Scaling Data-Driven Probabilistic Robustness Analysis for Semantic Segmentation Neural Networks

We appreciate your detailed feedback

Response to Reviewer’s Comments on Weaknesses

W (Quality): Algorithm 1 is presented in a simplified form for clarity, but in our implementation, the SGD-based deflationary PCA procedure includes two termination criteria:

1. The first criterion is based on variance: the algorithm stops when the optimal variance captured in the current iteration falls below 1% of the optimal variance recorded in the first iteration. Since each iteration involves an optimization with no local maxima, it is guaranteed that the optimal variance captured in each subsequent iteration decreases monotonically.

2. The second criterion is a fixed upper bound on the number of principal directions, which we set to $N = 1000$. If the number of extracted directions exceeds this value, the algorithm terminates automatically.

The PCA process stops as soon as either of these conditions is satisfied.

We agree that a principled analysis of sensitivity to the PCA rank $N$ is valuable. Therefore, we will include an ablation study in the appendix to evaluate the effect of this and other hyperparameters (e.g., $m$, $N$) on the performance and robustness of our method.

Regarding the choice of $N = 1000$: In case the correlation matrix of logit dimensions is not approximately sparse, this number may sometimes be insufficient for achieving an accurate surrogate model. However, this does not pose a significant problem for our framework. The goal of the surrogate model is not to perfectly approximate the SSN but rather to reduce the conservatism that exists in the naïve technique. In practice, even a moderately trained surrogate model yields a tighter reachable set than the naïve approach, which is consistent with our experimental observations and we have provided a justification here for your review.

Supporting Justification: In the naïve technique, the outputs collected in the training set are approximated using their mean-value, and conformal inference is applied to the prediction errors, resulting in a hyperrectangular reachable set. In contrast, the surrogate-based method fits a small ReLU network to better approximate the outputs. One can, for example, initialize the surrogate model to output a constant equal to the mean of the training data in the beginning of the training process. This initialized model performs exactly as the naive technique and results in the same hyper-rectangular reachset. They also can use quantile regression—specifically, the $\delta_1$-quantile of prediction errors—as the loss function. Regardless of how well the surrogate is trained, the quantile of prediction errors will be strictly lower than in the initialized model. This ensures that the resulting reachable set is tighter than that produced by the naïve method.

However, due to the high output dimensionality of SSNs, directly training the surrogate without dimensionality reduction was computationally infeasible due to gradient-related challenges. PCA was therefore used to reduce the dimensionality of the output space, enabling us to start training the surrogate model and reduce the quantile of the prediction errors. Thus we achieve a tighter probabilistic reachable set that has the same level of guarantee with the naive technique.

W (Clarity): Algorithm 1, in its current form on the submission, is implemented as a for-loop with a fixed number of iterations $N$, and therefore terminates automatically after $N$ steps.

W (Significance): As suggested by Reviewer 2, we conducted new experiments comparing our method with two recent works that perform probabilistic verification via randomized smoothing. Specifically, we compared our technique with these methods on the verification of an HRNetV2 model with a W48 backbone (66M parameters) trained on the Cityscapes dataset. Our numerical results show that our approach is approximately 100 times less conservative than the baselines.

Details of this experiment are provided in our response to Reviewer 2, and we would greatly appreciate it if you could take a look. We have also cited these works in the Related Work section of the updated manuscript.

W (Originality): As noted, the core techniques used in our framework—conformal inference, surrogate modeling, and PCA—are individually well-established. However, our contribution lies in their novel integration and adaptation to the verification of semantic segmentation networks (SSNs), a high-dimensional and structured output setting where existing methods struggle with scalability or conservatism. This combination results in an efficient and practically useful verification algorithm.

Answer to Questions

Q1:

Hyper-parameter sensitivity:

Q2:

Dataset coverage: Our verification algorithm is architecture-agnostic and should work on both the Cityscapes and ADE20K datasets. As previously mentioned, we conducted a new experiment on the Cityscapes dataset, which has now been included in the updated manuscript. The average runtime for this experiment was 210 seconds, and the model we analyzed had 66 million parameters.

