DLFuzz: Differential Fuzzing Testing of Deep Learning Systems (1808.09413v1)

Abstract: Deep learning (DL) systems are increasingly applied to safety-critical domains such as autonomous driving cars. It is of significant importance to ensure the reliability and robustness of DL systems. Existing testing methodologies always fail to include rare inputs in the testing dataset and exhibit low neuron coverage. In this paper, we propose DLFuzz, the frst differential fuzzing testing framework to guide DL systems exposing incorrect behaviors. DLFuzz keeps minutely mutating the input to maximize the neuron coverage and the prediction difference between the original input and the mutated input, without manual labeling effort or cross-referencing oracles from other DL systems with the same functionality. We present empirical evaluations on two well-known datasets to demonstrate its efficiency. Compared with DeepXplore, the state-of-the-art DL whitebox testing framework, DLFuzz does not require extra efforts to find similar functional DL systems for cross-referencing check, but could generate 338.59% more adversarial inputs with 89.82% smaller perturbations, averagely obtain 2.86% higher neuron coverage, and save 20.11% time consumption.

• The paper introduces DLFuzz, a gradient-based differential fuzzing framework that boosts neuron coverage by up to 5.59% and generates up to 584.62% more adversarial examples.
• The paper leverages a joint optimization approach to balance neuron activation and misclassification likelihood, reducing the need for manual labeling.
• Empirical results on MNIST and ImageNet show that DLFuzz cuts testing time by 20.11% and improves DL reliability in safety-critical applications.

DLFuzz: Differential Fuzzing Testing of Deep Learning Systems

The paper "DLFuzz: Differential Fuzzing Testing of Deep Learning Systems" contributes to the methodologies used in testing the reliability and robustness of Deep Learning (DL) systems. These systems are increasingly being applied in safety-critical domains, such as autonomous vehicles, where their reliability is of utmost importance. Traditional DL testing methodologies often fail due to incomplete input coverage and inadequate neuron activity tracking. This work introduces DLFuzz, a differential fuzzing framework designed to enhance neuron coverage and generate adversarial inputs with minimal manual intervention, circumventing the constraints associated with both whitebox and blackbox testing paradigms.

Core Methodological Advances

DLFuzz operates by minutely mutating inputs to maximize both neuron coverage and the prediction difference from an original input. Unlike existing methods such as DeepXplore, which requires manual labeling and cross-referencing similar functional DL systems, DLFuzz automates these processes through a gradient-based approach to perturb inputs. This effectively reduces the overhead associated with manual procedures and dependency on multiple DL systems.

The framework formulates the goal of DL testing as a joint optimization problem that seeks to maximize neuron coverage and trigger incorrect behavior. The mutation algorithm of DLFuzz achieves this by modeling the problem using a tailored loss function, which includes components for both neuron activation and misclassification likelihood. The algorithm iteratively alters the inputs while maintaining imperceptible perturbations and tracks neuron coverage improvements. By selecting neurons strategically, based on criteria such as past activation frequency and weight influence, DLFuzz enhances the breadth of options available to influence DL behavior.

Evaluation and Results

Empirical validation was conducted using multiple DL systems on the MNIST and ImageNet datasets, common benchmarks in DL research. DLFuzz emerged superior to DeepXplore in neuron coverage, achieving improvements between 1.10% and 5.59%. Additionally, it surpassed DeepXplore in generating adversarial examples—up to 584.62% more—for given input sets, while maintaining notably smaller perturbations. The paper reports an average time savings of 20.11% for generating adversarial examples, underscoring its efficiency.

Moreover, the addition of adversarial examples generated by DLFuzz into retraining sets of DL models demonstrated practical efficacy by improving model accuracy—indicating its tangible benefits in real-world applications, especially in safety-critical contexts.

Theoretical and Practical Implications

The introduction of DLFuzz illustrates a significant advance in applying fuzzing techniques to DL testing, a field traditionally dominated by constraint-based and heuristic approaches. The framework's reliance on differential analysis without manual labels marks a theoretical shift in DL testing methodologies towards more autonomous systems.

Practically, DLFuzz enhances the DL development lifecycle by automating a considerable portion of the testing process. Through strategic neuron activation and robust adversarial example generation, DLFuzz can identify critical input vulnerabilities in DL systems earlier, reduce error rates in production, and ultimately bolster the safety and reliability factors in sensitive applications such as autonomous vehicles.

Future Directions

Building on these insights, potential avenues of further research include extending the framework's adaptability to other DL tasks such as speech recognition and investigating domain-specific mutation strategies that leverage unique characteristics of different data types.

Additionally, the paradigm of differential fuzzing testing can be expanded to explore synergies with reinforcement learning, where the mutation process could be guided by environmental feedback, further optimizing the testing efficiency and coverage in DL systems.

By exploring these directions, the methodology described in DLFuzz has the potential not only to enhance existing testing frameworks but also to pave the way for future DL system validation techniques in a multitude of applications.