possible in the following sense: there is no algorithm that, given an MPNN and specifications of valid inputs and outputs, answers correctly (yes/no) whether some valid input is mapped to some (in-)valid output. Additionally, we show that ORP and ARP of MPNN used for node classification are formally verifiable as soon as the degree of valid input graphs is bounded. In the ARP case, this extends the previously known bounds. The remaining part of this work is structured as follows: we give necessary definitions in Sect. 2 and a comprehensive overview of our results in Sect. 3. In Sect. 4 and Sect. 5, we cover formal arguments, with purely technical parts outsourced to App. A and B. Finally, we discuss and evaluate our possibility and impossibility results in Sect. 6.
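
The ARP described above, given by a center graph and a bounded budget of modifications, ranges over a finite set of valid inputs and can therefore be decided by enumeration. The following added example (not part of the paper) does this for edge modifications on a constructed toy node-classifier MPNN; its weights, threshold, center graph and function names are assumptions made for illustration.

```python
from itertools import combinations

# Constructed toy node-classifier MPNN (an assumption, not the paper's model):
# two sum-aggregation layers with ReLU, scalar node labels, threshold readout.
W_SELF, W_NEIGH, BIAS, THRESHOLD = 1.0, 0.5, -1.0, 1.5

def classify_node(n, edges, labels, node, layers=2):
    """Run the toy MPNN on an undirected graph and return the class of `node`."""
    neigh = {v: set() for v in range(n)}
    for u, v in edges:
        neigh[u].add(v)
        neigh[v].add(u)
    h = list(labels)
    for _ in range(layers):
        # All node states are updated simultaneously from the previous layer.
        h = [max(0.0, W_SELF * h[v] + W_NEIGH * sum(h[u] for u in neigh[v]) + BIAS)
             for v in range(n)]
    return 1 if h[node] > THRESHOLD else 0

def valid_inputs(n, center_edges, budget):
    """Yield every edge set reachable from the center graph by <= budget edge flips."""
    center = frozenset(frozenset(e) for e in center_edges)
    pairs = [frozenset(p) for p in combinations(range(n), 2)]
    for k in range(budget + 1):
        for flips in combinations(pairs, k):
            yield center ^ frozenset(flips)  # symmetric difference inserts/deletes

def verify_arp(n, center_edges, labels, node, budget):
    """Decide the ARP exhaustively; returns (robust, graphs_checked, counterexamples)."""
    expected = classify_node(n, center_edges, labels, node)
    checked, bad = 0, []
    for edges in valid_inputs(n, center_edges, budget):
        checked += 1
        if classify_node(n, edges, labels, node) != expected:
            bad.append(sorted(tuple(sorted(e)) for e in edges))
    return (not bad), checked, bad

# Constructed center graph: the path 0-1-2-3 with every node labeled 1.0.
PATH = [(0, 1), (1, 2), (2, 3)]
ONES = [1.0, 1.0, 1.0, 1.0]

if __name__ == "__main__":
    print(verify_arp(4, PATH, ONES, node=0, budget=1))
    print(verify_arp(4, PATH, ONES, node=0, budget=2))
```

The search space grows as the sum of binomial coefficients over the budget, so the procedure always terminates, but only because the budget bounds the set of valid inputs.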

1.1. RELATED WORK

This paper addresses fundamental questions regarding formal verification of adversarial robustness and output reachability of MPNN and GNN in general. Günnemann (2022) presents a survey on recent developments in research on adversarial attack, defense and robustness of GNN. We recapitulate some categorizations made in the survey and rank the corresponding works in our results. First, according to Günnemann (2022) most work considers GNN used for node-classification (for example, Zügner et al. (2018); Dai et al. (2018); Wang et al. (2020); Wu et al. (2019)) and among these the most common adversarial modifications are edge modifications of a fixed input graph (Zügner et al. (2018); Zügner & Günnemann (2019); Ma et al. (2020)), but also node injections or deletions are considered (Sun et al. (2020); Geisler et al. (2021)). In all cases, the amount of such discrete modifications is bounded, which means that the set of input graphs under consideration is finite and, thus, the maximal degree is bounded. Any argument for the possibility of formal verification derivable from these works is subsumed by Theorem 2 here. Additionally, there is work considering label modifications (Zügner et al. (2018); Wu et al. (2019); Takahashi (2019)), but only in discrete settings or where allowed modifications are bounded by box constraints. Again, this is covered by Theorem 2. There is also work on adversarial robustness of graph-classifier GNN (Jin et al. (2020); Chen et al. (2020); Bojchevski et al. (2020)). In all cases, the considered set of input graphs is given by a bounded amount of structural perturbations to some center graph. Therefore, this is no contradiction to the result of Corollary 1 as the size of considered graphs is always bounded. As stated above, to the best of our knowledge, there currently is no work directly concerned with output reachability of MPNN or GNN in general.

2. PRELIMINARIES

Undirected, labeled graphs and trees. A graph $G$ is a triple $(V, D, L)$ where $V$ is a finite set of nodes, $D \subseteq V^2$ a symmetric set of edges and $L : V \to \mathbb{R}^n$ is a labeling function, assigning a vector to each node. We define the neighbourhood $\mathrm{Neigh}(v)$ of a node $v$ as the set $\{v' \mid (v, v') \in D\}$. The degree of $G$ is the minimal $d \in \mathbb{N}$ s.t. for all $v \in V$ we have $|\mathrm{Neigh}(v)| \leq d$. If the degree of $G$ is $d$ then $G$ is also called a $d$-graph. A tree $B$ is a graph with specified node $v_0$, called the root, denoted by $(V, D, L, v_0)$ and the following properties: $V = V_0 \cup V_1 \cup \dots \cup V_k$ where $V_0 = \{v_0\}$, all $V_i$