We appreciate your detailed feedback

Response to Reviewer’s Comments on Weaknesses

Extension of Experiments: We have significantly expanded the experimental section in the revised version. Reviewer 2 also suggested comparisons with two additional methods, which we have now included. The new comparison is described in detail in our response to Reviewer 2, and we would greatly appreciate it if you could take a moment to review that result as well. Below is a summary of the new experimental additions:

1. In the original submission, parts of the verification process were executed on CPU. We have now migrated all experiments fully on GPU to improve efficiency. For example, our updated experiments on the CamVid dataset now complete in 14 minutes—significantly faster than the 60-minute runtime previously reported.
2. We added a new experiment using a different UNet model trained on the OCTA-500 dataset and we analyzed it on a darkening attack like the other experiments in RQ1.
3. While the original submission used a fixed perturbation size with varying perturbation dimensions (ranging from $17 \times 3$ to $102 \times 3$) in RQ1, we now include an additional experiment in RQ1 where the perturbation dimension is fixed and the perturbation size is varied from $3/255$ to $150/255$.
4. We conducted a conservatism analysis by comparing our reachable set bounds against a Monte Carlo–estimated lower-bound.
5. Following the suggestion of reviewer 2, we performed a new comparative study with two other methods on the Cityscapes dataset, using an HRNetV2-W48 backbone with 66 million parameters.
6. We extended the experiment in RQ4 (Appendix E, page 14) to cover a broader range of perturbation sizes ($e = 1/255, \ldots, 30/255$) using 200 test images.
7. We added several visualizations of verification results across different datasets to improve interpretability.
8. We increased the number of test images per experiment to 200 to strengthen statistical confidence in our robustness evaluations.

Application in Other Domains: Thank you for this valuable suggestion. We agree that our probabilistic framework has a potential for application in various scientific and engineering domains. In scenarios where deterministic guarantees are difficult or impossible to obtain, our method can be applied and offer probabilistic but strong guarantees that support reliable decision-making under uncertainty. We believe this is particularly relevant for safety-critical settings and plan to explore such applications further in future work.

Answer to Questions

Q1:

Thank you for the question. Below, we first explain how the Robustness Value (RV) is computed and then clarify how it relates to the Table3 e.g. the hyper-parameters $\ell,m$ and the coverage and confidence $\delta_1, \delta_2$.

Let us begin by describing the process for computing RV:

Assume that $\mathbf{S}$ is the reachable set obtained using our conformal inference method. When we input this reachable set into Algorithm 2 (Page 8), the output mask is partitioned into three categories: robust, non-robust, and unknown pixels. The Robustness Value (RV) is then defined as the fraction of all pixels that are classified as robust:

Now, let’s relate this to the parameters in Table 3. Suppose we perturb an image from the CamVid dataset over a perturbation set $\mathbf{I}$, we sample a calibration set of size $m = 8000$, and set the rank to be $\ell = 7999$. Using this configuration, we generate a reachable set $\mathbf{S}$ via conformal inference as explained in the paper. We can now define the following logical statement $\mathsf{P}$ based on a coverage level $\delta_1$:

Here, $y$ denotes the vector of logits for all pixels in the SSN output that can be generated from perturbed images in $\mathbf{I}$. The confidence of guarantee, $\delta_2$, then implies:

where since $\mathbf{S}$ is generated via conformal inference using a pre-defined configuration ($ell,m$) we can say,

For example:

• If we set $\delta_1 = 0.995$, then $\delta_2 = 1 - \mathsf{betacdf}_{0.995}(7999, 2) = 0.99999999999999994$
• If we set $\delta_1 = 0.999$, then $\delta_2 = 1 - \mathsf{betacdf}_{0.999}(7999, 2) = 0.997$
• If we set $\delta_1 = 0.9995$, then $\delta_2 = 1 - \mathsf{betacdf}_{0.9995}(7999, 2) = 0.9085$

Using the pair $(\delta_1, \delta_2) = (0.999, 0.997)$, we can formally state that:

Now suppose we input this reachable set $\mathbf{S}$ into Algorithm 2 and find that 691,100 pixels are classified as robust, 100 as unknown, and 0 as non-robust. The RV is then computed as:

This means the guarantee

translates directly into the guarantee:

In other words, verifying the former implicitly verifies the latter. Therefor, if we generate a reachable $\mathbf{S}$, with that provable level of guarantee and introduce it to algorithm 2 and find out 691,100 pixels are robust then we have verified the correctness of the following guarantee:

Q2:

Thank you for your question. Below, we explain the factors that influence the average runtimes, particularly in the CamVid and Lung Segmentation experiments shown in Table 3.

