Predictable and Trustworthy AI

Predictable and Trustworthy AI

The objective of this research is to enable the use of AI algorithms and deep networks in safety-critical cyber-physical systems, such as autonomous vehicles, advanced robots, space crafts, and medical systems. To be safely deployed, such systems must be certified and must react within given timing constraints imposed by the environment. Unfortunately, current deep learning frameworks are not designed to be used in safety-critical systems and cannot guarantee predictable response times. To solve this problem, the following research is carried out at the RETIS Lab:

Safe and secure architectures for AI-powered cyber-physical systems

This work leverages hypervisor technology to integrate multiple components of different criticality and safety requirements into a single computing platform. In this way, it is possible to execute a high-performance computing domain (hosting replicas of neural controllers) under the Linux operating systems together with a safe, certifiable computing domain (hosting safety-critical components) under a real-time operating system. In such an architecture, the hypervisor ensures strong time and memory isolation among the different domains, guaranteeing security and real-time properties. To ensure safety, the critical domain must continuously monitor the machine learning modules to timely detect possible unreliable outputs that could jeopardize the whole system, switching to a simpler backup controller able to bring the system to a safe state. Developing a safety monitor that evaluates the reliability of a deep neural network in real-time is also a key research topic of the RETIS Lab.

• Edoardo Cittadini, Mauro Marinoni, Alessandro Biondi, Giorgiomaria Cicero, and Giorgio Buttazzo, “Supporting AI-Powered Real-Time Cyber-Physical Systems on Heterogeneous Platforms via Hypervisor Technology“, Real-Time Systems, Vol. 59, Issue 4, pp. 609-635, December 2023.
• Giorgio Buttazzo, “Can We Trust AI-Powered Real-Time Embedded Systems?”, in OpenAccess Series in Informatics (OASIcs), Vol. 98, Proc. of the HiPEAC Workshop on Next Generation Real-Time Embedded Systems (NG-RES 2022), Budapest, Hungary, June 22, 2022.
• Luca Belluardo, Andrea Stevanato, Daniel Casini, Giorgiomaria Cicero, Alessandro Biondi, and Giorgio Buttazzo, “A multi-domain software architecture for safe and secure autonomous driving“, Proc. of the 27th IEEE International Conference on Embedded and Real-Time Computing Systems and Applications (RTCSA 2021), Online event, August 18-20, 2021.
• Alessandro Biondi, Federico Nesti, Giorgiomaria Cicero, Daniel Casini, and Giorgio Buttazzo, “A Safe, Secure, and Predictable Software Architecture for Deep Learning in Safety-Critical Systems“, IEEE Embedded Systems Letters, Vol. 12, No. 3, pp. 78-82, September 2020.

Defense methods against adversarial attacks

This research is aimed at developing methodologies for enhancing the security of machine learning algorithms, which have been shown to be quite sensistive to adversarial attacks, that is, malicious perturbations applied to inputs or objects in the environment able to induce erroneous behvaviors in neural networks.

Different effective methods have been developed at the RETIS Lab to detect adversarial attacks. One approach exploits the high sensitivity of adversarial inputs to specific transformations. Another method is based on a coverage analysis and consists of monitoring the neural activations of the internal layers of a neural network, comparing them with a reference behavior, a sort of “signature” acquired offline from a trusted dataset. This method allows the building of a confidence value used to judge the trustworthiness of the network prediction. Different coverage analysis methods have been evaluated and tested using multiple detection logics. A new method has also been developed for detecting and masking malicious perturbations applied in the physical world to fool neural models for image segmentation.

Finally, more fundamental research is being conducted to design new types of neural networks for which a certifiable robustness can be provided against adversarial attacks.