Factors Affecting Runtime:

When using the naïve technique, the runtime is primarily influenced by four factors:

1. The size of the calibration dataset $m$,
2. The size of train dataset $t$,
3. The inference time of the model, and
4. The memory footprint on each output vector on the GPU or CPU memory.

The rest of the computation—such as statistical post-processing—has a negligible impact on runtime. However, inference speed can vary significantly depending on how it is executed. Performing inference on a GPU with batch processing is considerably faster than using a CPU with parallel processing. Additionally, we collect a training dataset to compute normalization factors used in the definition of the nonconformity score, and this data collection time must also be accounted for.

When using the surrogate-based technique, all the factors mentioned above still apply, but there are additional components that impact runtime:

• The time required to compute the top principal directions (PCA),
• The time to train the surrogate model, and
• Although relatively minor, the time required for deterministic reachability analysis on the surrogate model (since the surrogate is intentionally kept small and efficient).

Why CamVid Has Higher Runtime Than Lung Segmentation:

The runtime for the CamVid dataset is noticeably higher than for Lung Segmentation due to several factors:

• Model complexity: CamVid uses BiSeNet, which has a more complex architecture and higher inference time compared to UNet, used in Lung Segmentation.
• Output dimensionality: The output mask of UNet in the Lung Segmentation task is significantly smaller than that of BiSeNet in CamVid. Smaller outputs reduce memory requirements for each vector and enable more efficient batch processing during inference. As a result, we can process larger batches in the Lung Segmentation setting, which leads to a substantial reduction in overall verification time.

Additional Notes:

• The verification runtime is independent of perturbation size. That is, verifying for $e = 3/255$ takes approximately the same amount of time as verifying for $e = 155/255$.
• In the updated version of the paper, we include a chart in the appendix visualizing the runtime across all experiments introduced in RQ1.
• Although increasing the perturbation size $e$ does not increase runtime, it does increase the conservatism of the reachable set if the size of training dataset is not also increased. While the probabilistic guarantee still holds in such cases, the conservatism may become more pronounced. Thus we suggest increasing the size of training dataset if the perturbation size is larger.

Dear authors: Thank you for the rebuttal and the detailed responses provided to the mentioned weaknesses and questions. I will retain my score.

We appreciate your detailed feedback.

Response to Reviewer’s Comments on Weaknesses

Comparison with SOTA:

We were aware of paper [a]. In RQ2 (Appendix E, page 13), we showed NNV encountered out-of-memory issues in all experiments presented in RQ1. However, we were not previously aware of the other three papers [b, c, d], and we have now added them to related works and also have a comparison with them in the updated paper. The guarantee formulations are slightly different from ours. However, we found a meaningful way to compare, and our numerical results show our technique is 100 times less conservative. We also provide the details of this comparison below for your review.

Overview: Papers [b, c, d] are based on randomized smoothing. Paper [b] introduces a method called $\mathsf{SEGCERTIFY}$. Lets assume $\overline{\mathsf{SSN}}(x)(i,j)$ is the smooth version of $\mathsf{SSN}(x)(i,j)$ on pixel $(i,j)$, generated by a zero mean gaussian random noise:

where $\mathbf{L}$ is the set of classes. Assuming a coverage level $\tau\in[0.5,1]$, they redefine the top class $c_A(i,j)$ in a more conservative yet practically more convenient manner, and specify it as the class that satisfies: $\Pr_{\nu\sim\mathcal{N}(0,\sigma^2)}\left[\mathsf{SSN}(x+\nu)(i,j)=c_A(i,j)\right]\ge\tau$ , and then given a confidence guarantee $\delta_2$, they then propose the following guarantee for the smooth approximation of the model:

where $\mathbf{B}_r(x)$ is a ball with radius $r=\sigma\Phi^{-1}(\tau)$ and center $x$. They also argue that by allowing a portion of pixels to be abstained from (i.e., remain uncertifiable), they define:

and extend this guarantee over output space of $\mathsf{SSN}$ as:

which can be rephrased for the base model as:

On the other hand, the authors in [d] enhance this work using adaptive techniques to reduce the number of abstained (uncertifiable) pixels, and call it $\mathsf{ADAPTIVECERTIFY}$.

Comparison: We adopt the perturbation set $\mathbf{B}_r(x)$ identical to what considered above and present our guarantee for certifying the robustness of the output pixels. Due to the conservative nature of our reachability analysis, some bounds for certain mask pixels may span multiple classes, which we label as unknown. These unknown pixels are in fact uncertifiable, and thus we define the following set accordingly:

and given a coverage level $\delta_1$ and confidence $\delta_2$ and a sampling distribution, $x'\stackrel{\mathcal{W}}{\sim}\mathbf{B}_r(x)$, we generate the following guarantee:

Therefore, given an identical perturbation set $\mathbf{B}_r(x)$ the comparison aims to determine which method produces fewer uncertifiable pixels under its proposed guarantee. We use Table 1 from [d] as a benchmark, which sets $\tau=0.75,0.95$, $\sigma= 0.25,0.33,0.5$, and $\delta_2=0.999$ (6 experiments totally, 200 images each). Their experiments are conducted using this configuration on an HRNetV2 model with a W48 backbone, trained on the Cityscapes dataset, and they compare the number of uncertifiable pixels achieved against [b]. Accordingly, we use our naive technique and extend this table by reporting the number of uncertifiable pixels we obtained under the setting $\delta_1=0.99,\delta_2=0.999$ and $\mathcal{W}$ to be uniform for all of those 6 experiments. The code is available online anonymously and can be shared upon your request during the author-reviewer discussion period.

Results: The number of uncertifiable pixels produced by our technique was 100 times smaller than the values reported in that table, clearly demonstrating the effectiveness of incorporating conformal inference into the verification of SSNs. Our average runtime was 210 seconds, with a calibration dataset size of $m=920$ for all experiments. However, Table 1 in [d] does not report any runtime information.

Limitation in Evaluation:

In response to the reviewer's concerns, we have significantly expanded and improved our evaluation. Specifically, inspired by prior works [b, d], we increased the number of test images to 200 across all experiments and added several new evaluations, as detailed below:

1. In the original submission, some parts of verification were conducted on CPU; all experiments are now executed solely on GPU for improved efficiency.
2. We added a new experiment on another UNet trained on the OCTA-500 dataset.
3. While the original submission focused on a fixed perturbation size with varying perturbation dimensions (ranging from $17\times 3$ to $102\times 3$), the revised version includes an additional experiment where we fix the perturbation dimension and vary the perturbation size from $3/255$ up to $150/255$.
4. We included analyzing the conservatism of our method by comparing our reachable set bounds to a lower-bound estimated via Monte Carlo simulation.
5. Per your suggestion, we performed a new comparative study with [b, d] on the Cityscapes dataset, targeting an HRNetV2-W48 backbone with 66M parameters.
6. We extended the experiment in RQ4 (Appendix E, page 14) to a broader range of perturbation sizes ($e = 1/255, ..., 30/255$), using 200 test images.
7. We included several visualizations of our verification results across different datasets to enhance interpretability.

Regarding the threat model, we have incorporated both:

• $\ell_\infty$ perturbations were used in the original RQ3 and RQ4 experiments on the CIFAR-100 dataset (Appendix E).
• A new experiment on the Cityscapes dataset, in comparison with [b, d], uses $\ell_2$ perturbations.

Our primary motivation for using the darkening attack was also as follows:

1. It was the primary threat model considered in [a], and widely used in several other papers on adversarial training.
2. It introduces sparsity in the input space.
3. It allows easy control over both perturbation size and dimension, enabling us to thoroughly test the scalability of our technique.

Finally, the code and updated manuscript are available online via an anonymous link. We are happy to share access upon your request during the author-reviewer discussion period.

Answer to the Questions

Q1:

Following your suggestion, we conducted experiments on the Cityscapes dataset to compare our results with methods [b] and [d].

Q2:

We previously compared our method with [a] in RQ2 (Appendix E). Method [d], as an extension of [b], offered a coherent narrative for comparison, and we included both conceptual and empirical comparisons against [b,d]. In contrast, [c] focuses on transformations with a focus on classification tasks, and we only cited that in Related works.

Q3:

We revised this sentence as follows: " In this work, we propose a scalable, architecture-agnostic, probabilistic verification algorithm tailored for semantic segmentation neural networks and we demonstrate through numerical experiments that it is less conservative than existing statistical methods in the literature.".

Q4:

We have addressed this by removing the mention of "M2NIST" from the sentence. One comment here is:

• Our naïve approach remains scalable to high-resolution input images for SSN, as it does not require training a surrogate model. For example, in our comparison with [b, d], the naïve technique completes verification in 210 seconds for an image with a resolution of 1024×2048.
• As noted in Lines 269–274, when the SSN input is high-dimensional, our surrogate-based method remains efficient under the assumption of sparsity in the input perturbation.