• Giulio Rossolini, Alessandro Biondi, Giorgio Buttazzo, “Attention-Based Real-Time Defenses for Physical Adversarial Attacks in Vision Applications“, Proc. of the 15th ACM/IEEE Int. Conf. on Cyber-Physical Systems (ICCPS 2024), Hong Kong, China, May 13-16, 2024.
• Bernd Prach, Fabio Brau, Giorgio Buttazzo, Christoph H. Lampert, “1-Lipschitz Layers Compared: Memory, Speed, and Certifiable Robustness“, Proc. of the 34th IEEE/CVF Computer Vision and Pattern Recognition Conference (CVPR 2024), Seattle, WA, USA, Jun 17-21, 2024.
• Federico Nesti, Giulio Rossolini, Gianluca D’Amico, Alessandro Biondi, Giorgio Buttazzo, “CARLA-GEAR: A Dataset Generator for a Systematic Evaluation of Adversarial Robustness of Deep Learning Vision Models“, IEEE Transactions on Intelligent Transportation Systems, to appear.
• Fabio Brau, Giulio Rossolini, Alessandro Biondi, and Giorgio Buttazzo, “On the Minimal Adversarial Perturbation for Deep Neural Networks with Provable Estimation Error“, IEEE Transactions on Pattern Analysis and Machine Intelligence, Vol. 45, No. 4, pp. 5038-5052, April 2023.
• Federico Nesti, Alessandro Biondi, and Giorgio Buttazzo, “Detecting Adversarial Examples by Input Transformations, Defense Perturbations, and Voting“, IEEE Transactions on Neural Networks and Learning Systems, Vol. 34, No. 3, pp. 1329-1341, March 2023.
• Giulio Rossolini, Federico Nesti, Fabio Brau, Alessandro Biondi, and Giorgio Buttazzo, “Defending From Physically-Realizable Adversarial Attacks Through Internal Over-Activation Analysis“, Proc. of the 37th AAAI Conference on Artificial Intelligence, Washington, DC, USA, February 7-14, 2023.
• Fabio Brau, Giulio Rossolini, Alessandro Biondi, and Giorgio Buttazzo, “Robust-by-Design Classification via Unitary-Gradient Neural Networks“, Proc. of the 37th AAAI Conference on Artificial Intelligence, Washington, DC, USA, February 7-14, 2023.
• Giulio Rossolini, Alessandro Biondi, and Giorgio Buttazzo, “Increasing the Confidence of Deep Neural Networks by Coverage Analysis“, IEEE Transactions on Software Engineering, Vol. 49, No. 2, pp. 802-815, February 2023.
• Federico Nesti, Giulio Rossolini, Saasha Nair, Alessandro Biondi, and Giorgio Buttazzo, “Evaluating the Robustness of Semantic Segmentation for Autonomous Driving against Real-World Adversarial Patch Attacks“, Proc. of the Winter Conf. on Applications of Computer Vision (WACV), Waikoloa, Hawaii, Jan 4-8, 2022.
• Giulio Rossolini, Federico Nesti, Gianluca D’Amico, Saasha Nair, Alessandro Biondi, Giorgio Buttazzo, “On the Real-World Adversarial Robustness of Real-Time Semantic Segmentation Models for Autonomous Driving“, IEEE Transactions on Neural Networks and Learning Systems, to appear.

Predictable acceleration of deep neural networks

A time-predictable acceleration of neural network inference is crucial for the development of safety-critical autonomous systems such as self-driving vehicles, robots, satellites, and space probes for planetary exploration. Unfortunately, the computing devices used today for accelerating neural computations are not able to provide a predictable timing behavior when executing multiple neural models. In fact, highly variable delays can be introduced during execution due to different types of interference among various micro-architecture components.

The RETIS Lab developed a set of efficient methodologies to bound such delays in different heterogeneous architectures that integrate general purpose GPUs (GPGPUs), FPGA, and multi-core processors of different types.

In particular, FPGAs can accelerate computations with a more predictable timing behavior and much less energy consumption than GPGPUs. In addition, dynamic partial reconfiguration can be exploited to reprogram parts of the FPGA area while the other parts are running. Such a feature has been exploited to implement a virtual FPGA that can execute a higher number of hardware accelerators sharing the same fabric, thanks to a timesharing mechanism similar to the one used to implement virtual memory. In this way, multiple neural networks can run concurrently on the same FPGA, greatly reducing response times for software implementation. Also, an automated framework allows optimized neural accelerators to be synthesized under given timing and resource constraints.

In another work, the FPGA is used to run multiple instances of Xilinx’s deep processing unit (DPU) to accelerate multiple neural networks for real-time object detection and tracking. This approach was effectively tested on a drone equipped with a camera and two LiDARs to perform real-time tracking of multiple persons at 30 fps, running the autopilot and a YOLOv8 for object detection on a Xilinx zcu102 board.

• Gerlando Sciangula, Francesco Restuccia, Alessandro Biondi, and Giorgio Buttazzo, “Hardware Acceleration of Deep Neural Networks for Autonomous Driving on FPGA-based SoC“, Proc. of the Euromicro Conference on Digital System Design (DSD 22), Maspalomas, Gran Canaria, Spain, August 31 – Septembre 2, 2022.
• M. Pagani, A. Biondi, M. Marinoni, L. Molinari, G. Lipari, G. Buttazzo, “A Linux-Based Support for Developing Real-Time Applications on Heterogeneous Platforms with Dynamic FPGA Reconfiguration“, Future Generation Computer Systems, Vol. 129, pp. 125-140, April 2022. (Outstanding Journal Paper)
• Marco Pagani, Enrico Rossi, Alessandro Biondi, Mauro Marinoni, Giuseppe Lipari, and Giorgio Buttazzo, “A Bandwidth Reservation Mechanism for AXI-based Hardware Accelerators on FPGAs“, Proc. of the Euromicro Conference on Real-Time Systems (ECRTS 2019), Stuttgart, Germany, July 9-12, 2019.

Explainability of deep neural networks

The high performance of deep neural networks comes with a price: these systems are highly complex, and their outputs cannot easily be interpreted and, hence, trusted by humans. Such difficulty in providing a clear explanation of their behavior makes AI inapplicable in areas where explanations are necessary for legal, safety, or security reasons. This work investigates different methodologies for building a clear graphical explanation of the results generated by a deep neural network. This research also investigates how to exploit generated explanations for automatically detecting possible biases present in the training set and possible unsafe inputs, such as adversarial examples or out-of-distribution samples.

• Marco Pacini, Federico Nesti, Alessandro Biondi and Giorgio Buttazzo, “X-BaD: A Flexible Tool for Explanation-Based Bias Detection”, Proc. of the IEEE International Conference on Cyber Security and Resilience (Virtual), July 26-28, 2021.

Enhance predictability in inference engines

The native scheduler used by popular inference engines, e.g., the one employed by TensorFlow, to run deep neural networks on multicore platforms does not take timing issues into account since it has been designed to optimize the average case rather than the worst-case performance. Therefore, it can introduce long and unpredictable delays, making it unsuitable for safety-critical applications. This work aims at enhancing predictability by acting on the node scheduler to introduce mechanisms designed to handle neural-network-specific workloads.

• Daniel Casini, Alessandro Biondi, and Giorgio Buttazzo, “Timing Isolation and Improved Scheduling of Deep Neural Networks for Real-Time Systems”, Software: Practice and Experience, Vol. 50, Issue 9, pp. 1760-1777, September 2020.

AI for cloud computing and network function virtualization (NFV) infrastructures

Cyber-physical systems are becoming increasingly interconnected, and low-latency and high-reliability connectivity are among hot topics in networking, for example, with reference to 5G scenarios. In this context, adaptive AI-based techniques are becoming more and more important to support communications in distributed cyber-physical systems. This task investigates techniques based on artificial intelligence and machine learning to analyze the massive amount of data coming from the monitoring system of a cloud/NFV infrastructure for purposes related to supporting operations, performance troubleshooting, root-cause analysis, workload prediction, and capacity planning.

Improving predictability, safety, and security in the Apollo autonomous driving framework

Modern frameworks for autonomous driving include several functionalities that need to run in a predictable, safe, and secure manner. The Apollo open-source framework for autonomous driving consists of multiple modules, each taking care of a specific task, e.g., control, planning, and perception. Since Apollo requires interacting with sensors and devices (such as GPUs) whose drivers and software stacks may not be available on a real-time operating system, it runs on Linux, a feature-rich operating system that, however, is vulnerable to safety threats and cyber-attacks. For this reason, it is not suitable for the certification of the most safety-critical components, e.g., control and actuation. This work aims to improve Apollo’s safety and security features by using a hypervisor for creating two virtual machines that share the same physical platform: a Linux-based virtual machine (Linux-VM) and a virtual machine running a real-time operating system (RTOS-VM). In this way, the Linux-VM runs the perception-related components requiring a tight interaction with sensors and hardware accelerators, while the RTOS-VM is in charge of handling the most safety-related activities. Furthermore, a more predictable acceleration of Apollo’s deep neural networks is provided by using FPGA instead of GPUs.