Therefore, in cases where the perturbation dimension is very large, we fall back to the naïve technique for scalability.

Q5:

We agree with your observation. Like methods [b, c, d], our approach is architecture-agnostic and should generalize to larger models. While the models used in RQ1 were not representative of large-scale architectures, as you suggested, we have now added an experiment using the HRNetV2-W48 backbone—which has 66 million parameters—to compare our technique with methods [b,d].

Q6:

Our goal in RQ1 was mainly to evaluate the surrogate-based technique. While PCA enables the surrogate method to scale to SSNs with high-dimensional outputs, it does not address scalability when the input dimensionality is high. As noted in the manuscript, the surrogate approach requires sparsity in the perturbation set when dealing with high-dimensional inputs. This motivated our choice of the darkening attack, which introduces structured, sparse perturbations.

Response to Limitation Comments

• We clearly stated in the conclusion section that our method provides probabilistic guarantees, and we also emphasized on this in the title of the paper.
• Regarding model size, our approach is not limited to small models—we successfully performed verification on HRNetV2 with 66 million parameters in just 210 seconds, achieving significantly lower conservatism compared to methods [b] and [d] on the Cityscapes dataset.

Dear Authors,

Thank you for the detailed response and for the new experiments on Cityscapes and HRNetV2. I appreciate the significant improvements in evaluation and the more thorough discussion of comparisons.

I have a few clarifications and follow-up questions:

1. Quantitative Comparison

You mention that your method produces “100× fewer uncertifiable pixels” than [d]. According to Table 1 in [d], [b] has between 5% and 28% abstained pixels. Does this imply your method abstains from only 0.05% to 0.28% of pixels for the same perturbation settings?

Could you please provide the extended table you mentioned that directly compares the methods?

More generally, randomized smoothing provides stronger guarantees—i.e., worst-case robustness over a norm ball—without relying on assumptions about the distribution of perturbations. Would it be fair to say that the lower abstention rates in your method come at the cost of weaker guarantees, making this more of a trade-off than a superiority?

2. Perturbation Sparsity

You mention that perturbation sparsity is essential for your surrogate-based method to scale to high-dimensional inputs. Yet the comparison on Cityscapes uses $\ell_2$ perturbations, which are dense by nature. Could you clarify whether the surrogate method was used in this case, and if so, how it could scale to dense perturbations on high-dimensional inputs?

3. Calibration Set

Do you reuse the same calibration set across all test examples (e.g., the 200 Cityscapes images), and if so, how do you account for potential overfitting or leakage when estimating coverage guarantees?

We appreciate your detailed feedback.

Response to Comments on Weaknesses

On the Use of Established Techniques: As noted, the core techniques used in our framework—conformal inference, surrogate modeling, and PCA—are individually well-established. However, our contribution lies in their novel integration and adaptation to the verification of semantic segmentation networks (SSNs), a high-dimensional and structured output setting where existing methods struggle with scalability or conservatism. This combination results in an efficient and practically useful verification algorithm. As requested by Reviewer 2, we have included additional experiments comparing our method with several baselines from the literature. These results, discussed in our responses to Reviewer 2, demonstrate a significantly reduced level of conservatism in our method relative to existing approaches.

On Conservatism vs. Exactness: Appendix E (RQ4) already provides a numerical comparison showing that the ReLU-based surrogate leads to less conservative estimates than the naive baseline. However, you are correct that we did not previously include a numerical evaluation of conservatism relative to exact reach sets. To address this, we have added a new experiment in the revised version of the paper. Specifically, we perform 10^6 random forward passes through the model to empirically lower-bound the true reachable set. We then compare these empirical bounds with the reach set computed by our method. The results show that, on average, the bounds produced by our method are only 10% larger than the empirical lower bound in the M2NIST experiment, and approximately 20% larger in the CamVid experiment. This demonstrates that while our method is conservative, the gap from exactness remains moderate and practical.

On Assumptions about Surrogate Model Accuracy: We do not assume an accurate approximation of the original SSN. The main motivation for introducing the surrogate technique is to improve upon the naive method. The more accurate the ReLU surrogate, the lower the conservatism compared to the naive technique. We discuss this in more detail in our responses to your questions.

On the Use of Attack Models: We acknowledge that FGSM and PGD are widely used in adversarial robustness literature. However,PGD and FGSM attacks are essentially one-dimensional, as they identify a single critical direction to which the model is most vulnerable. Verifying robustness against such attacks does not require reachability techniques. Since pixel values are discrete (e.g., $1/255, 2/255, \ldots, 1$), verification along a one-dimensional perturbation can be efficiently performed with a finite number of forward passes through the model. In contrast, consider a 102-dimensional perturbation with a magnitude of $3/255$. Verifying robustness in this setting would require $3^{102}$ model evaluations, which is computationally infeasible. This complexity motivates the need for reachability-based analysis. For this reason, we focused on darkening attacks in our experiments.

On the Interpretation of Unknown Pixels: We agree that pixels labeled as “unknown” (i.e., not certifiably robust) can pose a challenge in interpretation. The unknown pixels are not certifiable, meaning we do not provide guarantees for them due to the conservatism inherent in our reachability analysis. Addressing uncertifiable pixels is a common and active area of research in the verification community. However, as requested by Reviewer 2, we described a recent experiment demonstrating that the number of uncertifiable pixels produced by our method is at least 100 times lower than those reported by other probabilistic techniques in the literature.

Answer to the Questions:

Q1:

We do not assume that a small ReLU network accurately approximates the SSN across the entire input distribution. Instead, we use the network to enhance the naive technique in two ways:

Improved Output Estimation: In the naive method, we estimate the outputs using a fixed value (typically the mean), which can result in high approximation error. By contrast, we use a small ReLU model to learn a more expressive approximation of the outputs, which reduces this error. The better the surrogate model, the more accurate the output estimates, resulting in a tighter reachable set.

Better Reachable Set Geometry: We apply ApproxStar reachability analysis to the ReLU model, which yields a convex hull over the output space. This provides a more informative and compact approximation of the cloud of outputs than the hyper-rectangular (box-shaped) reachable sets used in the naive approach. To ensure formal coverage guarantees, we then use conformal inference to appropriately inflate this convex hull, ensuring the true outputs lie within it with provable probabilistic guarantee.

In summary, even if the small ReLU model is not a perfect surrogate for the SSN, it still leads to tighter and more meaningful reachable sets than the naive mean-based method.

Proof: One can initialize the surrogate model such that it outputs a constant value equal to the mean of the training dataset and define the loss function as the $\delta_1$-quantile of the prediction errors (i.e.,Quantile Regression). Regardless of how accurately the surrogate is trained, the resulting error quantile will be lower than that of the initialized model. This is sufficient to claim that the new reachable set has been tightened.

However, due to the high dimensionality of SSN, we were unable to start training it, primarily because of gradient-related computational issues. To address this, we applied PCA to reduce dimensionality, allowing the training process to get started.

Q2:

Yes, we addressed this through a numerical experiment presented in RQ4 of Appendix E (Page 14), where we evaluated the conservatism of our method. The experiment compares three approaches: (1) the naive technique, (2) reachability analysis with a linear surrogate model, and (3) reachability analysis with a ReLU-based surrogate model.

In the original experiment, we varied the perturbation bound $e$ from $1/255$ to $10/255$. The ReLU-based method verified robustness of the classification up to $e = 9/255$, while the linear surrogate method did so up to $6/255$, and the naive method only up to $3/255$. This clearly demonstrates the improved performance of the ReLU surrogate, which we attribute to its ability to produce less conservative reachable sets. We recently extended this analysis to $200$ images and expanded the range of $e$ values from $1/255$ to $30/255$.

Q3:

Before addressing it directly, we would like to highlight that, due to the accuracy and data efficiency of CI, our baseline (naive) technique performs better compared to SOTA. This is supported by new experimental results requested by Reviewer 2, which show it significantly outperforms existing probabilistic methods. However, our overarching goal is to reduce conservatism of naive technique, which is why we incorporate ReLU-based surrogate models in reachability.

We terminate our SGD-based PCA algorithm once a specific amount of principal directions are extracted. When outputs are highly correlated, that amount may be insufficient. This can degrade the accuracy of the ReLU surrogate model. Nonetheless, even in these cases, the ReLU-based reachability analysis still outperforms the naive approach, as learning from the data distribution using a ReLU model is more effective than relying on approximation with a mean-value (naive technique).

We appreciate the suggestion to explore autoencoders for dimensionality reduction and we plan to investigate this direction in future work.

Q4:

Our method is centered on computing the reachable set of the output space. Once this set is obtained, it can be used to reason about a variety of tasks—not just SSN. While our current paper focuses on challenges posed by high-dimensional outputs in SSN, the proposed approach is general and can be applied to other high-dimensional tasks as well.

Accordingly, we have decided to revise the title if the paper is accepted. The updated title will be:

"Probabilistic Robustness Analysis in High-Dimensional Space: Application to Semantic Segmentation Networks"

Q5:

Yes, our framework provides a principled approach for selecting these parameters. The user specifies a target coverage level $\delta_1$ and confidence level $\delta_2$, and we use a binary search to efficiently determine the appropriate calibration size $m$ and rank $\ell$.

In the common case where $\ell = m - 1$, increasing $m$ monotonically increases $\delta_2$ for a fixed $\delta_1$. This property allows binary search to efficiently identify the optimal $m$ that satisfies the desired level for $\delta_2$. Our toolbox includes this module that retuens optimal $m$ based on desired statistical guarantees.

Response to Limitation Comments:

We would like to again encourage the reviewer to revisit Appendix A, where we provide a detailed explanation of why CI is distribution-free.

You raised three important points, and we address them below:

1- Importantly, the formal guarantee in our method is entirely derived from CI; the surrogate model is introduced solely to reduce the conservatism of this guarantee, without affecting its validity.

2- It’s important to emphasize that CI is distribution-free—this is thoroughly discussed in Appendix A. The distribution-free nature of CI is precisely why we adopt it for reachability analysis of neural networks, whose output distributions is complex. Therefore, the validity of our method does not depend on how exact the calibration distribution is captured. As long as the calibration dataset is sampled from the same distribution that guarantee holds and this is the magic of CI.

3- We add a paragraph on societal impact, and the importance of verification in safety-critical domains such as medical imaging.

Dear Reviewer Xbuv

Thank you for your valuable feedback and insightful comments.

We have addressed all of your comments in detail and are currently awaiting your response. As the reviewer-author discussion period is approaching its deadline, we wanted to kindly follow up and ask if you had any feedback on our responses.

Thank you again for your time and consideration.

Thank you for the detailed and thoughtful rebuttal. I appreciate the clarifications and the new experiments added to address concerns raised during the initial review.

1. Your clarification that the ReLU surrogate model is used to tighten the probabilistic reachable sets—rather than to approximate the original SSN precisely—is helpful. The empirical comparison between surrogate-based and naive methods in Appendix E (RQ4), as well as the newly added 10⁶-sample lower bound experiment, is a valuable addition and demonstrates meaningful reductions in conservatism (10–20% reachset inflation). This directly addresses my concern about quantifying conservativeness, and I appreciate this additional effort. However, I still find that some limitations around surrogate fidelity in complex architectures (e.g., very deep or heterogeneous SSNs) are underexplored. While you mention the potential to fall back to mean-based reachability in these cases, more principled discussion (e.g., error bounds, confidence estimates for approximation quality) would strengthen the framework's practical utility.

2. I understand your rationale for not including PGD/FGSM in the evaluation, especially given their limited dimensionality and the motivation for reachability-based methods in high-dimensional perturbation settings. That said, including at least some standard attack models (even as baselines) would improve alignment with the robustness literature and broaden the appeal and generalizability of the method.

3. You clarified that “unknown” pixels arise from conservatism in the reachability analysis, and you reference recent experiments showing fewer unknowns compared to other probabilistic techniques. That is useful context. Nevertheless, the practical impact of these regions remains ambiguous—particularly in medical or safety-critical domains where pixel-level robustness matters. Including examples or discussion on downstream decision-making (e.g., alerting users, fallback mechanisms) could help bridge the gap between theoretical guarantees and practical utility.

4. Your use of deflation-based PCA is both innovative and appropriate for high-dimensional output settings. Still, I encourage future work on exploring alternatives like autoencoders or low-rank factorization, particularly when PCA struggles due to output correlation or class imbalance (as you acknowledged). It’s promising to hear that such directions are under consideration.

In summary, your rebuttal addressed many of my questions with thoughtful explanation and additional experiments. The proposed approach remains a strong contribution in adapting conformal inference to structured, high-dimensional robustness verification, with impressive scalability results. However, I continue to see limitations in the surrogate approximation fidelity, evaluation breadth (e.g., threat models), and interpretation of uncertain outputs that modestly temper the overall impact.

I therefore choose to maintain my original score. Thank you again for the clear and thorough response.